Cyber Insiders - Magazine - Page 23
Among a host of other benefits, cloud computing has enabled companies to be more flexible and mobile, while improving collaboration efficiency. It has also facilitated scalability and reduced overall IT costs. Unfortunately, cybercriminals have recognised this shift and the valuable data now held within the cloud, leading to ‘ransomcloud’ attacks that take advantage of poor cloud security.

Such attacks occur through three key methods:

- File sync piggybacking
- Remote connection with stolen credentials
- Attacking the cloud provider

So, how do these methods work?
1 – File sync piggybacking

The first type of ransomcloud attack leverages the common attack vector of phishing to infect the victim’s local computer. Contrary to popular belief, the malicious attachment or link included in the email often does not contain the malware payload. Rather, it delivers a small program that runs stealthily in the background, and it is this program that then installs the malware.

Once in the system, the malware disguises itself as a popup permission request from trusted software, such as an antivirus scan request. When the user approves it, the malware is activated and can now disseminate itself, not just on the local computer but across the network to any machine or server it may be connected to.

As it spreads, threat actors will be on the lookout for a file sync service interacting with a cloud service. Once one has been identified, the ransomware piggybacks on the file sync, allowing threat actors to access, infect and encrypt data in the cloud.
Of course, should the organisation have measures such as air gapping in place, the ransomware may be unable to find a route to the cloud and settle for local infection instead. It is no wonder, then, that we are witnessing a rise in the use of Google Drive, Slack, Microsoft Teams etc. to distribute malicious software. These applications sit between the cloud and on-premise devices, syncing relevant files as appropriate. Once they are compromised, it becomes incredibly difficult to reverse the impact. This is where advanced Cloud Access Security Broker (CASB) tools prove useful, as they sit between the on-premise and cloud infrastructures and vet the traffic between them.
2 – Remote connection with stolen credentials

The second tactic sees threat actors monitor network connections for authentication attempts. They then capture the user’s cloud credentials, usually by presenting a fake login portal masquerading as the real cloud platform. By tracking the keystrokes on the infected local computer, connection details can be copied to a remote computer and automatically entered into the real cloud platform from there.

Because the local malware captures the keystrokes and passes them on to the remote computer as they are typed, cybercriminals can gain entry to the cloud via a simultaneous login. This can potentially bypass two-factor authentication methods that ask for a code, since the user types that code in as well. The attackers now have a connection to the cloud from their own computer and gain as much or as little access as the cloned user, depending on that user’s privilege level.
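The simultaneous login described above leaves a detectable trace: the same account authenticating successfully from two different source addresses within seconds. The following added example (not from the article) runs that check over a few constructed sign-in records; the field layout and the two-minute window are assumptions, and the IP addresses are documentation ranges, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): user, UTC timestamp, source IP, result.
# Alice's two successes are 39 seconds apart from different addresses, the pattern of a
# relayed login; Bob's are hours apart; Carol has only one success.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:02Z", "203.0.113.10", "success"),
    ("alice", "2024-03-01T09:00:41Z", "198.51.100.77", "success"),
    ("bob",   "2024-03-01T09:05:00Z", "203.0.113.22", "success"),
    ("bob",   "2024-03-01T13:30:00Z", "198.51.100.5", "success"),
    ("carol", "2024-03-01T10:00:00Z", "203.0.113.30", "failure"),
    ("carol", "2024-03-01T10:00:30Z", "198.51.100.9", "success"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_concurrent_logins(events, window=timedelta(minutes=2)):
    """Return (user, earlier_ip, later_ip, seconds_apart) for each pair of consecutive
    successful sign-ins by one user from different source IPs within `window`.

    Failed attempts are ignored: the relay only matters once both sessions are live.
    """
    by_user = defaultdict(list)
    for user, ts, ip, result in events:
        if result == "success":
            by_user[user].append((parse_ts(ts), ip))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order, so consecutive pairs are adjacent
        for (t_prev, ip_prev), (t_cur, ip_cur) in zip(logins, logins[1:]):
            if ip_prev != ip_cur and t_cur - t_prev <= window:
                gap = int((t_cur - t_prev).total_seconds())
                alerts.append((user, ip_prev, ip_cur, gap))
    return alerts


if __name__ == "__main__":
    for user, ip_a, ip_b, gap in find_concurrent_logins(SAMPLE_EVENTS):
        print(f"ALERT {user}: sign-in from {ip_a} then {ip_b} only {gap}s apart")
```

Legitimate events such as a VPN handover or a phone switching networks also trip this rule, so the window should be tuned and the alert enriched with device identity or geolocation before it is acted on.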