threatpost.com Open in urlscan Pro
35.173.160.135  Public Scan

Submitted URL: https://threatpost.com/cloud-ransomware-convergence/177112///////
Effective URL: https://threatpost.com/cloud-ransomware-convergence/177112/
Submission: On December 17 via api from US — Scanned from DE

Form analysis 4 forms found in the DOM

POST /cloud-ransomware-convergence/177112/#gf_5

<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/cloud-ransomware-convergence/177112/#gf_5">
  <div class="gform_body">
    <ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
      <li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
        <div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
      </li>
      <li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_email">
          <input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
        </div>
      </li>
      <li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
          aria-invalid="false" value=""></li>
      <li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_checkbox">
          <ul class="gfield_checkbox" id="input_5_2">
            <li class="gchoice_5_2_1">
              <input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
              <label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
            </li>
          </ul>
        </div>
      </li>
      <li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_checkbox">
          <ul class="gfield_checkbox" id="input_5_5">
            <li class="gchoice_5_5_1">
              <input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
              <label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
            </li>
          </ul>
        </div>
      </li>
      <li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
        <div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
        <div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
      </li>
    </ul>
  </div>
  <div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window[&quot;gf_submitting_5&quot;]){return false;}  window[&quot;gf_submitting_5&quot;]=true;  "
      onkeypress="if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_5&quot;]){return false;} window[&quot;gf_submitting_5&quot;]=true;  jQuery(&quot;#gform_5&quot;).trigger(&quot;submit&quot;,[true]); }" style="display: none;"> <input
      type="hidden" name="gform_ajax" value="form_id=5&amp;title=&amp;description=&amp;tabindex=0">
    <input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
    <input type="hidden" class="gform_hidden" name="gform_submit" value="5">
    <input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
    <input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
    <input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
    <input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
    <input type="hidden" name="gform_field_values" value="">
  </div>
</form>

GET https://threatpost.com/

<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
  <input type="text" class="c-site-search__field" name="s" placeholder="Search">
  <button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
      <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
    </svg> Search</button>
  <div class="c-site-search__overlay"></div>
</form>

POST https://threatpost.com/wp-comments-post.php

<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
  <div class="o-row">
    <div class="o-col-12@md">
      <div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
    </div>
  </div>
  <div class="o-row">
    <div class="o-col-6@md">
      <div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
    </div>
    <div class="o-col-6@md">
      <div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
    </div>
  </div>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="177112" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
  <p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="12c982939b"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
  <input type="hidden" id="V5BQbZmoNzPERMj1IinHqsNcg" name="NDTmcpdGVDSeqV2paxRpibIRV">
  <script type="text/javascript">
    document.addEventListener("input", function(event) {
      if (!event.target.closest("#comment")) return;
      var captchaContainer = null;
      captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
        "sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
        "theme": "standard"
      });
    });
  </script>
  <script src="https://www.google.com/recaptcha/api.js?hl=en&amp;render=explicit" async="" defer=""></script>
  <div id="recaptcha-submit-btn-area">&nbsp;</div>
  <noscript>
    <style type="text/css">
      #form-submit-save {
        display: none;
      }
    </style>
    <input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
  </noscript><textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea><input type="hidden" id="ak_js" name="ak_js" value="1639759189455">
</form>

GET https://threatpost.com/

<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
  <input type="text" class="c-site-search__field" name="s" placeholder="Search">
  <button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
      <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
    </svg> Search</button>
  <div class="c-site-search__overlay"></div>
</form>

Text Content

Newsletter


SUBSCRIBE TO OUR THREATPOST TODAY NEWSLETTER

Join thousands of people who receive the latest breaking cybersecurity news
every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn
Park, Woburn, MA 01801. Detailed information on the processing of personal data
can be found in the privacy policy. In addition, you will find them in the
message confirming the subscription to the newsletter.

 * 
 * *
   
 * 
 * *
    * I agree to my personal data being stored and used to receive the
      newsletter

 * *
    * I agree to accept information and occasional commercial offers from
      Threatpost partners

 * Name
   
   This field is for validation purposes and should be left unchanged.


This iframe contains the logic required to handle Ajax powered Gravity Forms.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn
Park, Woburn, MA 01801. Detailed information on the processing of personal data
can be found in the privacy policy. In addition, you will find them in the
message confirming the subscription to the newsletter.

Threatpost
 * Cloud Security
 * Malware
 * Vulnerabilities
 * InfoSec Insiders
 * Webinars

 * 
 * 
 * 
 * 
 * 
 * 
 * 

Search

 * Conti Gang Suspected of Ransomware Attack on McMenaminsPrevious article
 * 

InfoSec Insider


CONVERGENCE AHOY: GET READY FOR CLOUD-BASED RANSOMWARE

InfoSec Insider
Oliver Tavakoli
December 17, 2021 10:45 am
4:30 minute read
Write a comment

Share this article:

 * 
 * 

Oliver Tavakoli, CTO at Vectra AI, takes us inside the coming nexus of
ransomware, supply-chain attacks and cloud deployments.

The two types of cyberattacks that have dominated the news over the past year
have been ransomware, and software and service supply-chain attacks. The former
have mainly been perpetrated by criminal enterprises looking to turn a quick
profit. In contrast, the latter attacks have primarily been the domain of
nation-states looking to expand their information-gathering capabilities.

There’s a good chance these two approaches will start converging — and it’s
going to happen in the cloud.

One example of this already happening is the ransomware attack that leveraged
Kaseya software – but that was a different kind of supply-chain attack in that
the supply chain consisted of the managed security service providers (MSSPs) who
were hosting Kaseya software on behalf of their customers. Kaseya itself (unlike
SolarWinds) was not hacked, and all the action happened downstream.



Why are ransomware and the supply chain coming together? Historically, what
started out as nation-state techniques make their way into pen-testing and red
teaming tools and eventually become commoditized in attacks undertaken by
hackers seeking profit. There’s no reason to think the same won’t happen in this
case; thus, it is useful to consider tools and techniques employed in
supply-chain attacks as a harbinger of what is to come to ransomware attacks.


CLOUD LEVERAGE IN SUPPLY-CHAIN ATTACKS

Nation-states have plenty of time and human capital to expend in supply-chain
efforts, so the complexity or relatively unknown nature of the environment does
not present a significant barrier. In fact, many nation-state attacks involve
cloud components — they often mix and match traditional on-prem steps in an
attack with steps taken in the cloud.

The SolarWinds hack was a case in point. After hacking into SolarWinds and
laboriously crafting and inserting a payload into the Orion software, Cozy Bear
(aka the Russian SVR) waited for software updates to go out and the infected
Orion servers to call home. What followed from there was a careful selection of
high-value targets to pursue. One of the common approaches, which was observed
across multiple targets, was that the attackers went on to steal the SAML
certificate-signing key. The end goal was to be able impersonate an
authenticated user accessing data in Office 365 or other software-as-a-service
(SaaS)-delivered applications.

More recently, that same threat actor (referred to by Microsoft as Nobelium) was
reported to be hacking  MSSPs, expressly to gain access to administrative
account credentials. These were used to create accounts in Azure Active
Directory (AD), and then onward to victim’s on-premise AD — the cloud was used
again.

This all comes against the backdrop of security monitoring having a particular
scope (data center, cloud, federated identity, endpoints, etc.) — overall,
security monitoring implemented by most organizations doesn’t do a good job of
stitching these scopes together, and that presents another advantage to advanced
attackers. As they hopscotch through these areas, they can generally count on
any slightly suspicious behavior in one scope not leading to elevated concern in
the next.


THE TRADITIONAL NATURE OF RANSOMWARE ATTACKS 

In contrast, most ransomware attacks that have made the news have been
relatively pedestrian. They have used well-known tool chains that are also used
by pen-testers and red teams (think Mimikatz, Cobalt Strike, BloodHound, etc.)
to perpetrate attacks on relatively traditional IT environments.

There is generally very little reliance on zero-day vulnerabilities (Kaseya
being an exception in that the attackers burned a couple of Kaseya VSA server
zero-days). When software vulnerabilities are exploited as part of the attack,
it’s typically via well-known vulnerabilities for which patches are already
available but have not yet been applied by the target. The poster child for this
was the EternalBlue exploit in the internal propagation of WannaCry in 2017 –
Microsoft released the patch in March, while the large-scale outbreak of
WannaCry happened in May.


WHY RANSOMWARE WILL COME TO THE CLOUD 

There is also Willie Sutton’s famous quote when asked why he robbed banks:
“Because that’s where the money is.” The migration of data and applications to
the cloud which was already well underway at the end of 2019 has been
supercharged by the pandemic. And as almost every piece of data of value moves
to the cloud, either into SaaS applications or into public-cloud stacks,
attackers will undoubtedly follow to the cloud as the pickings for on-premise
attacks become slim.

And thanks to the supply-chain attacks, detailed information on how clouds
operate and how to attack them is becoming commoditized. So once the money moves
to the cloud, the ability to attack there will not be limited to nation states.


WHAT RANSOMWARE WILL LOOK LIKE IN THE CLOUD

With most attacks, there is a question of what the initial point of entry will
be and how that initial foothold will be expanded to gain access to valuable
data.

We have already seen multiple points of entry to attacks involving the cloud:

 * Account takeover – compromising an endpoint belonging to the organization by
   coaxing users to provide account credentials in seemingly legitimate
   exchanges.
 * Identity system takeover – stealing an organization’s SAML-signing key allows
   the attacker to authenticate as any account in the system.
 * Sprawling DMZ – workloads (often created by development teams) in the public
   cloud which are unpatched or unsecured, and are accessible to the internet
   without the organization’s security team being aware of them.

Lateral movement (from point of entry to targeted data) in the cloud almost
always involves stolen or impersonated credentials, or the leverage of available
APIs. Cloud systems come with incredibly powerful APIs – particularly for
privileged credentials – which enable attackers to rapidly progress to their
ultimate goal.


TAKEAWAYS

There are things organizations can do to prepare for these attacks:

 * Ensure you keep your SAML-signing key under incredibly strict control and
   monitor any access to the system which uses the key.
 * Review your multifactor authentication (MFA) policies – I know, everyone
   claims to have MFA enabled for all accounts, but most Azure AD customers do
   this via conditional-access policies, which often contain a mess of
   contradictory logic which may or may not accomplish what you believe your
   policy to be.
 * Review permissions granted to your cloud-accessible identities and practice
   principles of least privilege.
 * Carefully monitor the creation of new privileged accounts as well as any use
   of privileged accounts.
 * Know thy internet-accessible footprint – where possible, implement
   overarching policies which prevent a developer from accidentally exposing
   your cloud footprint to the internet and constantly scan for such accidents
   on the assumption that such policies can fail.
 * Shift a substantial portion of your pen testing and red teaming efforts to
   your public cloud and SaaS applications – find out how hard a target you
   really are.

And obviously, put strict controls over the data you most care about and
practice restoring the data from isolated backups.

Oliver Tavakoli is CTO at Vectra AI.

Enjoy additional insights from Threatpost’s Infosec Insiders community by
visiting our microsite.

Write a comment

Share this article:


 * Cloud Security
 * InfoSec Insider
 * Malware


SUGGESTED ARTICLES


CONTI GANG SUSPECTED OF RANSOMWARE ATTACK ON MCMENAMINS

The incident occurred last weekend at the popular chain of restaurants, hotels
and breweries, which is still facing disruptions.

December 17, 2021


‘TROPIC TROOPER’ REEMERGES TO TARGET TRANSPORTATION OUTFITS

Analysts warn that the attack group, now known as ‘Earth Centaur,’ is honing its
attacks to go after transportation and government agencies.

December 16, 2021


‘PSEUDOMANUSCRYPT’ MASS SPYWARE CAMPAIGN TARGETS 35K SYSTEMS

It’s similar to Lazarus’s Manuscrypt malware, but the new spyware is splattering
itself onto government organizations and ICS in a non-Lazarus-like, untargeted
wave of attacks.

December 16, 2021
1


DISCUSSION


LEAVE A COMMENT CANCEL REPLY

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.


INFOSEC INSIDER


 * CONVERGENCE AHOY: GET READY FOR CLOUD-BASED RANSOMWARE
   
   December 17, 2021


 * 2022: SUPPLY-CHAIN CHRONIC PAIN & SAAS SECURITY MELTDOWNS
   
   December 14, 2021


 * NEXT-GEN MALDOCS & HOW TO SOLVE THE HUMAN VULNERABILITY
   
   December 10, 2021


 * NOT WITH A BANG BUT A WHISPER: THE SHIFT TO STEALTHY C2
   
   December 8, 2021


 * ARE YOU GUILTY OF THESE 8 NETWORK-SECURITY BAD PRACTICES?
   
   December 6, 2021

Newsletter


SUBSCRIBE TO THREATPOST TODAY

Join thousands of people who receive the latest breaking cybersecurity news
every day.

Subscribe now
Twitter

1.8M+ attacks, against half of all corporate networks, are attempting to exploit
#Log4Shell, including with a new r… https://t.co/dDky1faadm

18 hours ago

Follow @threatpost

NEXT 00:02 01:15 360p 720p HD 1080p HD Auto (360p) About Connatix V143023 Closed
Captions About Connatix V143023 1/1 Skip Ad Continue watching after the ad Visit
Advertiser website GO TO PAGE




SUBSCRIBE TO OUR NEWSLETTER, THREATPOST TODAY!

Get the latest breaking news delivered daily to your inbox.

Subscribe now
Threatpost

The First Stop For Security News

 * Home
 * About Us
 * Contact Us
 * Advertise With Us
 * RSS Feeds

 * Copyright © 2021 Threatpost
 * Privacy Policy
 * Terms and Conditions
 * Advertise

 * 
 * 
 * 
 * 
 * 
 * 
 * 


TOPICS

 * Black Hat
 * Breaking News
 * Cloud Security
 * Critical Infrastructure
 * Cryptography
 * Facebook
 * Government
 * Hacks
 * IoT
 * Malware
 * Mobile Security
 * Podcasts
 * Privacy
 * RSAC
 * Security Analyst Summit
 * Videos
 * Vulnerabilities
 * Web Security

Threatpost
 * 
 * 
 * 
 * 
 * 
 * 
 * 


TOPICS

 * Cloud Security
 * Malware
 * Vulnerabilities
 * Privacy

Show all
 * Black Hat
 * Critical Infrastructure
 * Cryptography
 * Facebook
 * Featured
 * Government
 * Hacks
 * IoT
 * Mobile Security
 * Podcasts
 * RSAC
 * Security Analyst Summit
 * Slideshow
 * Videos
 * Web Security


AUTHORS

 * Tara Seals
 * Tom Spring
 * Lisa Vaas


THREATPOST

 * Home
 * About Us
 * Contact Us
 * Advertise With Us
 * RSS Feeds

Search

 * 
 * 
 * 
 * 
 * 
 * 
 * 

InfoSec Insider


INFOSEC INSIDER POST

Infosec Insider content is written by a trusted community of Threatpost
cybersecurity subject matter experts. Each contribution has a goal of bringing a
unique voice to important cybersecurity topics. Content strives to be of the
highest quality, objective and non-commercial.

Sponsored


SPONSORED CONTENT

Sponsored Content is paid for by an advertiser. Sponsored content is written and
edited by members of our sponsor community. This content creates an opportunity
for a sponsor to provide insight and commentary from their point-of-view
directly to the Threatpost audience. The Threatpost editorial team does not
participate in the writing or editing of Sponsored Content.

We use cookies to make your experience of our websites better. By using and
further navigating this website you accept this. Detailed information about the
use of cookies on this website is available by clicking on more information.

ACCEPT AND CLOSE