threatpost.com
Open in
urlscan Pro
35.173.160.135
Public Scan
Submitted URL: https://threatpost.com/cloud-ransomware-convergence/177112///////
Effective URL: https://threatpost.com/cloud-ransomware-convergence/177112/
Submission: On December 17 via api from US — Scanned from DE
Effective URL: https://threatpost.com/cloud-ransomware-convergence/177112/
Submission: On December 17 via api from US — Scanned from DE
Form analysis
4 forms found in the DOMPOST /cloud-ransomware-convergence/177112/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/cloud-ransomware-convergence/177112/#gf_5">
<div class="gform_body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
aria-invalid="false" value=""></li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice_5_2_1">
<input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice_5_5_1">
<input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_5"]){return false;} window["gf_submitting_5"]=true; jQuery("#gform_5").trigger("submit",[true]); }" style="display: none;"> <input
type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
POST https://threatpost.com/wp-comments-post.php
<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div class="o-row">
<div class="o-col-12@md">
<div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
</div>
</div>
<div class="o-row">
<div class="o-col-6@md">
<div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
</div>
<div class="o-col-6@md">
<div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
</div>
</div>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="177112" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="12c982939b"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="V5BQbZmoNzPERMj1IinHqsNcg" name="NDTmcpdGVDSeqV2paxRpibIRV">
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
var captchaContainer = null;
captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
"theme": "standard"
});
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript><textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea><input type="hidden" id="ak_js" name="ak_js" value="1639759189455">
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
Newsletter SUBSCRIBE TO OUR THREATPOST TODAY NEWSLETTER Join thousands of people who receive the latest breaking cybersecurity news every day. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. * * * * * * * I agree to my personal data being stored and used to receive the newsletter * * * I agree to accept information and occasional commercial offers from Threatpost partners * Name This field is for validation purposes and should be left unchanged. This iframe contains the logic required to handle Ajax powered Gravity Forms. The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter. Threatpost * Cloud Security * Malware * Vulnerabilities * InfoSec Insiders * Webinars * * * * * * * Search * Conti Gang Suspected of Ransomware Attack on McMenaminsPrevious article * InfoSec Insider CONVERGENCE AHOY: GET READY FOR CLOUD-BASED RANSOMWARE InfoSec Insider Oliver Tavakoli December 17, 2021 10:45 am 4:30 minute read Write a comment Share this article: * * Oliver Tavakoli, CTO at Vectra AI, takes us inside the coming nexus of ransomware, supply-chain attacks and cloud deployments. The two types of cyberattacks that have dominated the news over the past year have been ransomware, and software and service supply-chain attacks. The former have mainly been perpetrated by criminal enterprises looking to turn a quick profit. In contrast, the latter attacks have primarily been the domain of nation-states looking to expand their information-gathering capabilities. There’s a good chance these two approaches will start converging — and it’s going to happen in the cloud. One example of this already happening is the ransomware attack that leveraged Kaseya software – but that was a different kind of supply-chain attack in that the supply chain consisted of the managed security service providers (MSSPs) who were hosting Kaseya software on behalf of their customers. Kaseya itself (unlike SolarWinds) was not hacked, and all the action happened downstream. Why are ransomware and the supply chain coming together? Historically, what started out as nation-state techniques make their way into pen-testing and red teaming tools and eventually become commoditized in attacks undertaken by hackers seeking profit. There’s no reason to think the same won’t happen in this case; thus, it is useful to consider tools and techniques employed in supply-chain attacks as a harbinger of what is to come to ransomware attacks. CLOUD LEVERAGE IN SUPPLY-CHAIN ATTACKS Nation-states have plenty of time and human capital to expend in supply-chain efforts, so the complexity or relatively unknown nature of the environment does not present a significant barrier. In fact, many nation-state attacks involve cloud components — they often mix and match traditional on-prem steps in an attack with steps taken in the cloud. The SolarWinds hack was a case in point. After hacking into SolarWinds and laboriously crafting and inserting a payload into the Orion software, Cozy Bear (aka the Russian SVR) waited for software updates to go out and the infected Orion servers to call home. What followed from there was a careful selection of high-value targets to pursue. One of the common approaches, which was observed across multiple targets, was that the attackers went on to steal the SAML certificate-signing key. The end goal was to be able impersonate an authenticated user accessing data in Office 365 or other software-as-a-service (SaaS)-delivered applications. More recently, that same threat actor (referred to by Microsoft as Nobelium) was reported to be hacking MSSPs, expressly to gain access to administrative account credentials. These were used to create accounts in Azure Active Directory (AD), and then onward to victim’s on-premise AD — the cloud was used again. This all comes against the backdrop of security monitoring having a particular scope (data center, cloud, federated identity, endpoints, etc.) — overall, security monitoring implemented by most organizations doesn’t do a good job of stitching these scopes together, and that presents another advantage to advanced attackers. As they hopscotch through these areas, they can generally count on any slightly suspicious behavior in one scope not leading to elevated concern in the next. THE TRADITIONAL NATURE OF RANSOMWARE ATTACKS In contrast, most ransomware attacks that have made the news have been relatively pedestrian. They have used well-known tool chains that are also used by pen-testers and red teams (think Mimikatz, Cobalt Strike, BloodHound, etc.) to perpetrate attacks on relatively traditional IT environments. There is generally very little reliance on zero-day vulnerabilities (Kaseya being an exception in that the attackers burned a couple of Kaseya VSA server zero-days). When software vulnerabilities are exploited as part of the attack, it’s typically via well-known vulnerabilities for which patches are already available but have not yet been applied by the target. The poster child for this was the EternalBlue exploit in the internal propagation of WannaCry in 2017 – Microsoft released the patch in March, while the large-scale outbreak of WannaCry happened in May. WHY RANSOMWARE WILL COME TO THE CLOUD There is also Willie Sutton’s famous quote when asked why he robbed banks: “Because that’s where the money is.” The migration of data and applications to the cloud which was already well underway at the end of 2019 has been supercharged by the pandemic. And as almost every piece of data of value moves to the cloud, either into SaaS applications or into public-cloud stacks, attackers will undoubtedly follow to the cloud as the pickings for on-premise attacks become slim. And thanks to the supply-chain attacks, detailed information on how clouds operate and how to attack them is becoming commoditized. So once the money moves to the cloud, the ability to attack there will not be limited to nation states. WHAT RANSOMWARE WILL LOOK LIKE IN THE CLOUD With most attacks, there is a question of what the initial point of entry will be and how that initial foothold will be expanded to gain access to valuable data. We have already seen multiple points of entry to attacks involving the cloud: * Account takeover – compromising an endpoint belonging to the organization by coaxing users to provide account credentials in seemingly legitimate exchanges. * Identity system takeover – stealing an organization’s SAML-signing key allows the attacker to authenticate as any account in the system. * Sprawling DMZ – workloads (often created by development teams) in the public cloud which are unpatched or unsecured, and are accessible to the internet without the organization’s security team being aware of them. Lateral movement (from point of entry to targeted data) in the cloud almost always involves stolen or impersonated credentials, or the leverage of available APIs. Cloud systems come with incredibly powerful APIs – particularly for privileged credentials – which enable attackers to rapidly progress to their ultimate goal. TAKEAWAYS There are things organizations can do to prepare for these attacks: * Ensure you keep your SAML-signing key under incredibly strict control and monitor any access to the system which uses the key. * Review your multifactor authentication (MFA) policies – I know, everyone claims to have MFA enabled for all accounts, but most Azure AD customers do this via conditional-access policies, which often contain a mess of contradictory logic which may or may not accomplish what you believe your policy to be. * Review permissions granted to your cloud-accessible identities and practice principles of least privilege. * Carefully monitor the creation of new privileged accounts as well as any use of privileged accounts. * Know thy internet-accessible footprint – where possible, implement overarching policies which prevent a developer from accidentally exposing your cloud footprint to the internet and constantly scan for such accidents on the assumption that such policies can fail. * Shift a substantial portion of your pen testing and red teaming efforts to your public cloud and SaaS applications – find out how hard a target you really are. And obviously, put strict controls over the data you most care about and practice restoring the data from isolated backups. Oliver Tavakoli is CTO at Vectra AI. Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite. Write a comment Share this article: * Cloud Security * InfoSec Insider * Malware SUGGESTED ARTICLES CONTI GANG SUSPECTED OF RANSOMWARE ATTACK ON MCMENAMINS The incident occurred last weekend at the popular chain of restaurants, hotels and breweries, which is still facing disruptions. December 17, 2021 ‘TROPIC TROOPER’ REEMERGES TO TARGET TRANSPORTATION OUTFITS Analysts warn that the attack group, now known as ‘Earth Centaur,’ is honing its attacks to go after transportation and government agencies. December 16, 2021 ‘PSEUDOMANUSCRYPT’ MASS SPYWARE CAMPAIGN TARGETS 35K SYSTEMS It’s similar to Lazarus’s Manuscrypt malware, but the new spyware is splattering itself onto government organizations and ICS in a non-Lazarus-like, untargeted wave of attacks. December 16, 2021 1 DISCUSSION LEAVE A COMMENT CANCEL REPLY This site uses Akismet to reduce spam. Learn how your comment data is processed. INFOSEC INSIDER * CONVERGENCE AHOY: GET READY FOR CLOUD-BASED RANSOMWARE December 17, 2021 * 2022: SUPPLY-CHAIN CHRONIC PAIN & SAAS SECURITY MELTDOWNS December 14, 2021 * NEXT-GEN MALDOCS & HOW TO SOLVE THE HUMAN VULNERABILITY December 10, 2021 * NOT WITH A BANG BUT A WHISPER: THE SHIFT TO STEALTHY C2 December 8, 2021 * ARE YOU GUILTY OF THESE 8 NETWORK-SECURITY BAD PRACTICES? December 6, 2021 Newsletter SUBSCRIBE TO THREATPOST TODAY Join thousands of people who receive the latest breaking cybersecurity news every day. Subscribe now Twitter 1.8M+ attacks, against half of all corporate networks, are attempting to exploit #Log4Shell, including with a new r… https://t.co/dDky1faadm 18 hours ago Follow @threatpost NEXT 00:02 01:15 360p 720p HD 1080p HD Auto (360p) About Connatix V143023 Closed Captions About Connatix V143023 1/1 Skip Ad Continue watching after the ad Visit Advertiser website GO TO PAGE SUBSCRIBE TO OUR NEWSLETTER, THREATPOST TODAY! Get the latest breaking news delivered daily to your inbox. Subscribe now Threatpost The First Stop For Security News * Home * About Us * Contact Us * Advertise With Us * RSS Feeds * Copyright © 2021 Threatpost * Privacy Policy * Terms and Conditions * Advertise * * * * * * * TOPICS * Black Hat * Breaking News * Cloud Security * Critical Infrastructure * Cryptography * Facebook * Government * Hacks * IoT * Malware * Mobile Security * Podcasts * Privacy * RSAC * Security Analyst Summit * Videos * Vulnerabilities * Web Security Threatpost * * * * * * * TOPICS * Cloud Security * Malware * Vulnerabilities * Privacy Show all * Black Hat * Critical Infrastructure * Cryptography * Facebook * Featured * Government * Hacks * IoT * Mobile Security * Podcasts * RSAC * Security Analyst Summit * Slideshow * Videos * Web Security AUTHORS * Tara Seals * Tom Spring * Lisa Vaas THREATPOST * Home * About Us * Contact Us * Advertise With Us * RSS Feeds Search * * * * * * * InfoSec Insider INFOSEC INSIDER POST Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial. Sponsored SPONSORED CONTENT Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content. We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information. ACCEPT AND CLOSE