Trend Micro Incorporated : 1H’2021 Security Review Shows Active Cloud Attacks

Threats Impacting Cloud Environments

In our first half report, we highlight an APT group named TeamTNT that has been targeting clouds for quite a while now. They have focused most of their efforts on planting crypto-mining malware on cloud servers in an effort to mine Monero coins, but we have also seen them utilize DDoS IRC bots, steal cloud account credentials, and exfil data. As you can see from the above diagram, all of these are end goals for most attacks.

Speaking of data exfil, in the first half we saw APT actors utilize cloud-based file storage to exfiltrate their stolen data. For example, we found that Conti operators use the cloud storage synchronization tool Rclone to upload files to the Mega cloud storage service. Similarly, DarkSide operators used Mega client for exfiltrating files to cloud storage, 7-Zip for archiving, and PuTTY application for network file transfers. This use of known, legitimate tools is not new; we call that ‘living off the land’ and have seen this tactic pick up recently, including usage by ransomware actors. Many organizations now need to look at ways of monitoring legitimate tools usage within their networks to identify any malicious uses.

Cloud Security Architecture

When developing your cloud security architecture and strategy, it is important to always keep the ends in mind. In this case, what are the motivation and end goals of an attacker?

As you see in the image above, most cloud attacks are going to fall into one of these areas. Depending on what you are doing as part of your cloud infrastructure, you should be able to identify if any or all of these end goals could be targeted in your environment. From there, you can work backwards to develop your strategy for protecting those initial access areas tied to the different attacks.

A challenge many organizations face is that the cloud isn’t simple, and many of the technologies that make up the cloud are new, with new features being deployed all the time. Understanding how these work and – more importantly – how to secure them can be very difficult. Utilizing a security platform approach can help build your cloud to be more secure, but educating your architects and administrators will also help. One key area is hardening your cloud account credentials, as these will be regularly targeted by malicious actors. Using multi-factor authentication to access all accounts can minimize this risk tremendously. Take a look at Trend Micro Cloud One, part of our complete cybersecurity platform, to learn more.

The cloud is only one aspect of our full 1H 2021 report. To get more details on all the different threats and attacks we observed, download and read the full report here.