How secure are your cloud providers?
New approach by Chinese hackers compromises MSPs, then infiltrates customers...
A new report details the innovative way a group of hackers is growing its operation: compromising cloud service providers to get access to the data of their customers.
Previously groups of hackers were known to use hacked cloud services like ‘warehouses’ for attack tools and malware. However, this new strategy means that the ‘cyber espionage’ group in question can use the secure channels between cloud provider or MSP and client business to infiltrate malware and exfiltrate data with impunity, as most enterprises will whitelist their cloud service providers.
According to 2016 stats from the Cloud Industry Forum, more than four in five of the UK organizations have formally adopted at least one cloud service.
PwC UK and BAE Systems report on a group of hackers known in the cybersecurity community by a range of monikers, including MenuPass (Trend Micro), APT10 (FireEye), CVNX (BAE Systems), Red Apollo (PwC), POTASSIUM (Microsoft), and Stone Panda (CrowdStrike).
In the campaign the report calls Operation Cloud Hopper, APT10 hacked managed IT service providers (MSPs) to gain unprecedented access to the personal details of the MSPs and their clients worldwide. As the report shows, the same group also targeted several Japanese enterprises in a separate, similar campaign.
APT10 previously targeted employees in key enterprise environments with traditional spear-phishing techniques, but in late 2016 it switched to less well-secured MSP networks and their personnel. This resulted in a set of global hacks, including organizations in the United States, the United Kingdom, Japan, France, South Africa, Brazil, Canada and Australia.
The group has developed its own malware strains, as well as adapting existing Trojans in an evolving toolbox the report states is indicative of APT10’s “increasing sophistication”, which the authors believe is highly likely to continue. The hackers sensibly use a range of open-source, legitimate tools to minimize the risk of detection, and also use standard Windows functions such as ping.exe and net.exe for communication checks, with the same goal in mind.
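The living-off-the-land behaviour described above (ping.exe and net.exe run through a trusted provider's access) is the kind of thing a whitelisted MSP channel hides from perimeter controls, so it has to be caught on the endpoint. The following is an added detection example, not code from the report or from any vendor named here; the account name, process-creation events and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not taken from the report):
# "timestamp|user|parent_image|image|command_line"
SAMPLE_EVENTS = """\
2017-04-03T02:11:05|CORP\\msp-svc|rmm-agent.exe|C:\\Windows\\System32\\ping.exe|ping -n 1 fileserver01
2017-04-03T02:11:09|CORP\\msp-svc|rmm-agent.exe|C:\\Windows\\System32\\net.exe|net view \\\\fileserver01
2017-04-03T02:11:20|CORP\\msp-svc|rmm-agent.exe|C:\\Windows\\System32\\net.exe|net use Z: \\\\fileserver01\\finance
2017-04-03T09:30:00|CORP\\jsmith|explorer.exe|C:\\Windows\\System32\\ping.exe|ping -n 1 printer02
2017-04-03T14:02:44|CORP\\msp-svc|rmm-agent.exe|C:\\Windows\\System32\\net.exe|net start spooler
"""

# Built-in Windows tools the article says the group uses for communication checks
LOLBINS = {"ping.exe", "net.exe"}
# Assumed: the account the MSP's remote-management tooling logs in with
MSP_ACCOUNTS = {"CORP\\msp-svc"}


def parse_event(line):
    """Split one pipe-delimited event into a dict; image is reduced to its basename."""
    ts, user, parent, image, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "user": user, "parent": parent,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def find_msp_recon(text, window=timedelta(minutes=5), threshold=3):
    """Alert when an MSP account runs >= threshold LOLBin commands inside one window.

    A single 'net start' from a provider is normal maintenance; a burst of
    ping/net commands against internal hosts is the reconnaissance pattern.
    """
    by_user = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["user"] in MSP_ACCOUNTS and ev["image"] in LOLBINS:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):            # sliding window over the account's events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "first": evs[start]["time"],
                               "last": evs[end]["time"],
                               "commands": [e["cmdline"] for e in evs[start:end + 1]]})
                break                          # one alert per account per burst
    return alerts
```

On the constructed sample this raises one alert for the provider account's three commands between 02:11:05 and 02:11:20 and ignores both the employee's single ping and the provider's lone service restart.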
Ilia Kolochenko, CEO of ImmuniWeb, said: “Until we get other details about the attacks, we can’t make any reliable conclusions about who is behind APT10. Knowing how inattentive some cloud service providers are, I will not be surprised if we find out that they were conducted by a group of teenagers.
“Cloud services providers must better evaluate their risks, and do their best to mitigate all possible risks. For example, by means of cloud penetration testing. Security regulations, like ISO 27001, are able to essentially help ensure that the corresponding risks are continuously monitored and identified. For cybersecurity companies, CREST accreditation is also an important criterion to show the necessary standard of care about security for their own and clientele data.
Companies eager to secure their supply chain as well should prompt their suppliers to get ISO 27001 certification or provide proven insurance to cover any possible data leakage.”
PwC UK and BAE Systems reached a similar conclusion, stating that the campaign highlights how important complete visibility of a company’s own attack surface, and that of its supply chain, is. Moreover, it should encourage enterprises to use continuous cloud penetration testing and to fully evaluate the risks arising from their third-party relationships.
Compromise via a third party isn’t a novel idea, but it certainly seems to be an effective one from the point of view of APT10, and one worthy of consideration for any enterprise. The report contains a range of technical indicators of compromise (IoCs), so it is worth reading it and updating firewalls and security appliances with them.