Protecting against cloudy targeted attacks

Alexander Adamov - April 26, 2016

Recently, we’ve seen a more sharpened focus on targeted attacks as a powerful tool of numerous cyber espionage campaigns affecting high-profile victims, including government organizations such as the White House and US State Department, which were attacked by CozyDuke APT.

The main problem with targeted attacks is that they can be difficult (if not impossible) to detect using a standard set of security solutions such as network and host Intrusion Detection/Prevention Systems, because these systems rely on well-known attack signatures, and producing such signatures requires a larger number of observed infections than these attacks typically generate. What's more, targeted attacks can stay undetected for long periods while an attacker is building and maintaining an espionage network. That is why they are called Advanced Persistent Threats.

Social engineering techniques and 0-day exploits are usually used to bypass intrusion detection scanners and install surveillance software.

Currently, attackers appear to have three main interests:

  1. Destroying facilities using a cyber weapon. For example, Stuxnet was used to sabotage the Iranian nuclear program by compromising SCADA servers and modifying behaviors of programmable logic controllers (PLCs) to change the rotating frequency of centrifuges for uranium enrichment, effectively taking them out of operation.
  2. Cyber espionage, mostly to set up surveillance over government and military organizations.
  3. Gaining financial profit, either by executing a cyber bank robbery (Carbanak APT), or by encrypting data using cryptolockers in order to force an organization into paying a ransom.


The cryptolocker attack can be loosely defined as targeted, because it may cover a rather large set of targets. Cryptolockers are propagated the same way as regular targeted attacks – through phishing emails and hijacked websites visited daily by employees (otherwise known as a "watering hole attack").

One example is the recently discovered Linux.Encoder.1, which targets Web hosting providers by encrypting the "apache2", "nginx", "mysql", and "www" folders on Linux servers. Cryptolockers can be equipped with sophisticated passive and active self-protection methods. For example, the latest versions of TeslaCrypt use API call obfuscation to bypass antivirus protection and terminate the monitors and configuration tools that malware analysts and forensics experts use to diagnose an infection.

Another interesting aspect of these attacks is that clouds can become not only targets, but an actual component of the attack itself. Attackers use cloud infrastructure to upload stolen information and to download updates for their backdoors. For example, CloudAtlas used the CloudMe public storage service, and Minidionis/CloudLook used OneDrive. Previously, Dropbox was used by the NrgBot/DorkBot botnet to deliver new versions of its malware.
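The pattern described above, public cloud storage serving as an exfiltration and update channel, is something a defender can look for in egress proxy logs. The following is an added example, not code from the article or from Mirantis: it parses a constructed proxy log excerpt and flags hosts that bulk-upload to a watchlist of consumer cloud-storage domains, as well as servers that should never talk to such services at all. The domain watchlist, the hostnames, the `srv-` naming convention and the 5 MB threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log excerpt (not from the article). Fields: timestamp, source host,
# HTTP method, URL, bytes carried in the request body.
SAMPLE_PROXY_LOG = """\
2016-04-26T09:01:12Z ws-finance-07 GET https://intranet.example.local/news 0
2016-04-26T09:02:44Z ws-finance-07 POST https://content.dropboxapi.com/2/files/upload 4194304
2016-04-26T09:03:10Z ws-finance-07 POST https://content.dropboxapi.com/2/files/upload 6291456
2016-04-26T09:05:31Z ws-hr-02 GET https://onedrive.live.com/download?cid=ABC 2048
2016-04-26T09:07:02Z srv-build-01 GET https://www.cloudme.com/v1/files/update.bin 0
2016-04-26T09:09:55Z ws-hr-02 POST https://www.cloudme.com/v1/files 1024
"""

# Illustrative watchlist (an assumption) covering the services named in the article. In a
# real deployment this comes from the proxy's URL-category feed, minus sanctioned services.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com", "cloudme.com", "onedrive.live.com")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    h = HOST_RE.match(rec["url"])
    rec["domain"] = h.group(1).lower() if h else ""
    return rec


def is_cloud_storage(domain):
    """True if the domain is, or is a subdomain of, a watchlisted cloud-storage service."""
    return any(domain == d or domain.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def analyze(log_text, upload_threshold=5 * 1024 * 1024, server_prefix="srv-"):
    """Return findings as tuples. Two detections are applied:
    - any host named with server_prefix contacting a cloud-storage domain (servers have no
      business there, so even a download looks like an update channel);
    - any host whose POST/PUT volume to cloud-storage domains reaches upload_threshold
      (possible bulk exfiltration)."""
    uploaded = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cloud_storage(rec["domain"]):
            continue
        if rec["host"].startswith(server_prefix):
            findings.append(("server_to_cloud_storage", rec["host"], rec["domain"], rec["method"]))
        if rec["method"] in ("POST", "PUT"):
            uploaded[rec["host"]] += rec["bytes"]
    for host, total in uploaded.items():
        if total >= upload_threshold:
            findings.append(("bulk_upload_to_cloud_storage", host, total))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROXY_LOG):
        print(finding)
```

On the sample data this flags `srv-build-01` for fetching a file from CloudMe and `ws-finance-07` for pushing roughly 10 MB to Dropbox, while the small HR upload stays below the threshold. The byte threshold is the knob to tune against your own baseline; the server rule needs no tuning beyond an allowlist of services the servers are actually meant to use.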

If you want to learn more on how to protect your cloud against targeted attacks, please attend our OpenStack Summit talk “Using Open Source Security Architecture to Defend against Targeted Attacks” in Austin, TX. We’ll see you there!
