Top 10 Cloud Attacks and What You Can Do About Them - Aqua


Cloud attacks are various types of cyber attacks that target cloud computing resources and infrastructure.

Amit Sheps
January 4, 2023

What Are Cloud Attacks?

A cloud attack is a cyber attack that targets cloud-based service platforms, such as computing services, storage services, or hosted applications in a platform as a service (PaaS) or software as a service (SaaS) model. 

Cloud attacks can have serious consequences, such as data breaches, data loss, unauthorized access to sensitive information, and disruption of services.  

As more organizations and individuals rely on cloud computing for storing and processing data, there is a corresponding increase in the number of potential targets for attackers. Many organizations may not be aware of the risks and vulnerabilities associated with cloud computing, or may not have sufficient measures in place to protect against these threats.

To protect against these vulnerabilities and risks, it is important for organizations to implement appropriate security measures and to regularly monitor and review the security of their cloud assets. This may include implementing access controls, encrypting data, implementing backup and recovery processes, and regularly updating and patching systems and applications.


10 Types of Cloud Computing Attacks 

1. Denial-of-Service Attacks

A denial-of-service (DoS) attack aims to make a computer or network resource unavailable to its intended users. Against a cloud service it typically means flooding the service with more traffic or requests than it can handle, often from many compromised machines at once (a distributed DoS, or DDoS), or sending requests that are cheap for the attacker to generate but expensive for the service to process, until the system can no longer serve legitimate requests.

DoS attacks can have serious consequences, including disrupting the availability of critical services, causing financial losses, and damaging an organization’s reputation. 

Cloud-based DoS attacks can be particularly challenging to defend against, as the scale and complexity of cloud environments can make it difficult to identify and mitigate the attack.
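The application-layer control that keeps one abusive client from starving everyone else is per-client rate limiting. The following is an added example written for this article, not code from the original page: a token-bucket limiter keyed by client, run against a constructed timeline in which one source floods the service while another sends normal traffic. The client keys, rates and timings are assumptions, and `now` is passed in explicitly so the run is deterministic.

```python
"""Per-client token-bucket rate limiting for a cloud API front end.

Added example for this article, not code from the original page. Client keys,
rates and the request timeline are constructed; `now` is passed in explicitly
so the simulation is deterministic.
"""
from collections import defaultdict


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; a request costs one."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now, cost=1.0):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (authenticated principal, API key, or the
    source IP as reported by a trusted proxy) so that clients are isolated
    from each other: exhausting one bucket does not touch the others."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def check(self, key, now):
        return self.buckets[key].allow(now)


def simulate():
    """Constructed scenario: 100 requests in one second from one source next
    to a client sending one request per second. Returns (attacker_allowed,
    legit_allowed)."""
    limiter = RateLimiter(rate=5.0, burst=10)
    attacker_allowed = sum(limiter.check("203.0.113.7", now=i * 0.01) for i in range(100))
    legit_allowed = sum(limiter.check("192.0.2.10", now=float(i)) for i in range(5))
    return attacker_allowed, legit_allowed


if __name__ == "__main__":
    attacker, legit = simulate()
    print(f"flood source got {attacker}/100 through, normal client got {legit}/5")
```

The flood source gets its initial burst plus whatever trickles in from refill, and nothing more, while the normal client is never throttled because it has its own bucket. This only addresses request floods that reach the application; volumetric attacks that saturate the network must be absorbed upstream by the provider's DDoS protection.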

2. Account Hijacking 

Account hijacking in the cloud refers to the unauthorized access or control of a cloud computing account by an attacker. This can allow the attacker to use the associated resources for their own purposes, or to steal or manipulate data stored in the cloud. 

For example, attackers can obtain credentials by brute-force guessing, by replaying username and password pairs leaked from other breaches (credential stuffing), by phishing, or by finding access keys committed to code repositories, and then sign in to the cloud console or API as the legitimate owner. Multi-factor authentication and alerting on unusual sign-in patterns are the first line of defense. Account hijacking can lead to financial losses and damage to an organization's reputation.
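The guessing techniques above leave a recognizable trace in the provider's sign-in audit log: a burst of failures from one source, followed, if the attack worked, by a success. The following detection is an added example written for this article, not code from the original page. The log format (timestamp, source IP, username, outcome) is a constructed simplification of a cloud audit log, the events are made up, and the thresholds are assumptions to tune per environment.

```python
"""Detecting password guessing against cloud logins from authentication logs.

Added example for this article, not code from the original page. The log
format is a constructed simplification, the events are made up, and the
thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays many accounts and then succeeds
# (credential stuffing), one hammers a single account (brute force), and one
# user simply mistypes a password and logs in an hour later.
SAMPLE_LOG = """\
2023-01-04T10:00:01Z 203.0.113.7 alice FAILURE
2023-01-04T10:00:02Z 203.0.113.7 bob FAILURE
2023-01-04T10:00:03Z 203.0.113.7 carol FAILURE
2023-01-04T10:00:04Z 203.0.113.7 dave FAILURE
2023-01-04T10:00:05Z 203.0.113.7 erin FAILURE
2023-01-04T10:00:09Z 203.0.113.7 frank SUCCESS
2023-01-04T10:01:00Z 198.51.100.9 admin FAILURE
2023-01-04T10:01:01Z 198.51.100.9 admin FAILURE
2023-01-04T10:01:02Z 198.51.100.9 admin FAILURE
2023-01-04T10:01:03Z 198.51.100.9 admin FAILURE
2023-01-04T10:01:04Z 198.51.100.9 admin FAILURE
2023-01-04T10:01:05Z 198.51.100.9 admin FAILURE
2023-01-04T09:00:00Z 192.0.2.10 alice FAILURE
2023-01-04T10:05:00Z 192.0.2.10 alice SUCCESS
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "user": user, "outcome": outcome})
    return events


def detect_password_guessing(events, window=timedelta(minutes=5),
                             max_failures=5, max_distinct_users=3):
    """Flag a source that produces >= max_failures failed logins inside any
    `window`. Many distinct usernames means credential stuffing (a leaked
    password list tried across accounts); one username means brute force.
    A success from the same source after the burst is the signal that the
    account was actually hijacked and needs immediate response."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["outcome"] == "FAILURE" else successes)[e["src"]].append(e)

    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(fails)):                 # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < max_failures:
            continue
        users = sorted({e["user"] for e in best})
        kind = "credential stuffing" if len(users) >= max_distinct_users else "brute force"
        later = sorted({e["user"] for e in successes[src] if e["ts"] > best[-1]["ts"]})
        findings.append({"src": src, "kind": kind, "failures": len(best),
                         "users": users, "followed_by_success": later})
    return findings


if __name__ == "__main__":
    for f in detect_password_guessing(parse_events(SAMPLE_LOG)):
        print(f)
```

The single failure from 192.0.2.10 never reaches the threshold, so it is not reported; the two attacking sources are, and the credential-stuffing source is additionally marked with the account it got into, which is the one to lock and investigate first.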

3. Security Misconfiguration

Security misconfiguration is the failure to configure cloud resources and infrastructure so that they are protected against threats. Typical examples are storage buckets or databases left reachable from the internet without authentication, overly permissive identity and access management (IAM) policies, security groups that open administrative or database ports to the world, unchanged default credentials, logging left disabled, and systems and applications that are not kept patched. Because cloud resources are created through APIs and templates, a single mistake is easily copied across many deployments.

4. User Account Compromise 

User account compromise typically involves an attacker gaining access to an account through the actions of the account owner, such as by tricking the user into revealing their login credentials or by exploiting a vulnerability in a system or application used by the user.  

This differs from account hijacking, which involves an attacker gaining unauthorized access to an account through means such as password cracking or exploiting vulnerabilities in the cloud infrastructure. 

5. Cloud Malware Injection Attacks

Cloud malware injection attacks are a type of cyber attack that involves injecting malicious software, such as viruses or ransomware, into cloud computing resources or infrastructure. This can allow the attacker to compromise the affected resources and steal or destroy data, or to use the resources for their own purposes.

There are several ways in which attackers can inject malware into cloud resources, including:

  • Exploiting vulnerabilities in the cloud infrastructure or in the systems and applications running on the cloud.
  • Adding a malicious service module to a SaaS or PaaS system, or an infected VM to an IaaS system, and diverting user traffic to it.
  • Gaining unauthorized access to cloud accounts and injecting malware through the use of malware-infected files or links. 

6. Insider Threats

Insider threats in a cloud environment refer to the risk of unauthorized access or misuse of cloud computing resources by individuals within an organization, such as employees or contractors. These individuals may have legitimate access to the cloud assets, but may misuse or abuse that access for their own purposes, or may accidentally expose the assets to risk through their actions.

Insider threats can be particularly challenging to detect and prevent because they often involve individuals who are authorized to access the cloud assets and who may not be acting maliciously. They can also be difficult to mitigate because they often involve a high level of trust and access within the organization.

7. Side-Channel Attacks

A side-channel attack exploits information that leaks through the physical implementation of a system, such as timing, power consumption, or shared CPU cache state, rather than through its logical interfaces. 

In a cloud environment, attackers can attempt this by getting a malicious virtual machine scheduled on the same physical host as a target (co-residency) and then measuring shared hardware, for example cache access timing, to infer what the neighbouring VM is doing. This does not hand the attacker the victim's data outright; it lets them infer specific secrets, such as cryptographic keys, from the leaked measurements. The same class of leak exists at the application layer whenever a secret is compared with a routine whose running time depends on how much of the input matched. 

Side-channel attacks are used to extract sensitive information such as passwords and encryption keys. Countermeasures include constant-time cryptographic implementations, dedicated or bare-metal hosts for sensitive workloads, and the hypervisor-level mitigations providers deploy for hardware flaws.
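The following is an added example written for this article, not code from the original page. It does not simulate cache contention between VMs; it uses the simplest member of the same family, a timing leak in a secret comparison, and recovers a constructed token one character at a time from the leak. `SECRET` and `ALPHABET` are assumptions, and the step count stands in for the response latency a remote attacker would measure over many requests.

```python
"""Timing side channel in a secret comparison, and its constant-time fix.

Added example for this article, not code from the original page. SECRET and
ALPHABET are constructed values; `steps` stands in for the response time a
remote attacker would measure over many requests.
"""
import hmac
import string

SECRET = "s3cr3t"                                   # constructed API token
ALPHABET = string.ascii_lowercase + string.digits   # assumed token alphabet


def insecure_compare(secret, guess):
    """Early-exit comparison. Returns (equal, steps): the loop stops at the
    first mismatch, so `steps` reveals how long the matching prefix is."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret, guess):
    """Constant-time comparison: hmac.compare_digest examines the whole input
    regardless of where the first mismatch is, so the step count is fixed."""
    equal = hmac.compare_digest(secret.encode(), guess.encode())
    return equal, len(secret)


def recover_via_timing(oracle, length, alphabet):
    """Recover a secret one character at a time: for each position try every
    character and keep the one whose comparison ran longest. A full match is
    scored one higher so the final character is distinguishable."""
    known = ""
    for pos in range(length):
        best_char, best_score = alphabet[0], -1
        for c in alphabet:
            # "\0" pads the guess to the right length and never matches
            candidate = known + c + "\0" * (length - pos - 1)
            equal, steps = oracle(candidate)
            score = steps + (1 if equal else 0)
            if score > best_score:
                best_char, best_score = c, score
        known += best_char
    return known


def attack_insecure():
    return recover_via_timing(lambda g: insecure_compare(SECRET, g), len(SECRET), ALPHABET)


def attack_constant_time():
    return recover_via_timing(lambda g: constant_time_compare(SECRET, g), len(SECRET), ALPHABET)


if __name__ == "__main__":
    print("against early-exit compare:   ", attack_insecure())
    print("against constant-time compare:", attack_constant_time())
```

Against the early-exit comparison the attacker needs at most `len(ALPHABET) * len(SECRET)` queries instead of `len(ALPHABET) ** len(SECRET)`; against the constant-time version every candidate scores the same and the "recovered" value is just the first character of the alphabet repeated. In a real deployment the leak is buried in network jitter and has to be averaged out over many requests, which is why the fix is to remove the dependency on secret data rather than to add noise.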

8. Cookie Poisoning

Cookie poisoning in cloud applications refers to the unauthorized modification of, or injection of malicious content into, a cookie: a small piece of data that a website or web application stores on a user's computer and that the browser sends back with every request. 

Cookies are used to store information about a user's preferences and browsing history, and are often used to personalize the user's experience or to track their activity. In SaaS and other cloud applications, cookies also carry session identifiers and sometimes application state such as the user's identity or role. If the server trusts that state without verifying it (for example, an unsigned cookie containing role=user), an attacker can edit the cookie to escalate privileges or impersonate another user. 
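The following is an added example written for this article, not code from the original page. It shows an unsigned session cookie being poisoned to escalate a user to administrator, and the same cookie protected with an HMAC tag so that the tampered value is rejected. The cookie layout (URL-safe base64 JSON, optionally followed by `.<hmac>`) and `SECRET_KEY` are assumptions; a real application keeps that key in a secret manager and rotates it.

```python
"""Cookie poisoning against an unsigned session cookie, and an HMAC-signed
cookie that rejects the tampered value.

Added example for this article, not code from the original page. The cookie
layout and SECRET_KEY are assumptions.
"""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"server-side-key-never-sent-to-the-client"   # assumed


def _encode(session):
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def _decode(payload):
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


# --- vulnerable: the server trusts whatever the client sends back ----------
def make_unsigned_cookie(session):
    return _encode(session)


def read_unsigned_cookie(cookie):
    return _decode(cookie)


# --- hardened: the payload carries an HMAC tag the client cannot forge -----
def make_signed_cookie(session, key=SECRET_KEY):
    payload = _encode(session)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed_cookie(cookie, key=SECRET_KEY):
    """Returns the session dict, or None if the cookie is malformed or tampered."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time check
        return None
    try:
        return _decode(payload)
    except ValueError:                              # bad base64 or bad JSON
        return None


# --- attacker's side: edit the cookie in the browser or an intercepting proxy
def poison(cookie, **changes):
    payload, sep, tag = cookie.rpartition(".")
    if not sep:                     # unsigned cookie: the whole string is the payload
        payload, tag = cookie, ""
    session = _decode(payload)
    session.update(changes)
    new_payload = _encode(session)
    return f"{new_payload}.{tag}" if sep else new_payload


if __name__ == "__main__":
    session = {"user": "alice", "role": "user"}
    print("unsigned, poisoned:", read_unsigned_cookie(poison(make_unsigned_cookie(session), role="admin")))
    print("signed, poisoned:  ", read_signed_cookie(poison(make_signed_cookie(session), role="admin")))
```

Signing stops tampering but not theft: a stolen signed cookie is still a valid session, so it must also be marked `Secure`, `HttpOnly` and `SameSite`, given a short lifetime, and, where the state is sensitive, kept server-side behind an opaque session identifier rather than sent to the client at all.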

9. Insecure APIs

Insecure APIs have vulnerabilities that can be exploited by attackers to gain unauthorized access to systems or data, or to disrupt the operation of the API.

Examples include:

  • Shadow APIs: APIs that are not properly documented or authorized, and may not be known to the organization that owns the API. These APIs can be created by developers or other users within the organization, and can expose sensitive data or functionality to unauthorized parties.
  • API parameters: The inputs an API accepts, such as path segments, query strings, headers, and request bodies. If they are passed to a database, shell, or another service without validation and without parameterization or escaping, they become injection points.
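The following is an added example written for this article, not code from the original page. It models a multi-tenant user-lookup endpoint as a plain function over an in-memory SQLite table: first written the way too many APIs are, with the parameter pasted into the query, then hardened with an allow-list check on the parameter and a parameterized query. The table, rows, tenant names and API keys are constructed.

```python
"""Injection through an unvalidated API parameter, and the hardened version.

Added example for this article, not code from the original page. The table,
rows, tenant names and API keys are constructed; the endpoint is modelled as a
plain function rather than a web framework handler.
"""
import re
import sqlite3


def build_db():
    """Constructed multi-tenant table that the API queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, tenant TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users (name, tenant, api_key) VALUES (?, ?, ?)",
        [("alice", "acme", "key-alice"), ("bob", "acme", "key-bob"),
         ("mallory", "other-tenant", "key-mallory")],
    )
    return conn


def lookup_vulnerable(conn, tenant, name):
    """GET /users?name=... with the parameter pasted straight into SQL, so a
    crafted value changes the query's structure and defeats the tenant filter."""
    sql = f"SELECT name, api_key FROM users WHERE tenant = '{tenant}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")   # assumed username format


def lookup_hardened(conn, tenant, name):
    """Same endpoint with two controls: the parameter is validated against an
    allow-list pattern (reject early, return HTTP 400), and the query is
    parameterised so the value can never be interpreted as SQL."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid 'name' parameter")
    return conn.execute(
        "SELECT name, api_key FROM users WHERE tenant = ? AND name = ?", (tenant, name)
    ).fetchall()


def demo():
    conn = build_db()
    payload = "x' OR '1'='1"                      # classic tautology injection
    try:
        hardened_injected = lookup_hardened(conn, "acme", payload)
    except ValueError as exc:
        hardened_injected = str(exc)
    return {
        "vulnerable_injected": lookup_vulnerable(conn, "acme", payload),
        "hardened_legit": lookup_hardened(conn, "acme", "alice"),
        "hardened_injected": hardened_injected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The injected value turns the `WHERE` clause into `(tenant = 'acme' AND name = 'x') OR '1'='1'`, so the vulnerable version returns every row, including the other tenant's API key. Parameterization alone is what stops the injection; the allow-list validation is defense in depth that also rejects malformed input before it reaches any backend.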

10. Cloud Cryptomining 

A cloud cryptomining attack (cryptojacking) is a type of cyber attack in which attackers use cloud computing resources to mine cryptocurrency without the knowledge or consent of the owner of the resources. Cryptomining is the process of spending computing power on the proof-of-work hashing that many blockchain networks use to validate transactions, in return for newly minted coins.

In a cloud cryptomining attack, attackers use stolen or compromised credentials to access cloud computing resources, such as virtual machines or containers, and run miners on them; they may also get in through exposed container or orchestration APIs, vulnerable web applications, or malware. The attacker keeps the coins while the victim pays the compute bill, so the first symptoms are often unexplained CPU usage, cost spikes, and outbound connections to mining pools.

Real-World Cloud Attack Examples

Kaseya

In July 2021, IT management software vendor Kaseya was hit by a supply chain ransomware attack on VSA (Virtual System Administrator), its remote monitoring and management product. Attackers exploited vulnerabilities in VSA to gain administrative control of VSA servers and used them to push ransomware to the managed service providers (MSPs) running VSA and onward to those MSPs' customers.

Kaseya took its SaaS VSA servers offline as a precaution; the attack itself hit on-premises VSA servers run by Kaseya customers in 10 countries. Kaseya alerted customers immediately and later released a VSA detection tool so customers could check their VSA servers for indicators of compromise.

Facebook

In April 2019, security researchers at UpGuard reported that hundreds of millions of Facebook user records had been left in publicly accessible Amazon Web Services (AWS) S3 storage buckets. Facebook said the data was taken down once it was notified.

The records had been collected and stored by two third-party app developers, not by Facebook itself: the cloud storage was theirs, but the data belonged to Facebook's users. The exposed databases contained personal information that could be used for social engineering and targeted phishing attacks.

Cognyte

In May 2021, cybersecurity analytics company Cognyte left a cloud-based database exposed to the internet without authentication. This gave attackers a free run at about 5 billion records. The records included names, email addresses, passwords, and details of vulnerabilities within customer systems, which could be highly valuable to attackers.

The information was made public and indexed by search engines—this included Cognyte’s threat intelligence data, which contained information about historic security breaches. It took Cognyte 4 days to secure the data and remove it from the public domain.

Verizon

Verizon Communications, a telecommunications giant, has been involved in cloud-related security incidents on both sides. In 2017, Verizon partner NICE Systems exposed data on millions of Verizon customers through a misconfigured Amazon S3 bucket. Separately, Verizon's 2021 Data Breach Investigations Report, which analyzes incidents contributed by Verizon and its partners rather than attacks on Verizon itself, covered 29,207 security incidents, of which over 5,200 were confirmed breaches. 

Those incidents included DDoS, social engineering, and client-side web application flaws that led to compromise of server-side systems. The report attributed most breaches to the "human element", amplified by the shift to remote work during the COVID-19 crisis.

Raychat

In February 2021, the online chat app Raychat experienced a massive cyberattack. A cloud database managed by Raychat was exposed, giving attackers free access to 267 million records containing usernames, emails, passwords, metadata, and encrypted chats. Shortly thereafter, an automated bot attack wiped the database.

An investigation showed that the data was exposed due to a MongoDB misconfiguration. This attack highlights that NoSQL databases left reachable from the internet without authentication are easy targets, and that the same exposure that lets attackers read the data also lets them destroy it.


What You Can Do About Cloud Attacks: Prevention and Protection

Here are some best practices to help prevent and mitigate cloud attacks.

Encrypt All Data in the Cloud 

Encrypting data is important in the cloud because it helps protect sensitive and confidential information from unauthorized access, even if the data is stolen or accessed by an unauthorized party. When data is encrypted, it is converted into a format that is unreadable to anyone without the proper decryption key. This means that even if an attacker gains access to the data, they will not be able to read or make sense of it.

There are typically three stages at which data needs to be encrypted:

  • At-rest encryption: This refers to encrypting data when it is stored, such as on a hard drive or in a cloud storage service. This ensures that data is protected when it is not in use and can’t be read or accessed by unauthorized parties.
  • In-transit encryption: This refers to encrypting data when it is being transmitted across networks, such as when it is sent to or from a cloud service provider. This ensures that data is protected during transit and cannot be intercepted and read by unauthorized parties.
  • In-use encryption: This refers to protecting data while it is being processed. Fully homomorphic encryption allows computation directly on ciphertext, so the data never has to be decrypted, but it remains far too slow for most workloads. What cloud providers actually offer today is confidential computing: running the workload inside a hardware-isolated enclave or confidential VM whose memory is encrypted by the CPU, and which can prove its identity and integrity to a remote party through attestation before any secrets are released to it.

Control Access to Cloud Services

Restricting access to cloud services is necessary because it helps to limit the potential attack surface. Organizations can reduce the likelihood of a successful attack by limiting the number of people who have access to cloud resources and data. Additionally, by granting access only to those who need it, organizations can reduce the potential impact of a successful attack.

Here are a few examples of how restricting access can help prevent cloud attacks:

  • Limiting access to cloud storage resources can prevent attackers from being able to access and steal sensitive data.
  • Restricting access to cloud-based applications, for example by requiring authentication before any expensive operation and rate-limiting each client, shrinks the surface an attacker can use to exhaust the application's resources; volumetric floods still need network-level protection from the provider.
  • By controlling access to cloud-based infrastructure, organizations can prevent unauthorized users from compromising virtual machines, which could lead to data breaches.
  • By controlling access to cloud services, organizations can prevent privileged insiders from misusing their access and stealing or damaging data.

Enforce Secure API Access 

Ensuring that clients only access cloud applications via secure APIs is important for several reasons:

  • Security: APIs are the main entry point for clients to access cloud applications and data, so it is crucial to ensure that these APIs are secure and that only authorized clients can access them. This helps to prevent unauthorized access to data and resources, as well as to protect against various types of attacks, such as injection attacks, cross-site scripting, and other malicious activities.
  • Authentication and authorization: Secure APIs can use various mechanisms such as token-based authentication, multi-factor authentication, and role-based access controls to ensure that only authorized clients can access the cloud application and its resources.
  • Data validation: By using secure APIs, organizations can validate the data received from clients before processing it. This ensures that the data is in the correct format and does not contain malicious payloads.

Leverage a CSPM Solution

A cloud security posture management (CSPM) solution is a tool that helps organizations manage and secure their cloud assets. It can help protect against cloud attacks in several ways:

  • Asset management: A CSPM solution can help organizations identify and inventory their cloud assets, including the systems and applications running on the cloud, the data stored in the cloud, and the users and groups that have access to the cloud. This can help organizations better understand their cloud environment and identify potential vulnerabilities that could be exploited by attackers.
  • Compliance: By providing visibility into the security posture of cloud assets, a CSPM solution can help organizations identify and remediate any compliance issues that could expose them to risk.
  • Threat detection: By monitoring cloud assets for unusual activity or potential vulnerabilities, a CSPM solution can help organizations identify and mitigate threats before they can cause damage.
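The following is an added example written for this article, not code from the original page or from any CSPM product. It runs the kind of posture rules a CSPM tool applies over a constructed inventory containing the misconfigurations described in the Security Misconfiguration section: a world-readable storage bucket without encryption, a security group exposing a database port to the internet, a database with authentication disabled, and an IAM policy allowing every action on every resource. The inventory format is an assumed simplification of what cloud provider APIs return; resource names and the account ID are constructed.

```python
"""Minimal CSPM-style posture checks over a constructed cloud inventory.

Added example for this article, not code from the original page or from any
CSPM product. The inventory format is an assumed simplification; names and
the account ID are constructed.
"""
import ipaddress

INVENTORY = [
    {"type": "s3_bucket", "id": "customer-exports", "encryption": None,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"type": "s3_bucket", "id": "app-logs", "encryption": "AES256",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-writer"},
                               "Action": ["s3:PutObject"],
                               "Resource": "arn:aws:s3:::app-logs/*"}]}},
    {"type": "security_group", "id": "sg-chat-db",
     "ingress": [{"port": 27017, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "database", "id": "chat-mongo", "engine": "mongodb",
     "auth_required": False, "public": True},
    {"type": "iam_policy", "id": "ci-deployer",
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Both `"Principal": "*"` and `{"AWS": "*"}` grant access to anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _world_open(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_bucket(res):
    for st in res["policy"].get("Statement", []):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            yield "HIGH", f"bucket policy grants {_as_list(st['Action'])} to everyone"
    if not res.get("encryption"):
        yield "MEDIUM", "default encryption at rest is not enabled"


def check_security_group(res):
    for rule in res["ingress"]:
        if _world_open(rule["cidr"]):
            yield "HIGH", f"port {rule['port']} is reachable from {rule['cidr']}"


def check_database(res):
    if not res["auth_required"]:
        severity = "CRITICAL" if res.get("public") else "HIGH"
        yield severity, f"{res['engine']} accepts connections without authentication"


def check_iam_policy(res):
    for st in res["document"].get("Statement", []):
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            yield "HIGH", "policy allows every action on every resource"


CHECKS = {"s3_bucket": check_bucket, "security_group": check_security_group,
          "database": check_database, "iam_policy": check_iam_policy}


def scan(inventory):
    """Run every applicable check and return one finding per violated rule."""
    findings = []
    for res in inventory:
        for severity, detail in CHECKS.get(res["type"], lambda r: ())(res):
            findings.append({"resource": res["id"], "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['severity']:8} {f['resource']:18} {f['detail']}")
```

The properly configured `app-logs` bucket produces no finding, while the other four resources produce five. A real CSPM pulls the inventory from the provider APIs continuously and re-evaluates on every change; the value is in the rules being run automatically on every account, not in any single check being clever.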

Preventing Cloud Attacks with Aqua

The Aqua Cloud Native Security Platform empowers you to unleash the full potential of your cloud native transformation and accelerate innovation with the confidence that your cloud native applications are secured from start to finish, at any scale.

Aqua’s platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads across VMs, containers, and serverless functions wherever they are deployed, on any cloud.

Secure the cloud native build—shift left security to nip threats and vulnerabilities in the bud, empowering DevOps to detect issues early and fix them fast. Aqua scans artifacts for vulnerabilities, malware, secrets and other risks during development and staging. It allows you to set flexible, dynamic policies to control deployment into your runtime environments.

Secure cloud native infrastructure—Automate compliance and security posture of your public cloud IaaS and Kubernetes infrastructure according to best practices. Aqua checks your cloud services, Infrastructure-as-Code templates, and Kubernetes setup against best practices and standards, to ensure the infrastructure you run your applications on is securely configured and in compliance. 

Secure cloud native workloads—protect VM, container and serverless workloads using granular controls that provide real-time detection and granular response, only blocking the specific processes that violate policy. Aqua leverages modern micro-services concepts to enforce immutability of your applications in runtime, establishing zero-trust networking, and detecting and stopping suspicious activities, including zero-day attacks.

Amit Sheps
Amit is the Director of Technical Product Marketing at Aqua. With an illustrious career spanning renowned companies such as CyberX (acquired by Microsoft) and F5, he has played an instrumental role in fortifying manufacturing floors and telecom networks. Focused on product management and marketing, Amit's expertise lies in the art of transforming applications into cloud-native powerhouses. Amit is an avid runner who relishes the tranquility of early morning runs. You may very well spot him traversing the urban landscape, reveling in the quietude of the city streets before the world awakes.