Professional Documents
Culture Documents
Horizons
September 2022 Threat Horizons Report
September 2022
For more information, visit gcat.google.com
Threat Horizons
For more information, visit gcat.google.com
Table of contents
Mission statement 03
Summary
View from the frontlines: Threat actors use weak or 06
compromised creds to target SSH, WordPress in Q2
Threat trends
Social engineering campaign disrupted and moved off of Google 08
2
Threat Horizons
For more information, visit gcat.google.com
Mission statement
The Google Cloud Threat Horizons Report
brings decision-makers strategic intelligence
on current and likely future threats to cloud
enterprise users and the best original
cloud-relevant research and security
recommendations from across Google’s
intelligence and security teams.
3
Threat Horizons
For more information, visit gcat.google.com
4
Threat Horizons
For more information, visit gcat.google.com
In many cases, these networks will be targeted with Moving infrastructure to the cloud can improve
a common tool set, with operations launched from resilience as enterprises gain visibility into their
some overlapping infrastructure. They might even have own systems and defense strategies can be
developed their own 0-day exploits in an attempt to deployed more reliably than on-premises
gain access to as many critical targets as possible techniques. The defensive advantages of scale in
before victims patch their systems. As we have seen the cloud also apply to stopping less sophisticated
in recent years with log4j and Microsoft Exchange but more widespread threats from cybercriminals,
vulnerabilities, state-sponsored actors are also skilled skilled individuals, and less-spectacular nation-
at rapidly adapting new vulnerabilities discovered by state efforts. Distributed denial-of-service attacks,
others for their own purposes. especially if targeted against time-critical services
or on key dates, can cause significant financial
What this means for network defenders is simple: damage. To paraphrase National Cyber Director
Because these adversaries are attempting to operate Chris Inglis, we want to create a situation where
at scale and as part of a larger intelligence apparatus, threat actors have “to beat all of us to beat any
threat-intelligence sharing and patching impairs the of us.”
scale at which even the most sophisticated threat
groups can gain access with their latest tools. Attackers Christopher Porter is the Head of Threat
might feel confident that they can gain access to any Intelligence for Google Cloud.
particular victim with a new exploit, but the very power
and usefulness of that exploit means they also face
high opportunity costs: if their first targets rapidly warn
other would-be targets, who then inoculate themselves,
those future operations won’t be as successful.
5
Threat Horizons
For more information, visit gcat.google.com
Summary
6
Threat Horizons
For
Formore
moreinformation,
information visit gcat.google.com
Threat trends
7
Threat Horizons
For more information, visit gcat.google.com
8
Threat Horizons
For more information, visit gcat.google.com
9
Threat Horizons
For more information, visit gcat.google.com
B. VT also found over 1 million signed malware Such techniques can impact Cloud clients. We reviewed
samples, 87% of which were signed via legitimate various Google-related VT data in the context of
certificates (the rest used revoked certificates, and the techniques described above. We found seven
so on). Apparently, attackers often fraudulently malware packages that included the Cloud-executable
accessed signing workflows or signing authorities GoogleCloudSDKInstaller.exe, which installs the Google
to sign their code – increasing the likelihood of its Cloud CLI capability on Windows machines.
downstream acceptance.
10
Threat Horizons
For more information, visit gcat.google.com
Here is VT data from one such package, Synaptics.exe, by” authenticated users. Using logged-in employees as,
and the legitimate GoogleCloudSDKInstaller.exe as one effectively, “conduits,” malware could mount Cross-Site
of its dropped files. Request Forgery-type attacks via HTTP, CLI, or similar
channels, undermining Cloud resources. Use vigilance
We found several Google non-Cloud examples of such regarding the techniques discussed in the VT report.
“file inclusion” in our VT data searches as well. Other
legitimate Cloud files could also be packaged with other
malicious installers.
11
Threat Horizons
For more information, visit gcat.google.com
12
Threat Horizons
For more information, visit gcat.google.com
13
Threat Horizons
For more information, visit gcat.google.com
1
Rascagneres, Paul, and Thomas Lancaster. “SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT.”” Volexity, Jul 28, 2022, https://www.volexity.com/blog/2022/07/28/
sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/. Accessed Aug 9, 2022.
2
Lee, Taewoo, et al. “Kimsuky, STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima, Group G0094 | MITRE ATT&CK®.” MITRE ATT&CK®, Aug 26, 2019, https://attack.mitre.org/groups/
G0094/. Accessed Aug 9, 2022.
3
Goodin, Dan. “North Korea-backed hackers have a clever way to read your Gmail.” Ars Technica, Aug 3, 2022, https://arstechnica.com/information-technology/2022/08/north-korea-backed-
hackers-have-a-clever-way-to-read-your-gmail/. Accessed Aug 9, 2022.
14
Threat Horizons
For more information, visit gcat.google.com
Observations
In this case, the initial infection vector is via phishing 4. Expected and trusted application. Access
and results in the installation of a developer-mode requests are only submitted as part of an access to
browser extension which, through a DevTools a web app, browser plugin, or similar that the user
workaround, has its security warnings suppressed and intends to access. Hence, the access request is
targets a user’s cloud-accessed data (such as online expected and has high trust with the user.
email applications). 5. Third-party data leakage. Apps and browser
extensions that leverage these permissions may
While this malware specifically targets certain resources also be retaining user account data to third-party
(Gmail and AOL mail), this is a design feature to reduce hosting, resulting in unintended data leaks.
the likelihood of detection and need not be so targeted.
6. Single point of access and failure. The potential
The value of this method is to embed with the browser,
breadth of an SSO compromise is vast and, without
which maintains the SSO and allows permission to the
swift remediation, can result in an unknown level
apps to leverage that access. This could theoretically
of compromise as the attacker can access a wide
be achieved with any application and it is assessed
range of company infrastructure and data.
that future Trojans may use similar techniques to evade
detection and inherit the valuable SSO accesses. 7. Lack of user awareness. Depending on the initial
infection vector, the user may be unaware of the
4
Rascagneres, Paul, and Thomas Lancaster. “SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT.”” Volexity, 28 July 2022, https://www.volexity.com/blog/2022/07/28/
sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/. Accessed 9 August 2022.
15
Threat Horizons
For more information, visit gcat.google.com
Mitigations
1. Raise user awareness. We are yet to normalize
user awareness around SSO access permissions to
the same level as link verification in phishing emails,
and it is an important addition to any SSO-enabled
environments’ user security training.
2. SSO account and access monitoring. It is vital
to implement effective monitoring of SSO account
activity and automated remediation methods as
a standard in order to detect and remediate SSO
account compromise.
3. Managing SSO-enabled software installation.
Avoid allowing installation of unvetted software
on corporate devices that could erroneously
request user access permissions. Manage such
software through centralized software provisioning
processes that allow for the verification of
legitimate software, and regularly review and verify
installed software. Zero-trust environments such as
BeyondCorp Enterprise implement these sorts of
policies at a fundamental level.
4. Enterprise browser management. This attack, as
with many that target the browser, succeeds due
to stealthy manipulation of the users’ settings and
the ability to run scripts based on browser activity.
Correctly configured, implementing an enterprise-
wide browser management solution (such as
that implemented in Chrome Enterprise) can
help prevent the successful running of malicious
extensions.
16
Threat Horizons
For more information, visit gcat.google.com
security reviews and a The goal is to use the cloud’s scalability, analytics,
and other features. But security issues can arise
data discovery process without appropriate IT governance:
5
Ermetic, “IDC Survey Report: State of Cloud Security 2021,” Ermetic [web survey access], 2021, https://l.ermetic.com/wp-idc-survey-results-2021, (accessed May 12, 2022).
6
Gatlan, Sergiu, “FBI warns of MFA flaw used by state hackers for lateral movement,” BleepingComputer, Mar 15, 2022, https://www.bleepingcomputer.com/news/security/fbi-warns-of-
mfa-flaw-used-by-state-hackers-for-lateral-movement/, (accessed Jul 29, 2022).
17
Threat Horizons
For more information, visit gcat.google.com
• According to a security publication, and security examined the financial implications stemming from
vendor TrendMicro, in 2021, cybercriminal certain cloud architecture choices. For instance:
group TeamTNT launched a campaign against • The NY Department of Financial Services
misconfigured Docker REST APIs exposed in (NYDFS) Cybersecurity Regulation, 23 NYCRR
many public cloud instances. 7 Exploiting weak 500, requires banks, insurance companies, and
API passwords, promiscuous instance firewall other financial institutions operating in NY State
rules, and other flaws, the threat actor pulled and to maintain an information security program.
installed malicious container images from the Providing sufficient funding to implement
Docker Hub central repository into these cloud modern data security standards, maintaining
instances. The malicious container code then an incident response process, and other tenets
tried stealing AWS login credentials, installed are the requirements. If there is a breach due to
cryptomining software, and tried other means improper implementation of such requirements,
of VM/container abuse. By late 2021, 150K of financial penalties can rise to $1,000 per user
TeamTNT’s malicious images were downloaded per violation – which could be significant if many
via Docker Hub, suggesting relatively widespread users or records are compromised. In June 2022,
compromise. for example, the NYDFS fined several Carnival
• In a Q4 2021 security-industry survey sponsored Cruise Line companies (CCLC) a total of $5M.
by vendor CyberArk, security leaders indicated During years 2019-2021, CCLC was impacted by
that over 80% of an organization’s internal ransomware, phishing, and other data breaches
applications – including Google Cloud and other and a NYDFS examination indicated that CCLC
cloud-based platforms such as AWS, Salesforce, lacked MFA processes, procedures for monitoring
and ServiceNow – experienced access abuse from unauthorized network traffic, and other key
internal staff over the past 12 months.8 security controls.9
• Without a data oversight process, a firm may
also overspend on data storage. If data-access
Regulatory and business risk frequency is not examined, companies may
Improper cloud oversight leads to regulatory and store data in a CSP’s more expensive “standard”
business risks, too. Some organizations have not storage tier. However, storing infrequently used
devoted proportional security resources to understand data in the “cold” or “archive” storage tiers would
corresponding vulnerabilities. For example, they may cost less. It costs more to retrieve data from such
forget that operations by low-skill cybercriminal groups tiers, but storing infrequently used data in such
can lead to much larger fines on the organization than tiers leads to considerably higher savings overall.
potentially anticipated. Or organizations might not have
7
Gatlan, Sergiu, “Cryptojacking worm steals AWS credentials from Docker systems,” BleepingComputer, Aug 18, 2020, https://www.bleepingcomputer.com/news/security/cryptojacking-worm-
steals-aws-credentials-from-docker-systems/, accessed Jul 27, 2022; and Trend Micro Research, “Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT,” TrendMicro,
Nov 9, 2011, https://www.trendmicro.com/en_us/research/21/k/compromised-docker-hub-accounts-abused-for-cryptomining-linked-t.html, accessed Jul 26, 2022.
8
CyberArk, “CyberArk Research: Lack of Security Controls and Visibility Into User Activity Continue to Put Organizations at Risk,” CyberArk, Nov 2, 2021, https://www.cyberark.com/press/cyberark-
research-lack-of-security-controls-and-visibility-into-user-activity-continue-to-put-organizations-at-risk/. Accessed Jul 12, 2022.
9
Peter Baldwin, Bob Mancuso, and Jane Blaney, “New York Department of Financial Services Announces $5 Million Penalty in Most Recent Cybersecurity Enforcement Action,” Faegre Drinker
Biddle & Reath LLP, Jul 11, 2022, https://www.discerningdata.com/2022/new-york-department-of-financial-services-announces-5-million-penalty-in-most-recent-cybersecurity-enforcement-action/.
Accessed Sep 2, 2022.
18
Threat Horizons
For more information, visit gcat.google.com
Providing governance
Appropriate cloud governance can address the risks This process matches the effort of application
discussed earlier. As data volumes and application security reviews to the risk that different
capabilities grow, cloud administrators are interested in workloads present. It also permits data to be
understanding: annotated with its “characteristics” (like backup
• The cloud data’s location, including the projects it is locations, and so on), and redacted – at a
being shared with regular cadence. This kind of an approach (with
suggested Google Cloud tools mentioned on the
• If the data contains any sensitive information, and
next page), lets IT owners:
how data contents are changing over time
• Keep enterprise asset and application
• If applications and workloads are implementing
inventories (for example: CMDB) up to date
appropriate security controls, given data
classifications, including providing support for • Keep data classifications current, including
regulations – like data residency – as required as sensitive data is added/removed from
repositories
Application security reviews, which examine application
architecture, data security controls, likely threat • Align application security controls – including
scenarios, and similar aspects can answer such queries. data redaction – to better-understood
However, given the considerable manual effort involved, information security risks, including
such assessments are performed less frequently and adhering to regulations such as data-breach
on a smaller number of key applications. When there notification laws when in-scope data has been
are many applications to examine, or for real-time identified
monitoring, a more automated security process should
be created.
19
Threat Horizons
For more information, visit gcat.google.com
10
Research Signals, “Cybersecurity factors powered by BitSight,” IHS Markit, Mar 31, 2022, https://cdn.ihs.com/www/blog/Cybersecurity-factors-powered-by-BitSight.pdf, (Accessed Jul 14, 2022).
20
Threat Horizons
For more information, visit gcat.google.com
21
Threat Horizons
For more information, visit gcat.google.com
11
Galloway, Jeremy, and Mitre. “Compromise Infrastructure, Technique T1584 - Enterprise | MITRE ATT&CK®.” MITRE ATT&CK®, Apr 20, 2022, https://attack.mitre.org/techniques/T1584/.
Accessed Aug 8, 2022.
12
Kopeytsev, Vyacheslav, and Seongsu Park. “Lazarus targets defense industry with ThreatNeedle.” Securelist, Feb 25, 2021, https://securelist.com/lazarus-threatneedle/100803/. Accessed
Aug 8, 2022
22
Threat Horizons
For more information, visit gcat.google.com
Key risks
The combination of techniques provides several
advantages to the attacker:
1. Legitimate access credentials. The initial
compromise leverages existing credentials, which
makes it difficult to differentiate from legitimate
admin access.
2. Cloud-access keys in public code repositories.
While capabilities to protect access credentials
exist for cloud (such as Google Cloud Secret
Manager), they are not always implemented
in infrastructure-as-code deployments and
credentials may be exposed through public code
repositories.
3. Customization of onward attack. With cloud
admin access, the fake web server (or equivalent
infrastructure) can be customized to further
obfuscate the malicious activity or improve the
technical implementation of the attack, increasing
the chances of successful compromise.
4. Stealthy pre-positioning. Once initial cloud
admin access is confirmed – provided that the
admin credentials are not changed – there is very
little detectable “presence” of the attacker in the
environment, which could allow them to remain
hidden for long periods.
5. Maskable persistence. Cloud infrastructure
provides an additional layer of persistence options
for an attacker as they can create cloud access
accounts, account reset options, and – as a
fallback – traditional persistence on new network
infrastructure (such as the new fake web server).
The increased scope of access and low
detectable presence increases the complexity
of persistence detection.
23
Threat Horizons
For more information, visit gcat.google.com
Observed events
A recent incident we tracked observed threat actors
leveraging compromised service-account credentials
to abuse targets’ infrastructure by provisioning cloud
resources. These resources can be used for any
purpose, including but not limited to cryptomining,
hosting malicious content, or pre-positioning for an
onward attack.
Figure 2. CPU resource usage over time showing a threat actor provisioning cloud resources in a customer environment using stolen
service-account credentials.
24
Threat Horizons
For more information, visit gcat.google.com
Mitigations
Taking the time to implement good security
configuration in cloud environments is vital:
• Set up private connectivity for your service
accounts so that, even if compromised, your
service-account credentials can only be accessed
through approved connections and connectivity
is restricted from IP ranges not in pre-approved
ranges
• Maintain a policy of least privileged access for all
of your accounts, including service accounts, to
reduce the impact of a successful compromise
• Monitor for leaked service-account credentials in
public code repositories and similar data stores
where cloud API development may occur
• Ensure that service-account credentials are
treated with appropriate levels of protections:
Encourage best-practice Secret Manager usage
for development work and ensure that developer
workflows avoid leaking those credentials to public
repositories
• As a further indicator of anomalous activity, ensure
appropriate budget alerts to signal where your
organization may be billed for resources that it did
not use
25
Threat Horizons
For more information, visit gcat.google.com
26
Threat Horizons
For more information, visit gcat.google.com
3.01 Changes made to logging settings Audit Logs - Admin Activity T1562.008
of permissions and can give attackers the ability to and permissions for accounts that are suspended
delete log sinks, filter logs, delete the log bucket, or deleted. Orphaned accounts with IAM roles and
or exfiltrate log data. Following the principle of permissions create more opportunities for attackers
least privilege, utilize either pre-defined roles and to achieve lateral movement within an organization.
permissions for Cloud Logging or create custom roles
with fine-grained permissions – rather than using the
available basic roles. When using a group for IAM rules,
organizations should implement a directory-syncing
mechanism with their source of truth to remove access
27
Threat Horizons
For more information, visit gcat.google.com
28
Threat Horizons
For more information, visit gcat.google.com
29