Cloud Service Providers Risk Landscape
- Tech Man
- Aug 6, 2024
- 12 min read

Executive Summary
This report examines recent publicly reported incidents involving major Cloud Service Providers (CSPs), encompassing both cyberattacks and non-cyberattack disruptions such as service outages. The analysis underscores the multifaceted threats CSPs face and the cascading impact these incidents can have on businesses. The incidents discussed highlight the critical need for robust security measures, proactive incident response, transparent communication, and business continuity planning. The report concludes by emphasizing the shared responsibility of CSPs and their customers in maintaining a secure and resilient cloud environment and offers recommendations for mitigating risks.
Introduction
Cloud computing has transformed business operations by offering scalability, flexibility, and cost-efficiency. However, this increased reliance on cloud services also expands the attack surface for cybercriminals. This analysis focuses on publicly reported incidents related to Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), recognized as leaders in cloud services according to 2022's Magic Quadrant for Cloud Infrastructure and Platform Services (Figure 1).
Figure 1. 2022's Magic Quadrant for Cloud Infrastructure and Platform Services
Recent publicly reported incidents (Figure 2) involving these major Cloud Service Providers (CSPs) have highlighted not only diverse cyber threats but also vulnerabilities from non-cyber incidents, such as the CrowdStrike-Microsoft outage that disrupted businesses globally. These disruptions underscore the critical need for robust business continuity and disaster recovery plans.
Figure 2. Summary of 2024 Cloud Service Incidents
This report examines various incidents affecting CSPs (Figure 3, with details in Annex B), their impacts, and the lessons learned. It also offers recommendations for mitigating risks and enhancing the security and resilience of cloud environments. This report provides situational awareness based on publicly reported incidents gathered from Google News using in-house developed Python scripts that leverage the GoogleNews, langchain and langchain-google-genai libraries (refer to Annex A for more details on the scripts). It does not represent a comprehensive list of all incidents, as some may not be publicly reported.
Figure 3. 2024 Incidents
Lessons Learned
Recent cyber incidents involving CSPs have provided valuable lessons for both CSPs and their customers:
Shared Responsibility: Security in the cloud is a shared responsibility between CSPs and their customers. CSPs are responsible for securing the underlying infrastructure, while customers are responsible for securing their data and applications.
Proactive Incident Response: CSPs need to have robust incident response plans in place to quickly detect, contain, and remediate cyber incidents. Timely communication with customers is also crucial to minimize the impact of incidents.
Transparency and Communication: CSPs should be transparent with their customers about security incidents, providing timely and accurate information about the impact and remediation efforts.
Continuous Monitoring and Improvement: CSPs need to continuously monitor their environments for threats and vulnerabilities and implement improvements to their security posture.
Customer Education and Awareness: CSPs should educate their customers about security best practices and help them understand their role in maintaining a secure cloud environment.
Redundancy and Business Continuity: The reliance on cloud services necessitates robust redundancy and business continuity plans. Organizations should consider multi-cloud or hybrid cloud strategies to mitigate the impact of service outages from a single CSP. The CrowdStrike-Microsoft outage, where the CrowdStrike CEO stepped in to assist affected customers, emphasizes the importance of partnerships and alternative solutions during disruptions.

Mitigations
To mitigate the risks associated with cloud services, the following are some recommended measures to consider:
Strong Authentication and Access Control: Implement multi-factor authentication (MFA) and least privilege access to minimize the risk of unauthorized access.
Encryption: Encrypt data at rest and in transit to protect it from unauthorized access.
Regular Backups: Regularly back up data to ensure that it can be recovered in the event of a cyber incident.
Security Awareness Training: Provide security awareness training to employees and contractors to help them identify and avoid threats.
Incident Response Planning: Develop and test incident response plans to ensure that organizations are prepared to respond to cyber incidents.
Third-Party Risk Management: Assess and manage the risks associated with third-party vendors and suppliers.
Cloud Security Solutions: Leverage cloud security solutions to enhance visibility, detect threats, and automate security processes.
Multi-Cloud or Hybrid Cloud Strategies: Implementing multi-cloud or hybrid cloud strategies can provide redundancy and ensure business continuity in the event of a service outage from a single CSP.
Disaster Recovery Planning: Organizations should develop and test disaster recovery plans to ensure they can quickly recover from service outages or other disruptions.
Regular Testing and Monitoring: Regularly test and monitor cloud environments to identify and address potential issues before they cause service outages.
Conclusion
The growing dependence on cloud services has made Cloud Service Providers (CSPs) a prime target for cybercriminals. Recent incidents highlight the diverse threats CSPs face and the extensive impact these can have. To mitigate these risks, CSPs and their customers must collaborate to implement robust security measures, proactive incident response plans, and transparent communication. By embracing a shared responsibility model and continuously enhancing their security posture, organizations can reap the benefits of cloud computing while minimizing associated risks.
Moreover, the report underscores that risks linked to cloud services extend beyond cyberattacks. Service outages, technical glitches, and other non-cyber incidents can also significantly affect businesses. Therefore, organizations must adopt a comprehensive risk management approach addressing both cyber and non-cyber threats. By integrating robust security measures, proactive incident response plans, and effective business continuity strategies, organizations can maximize the advantages of cloud computing while minimizing potential risks.
Annex A
The data for this report was collected and processed using two main Python scripts:
Script 1: News Article Identification and Date Extraction
Search: The script utilizes the GoogleNews library to search for public reports related to cloud service providers (CSPs), using specific keywords such as "azure cyber incident or cyber attack", "amazon web services cyber incident or cyber attack" and "Google Cloud Platform cyber incident or cyber attack".
Date Extraction: It then extracts the date associated with each search result. However, the date obtained from the search results may not always be accurate due to inconsistencies in how websites present timestamps.
URL Verification: To ensure accuracy, the script visits the URL of each public report to extract the article date directly from the web page.
Filtering: Reports that do not have an accessible article date or have dates outside the relevant time frame are filtered out.
Script 2: Article Summarization and Information Extraction
Text Retrieval: The script visits the URL of each remaining report and retrieves the article text.
Summarization: It leverages the LangChain and LangChain-Google GenAI libraries to automatically summarize the article using Google Gemini generative AI.
Manual Summarization: Articles that cannot be automatically summarized due to the structure of the webpage are manually summarized in generative AI portals like Gemini or ChatGPT.
This two-step process ensures a comprehensive and accurate dataset of publicly reported incidents related to CSPs. The resulting data is then used to analyze trends, identify vulnerabilities, and derive lessons learned for the cloud computing industry.
Annex B
1. Microsoft Azure DDoS Outage

a. Date and Duration: July 30, 2024, nearly 10 hours
b. Cause: Distributed Denial-of-Service (DDoS) cyberattack
c. Amplification: Error in Microsoft's DDoS protection mechanisms amplified the attack's impact
d. Affected Services:
    i. Azure Front Door
    ii. Azure Content Delivery Network
    iii. Azure cloud services
    iv. Microsoft 365 products
    v. Microsoft Purview
    vi. Services such as Azure App Services, Application Insights, Azure portal, and Azure IoT Central
e. Impact:
    i. Service disruption for a subset of Azure customers globally
    ii. Affected businesses, including critical infrastructure, banks, courts, and utilities
    iii. Specific services impacted included Office, Outlook, Starbucks' mobile app, and Minecraft
f. Response and Mitigation:
    i. Initial mitigations and failovers by 14:10 UTC
    ii. Further actions taken around 18:00 UTC to normalize failure rates
    iii. Full recovery by 19:43 UTC
    iv. Preliminary Post Incident Review to be published within 72 hours, and a full report within 14 days
g. Current Status: Most services have returned to normal, with some users in New Zealand still facing issues accessing Microsoft 365 services
h. Additional Information:
    i. Hacktivist group "SN_blackmeta" claimed responsibility for the attack
    ii. DDoS attacks are on the rise, with a 20% year-on-year increase in Q2 2024 and a 112% increase from 2022 to 2023
    iii. Microsoft has identified the source of the DDoS attack and is working on further mitigation
    iv. Microsoft has apologized for the inconvenience and committed to improving cybersecurity measures

2. AWS Outage

AWS experienced a significant outage impacting services across its global network. Users reported issues accessing critical AWS services, including EC2 instances, S3 storage, and RDS databases. Amazon acknowledged the problem, stating they were investigating connectivity issues affecting multiple AWS services and working to resolve them quickly. The outage caused widespread disruptions for businesses relying on AWS for hosting, storage, and various other cloud services, including Amazon's own subsidiaries like Ring, Whole Foods, and Alexa.

3. CrowdStrike-Microsoft Outage

a. Microsoft Azure outage caused flight groundings and disruptions for multiple airlines globally.
b. CrowdStrike CEO George Kurtz stepped in to assist affected customers.
c. The outage was caused by a faulty content update for Windows hosts, not a cyberattack.
d. CrowdStrike emphasized the importance of cybersecurity partnerships in mitigating such disruptions.
e. The incident highlighted the vulnerability of cloud-dependent systems and the need for redundancy and strong cybersecurity measures.

a. Summary:
    i. Discovered by Tenable Research
    ii. Impacts GCP Cloud Functions and Cloud Build services
    iii. Allows attackers to escalate privileges and access other GCP services
b. Discovery and Impact:
    i. Vulnerability occurs when creating or updating Cloud Functions
    ii. Default Cloud Build service account with excessive permissions is attached to the Cloud Build instance
    iii. Attackers can exploit this to gain access to other GCP services (e.g., Cloud Storage, Artifact Registry)
c. Technical Details:
    i. Affects both first- and second-generation Cloud Functions
    ii. Cloud Build service account token is extracted using malicious dependencies
    iii. Example of malicious dependency in package.json file is provided
d. Response and Remediation:
    i. GCP has partially remediated the issue for Cloud Build accounts created after mid-June 2024
    ii. Tenable recommends replacing legacy Cloud Build service accounts with least-privilege service accounts
    iii. Users should monitor and take preventive actions to secure their environments
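A defender-side check for the remediation recommended above (replacing the legacy Cloud Build service account with a least-privilege account). This is an added example, not code from the report, Tenable or Google; the sample IAM policy, the allowed-role list and the replacement account name are constructed assumptions, and the input shape follows the JSON that `gcloud projects get-iam-policy` prints.

```python
"""Flag over-privileged legacy Cloud Build service accounts in a GCP project
IAM policy and rewrite the bindings onto a dedicated least-privilege account.
Added example, not from the report, Tenable or Google.
"""
import copy
import json
import re

# The legacy Cloud Build service account has the form
# PROJECT_NUMBER@cloudbuild.gserviceaccount.com
LEGACY_CLOUDBUILD_SA = re.compile(
    r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles a build account is allowed to hold (assumption for this example).
ALLOWED_BUILD_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/logging.logWriter",
    "roles/artifactregistry.writer",
}
# Primitive roles that grant far more than a build needs.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy: the legacy account holds Editor and Storage Admin
# on top of its default builder role; a dedicated account already exists.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                     "serviceAccount:build-runner@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:build-runner@my-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXConstructed=",
    "version": 1,
})

def _load(policy):
    """Accept either the JSON text from gcloud or an already-parsed dict."""
    return json.loads(policy) if isinstance(policy, str) else policy

def cloudbuild_findings(policy):
    """Return {member: {"broad": [...], "extra": [...]}} for every legacy
    Cloud Build account bound to primitive roles or roles outside the
    allow-list. An empty dict means nothing to report."""
    roles_by_member = {}
    for binding in _load(policy).get("bindings", []):
        for member in binding.get("members", []):
            if LEGACY_CLOUDBUILD_SA.match(member):
                roles_by_member.setdefault(member, set()).add(binding["role"])
    findings = {}
    for member, roles in roles_by_member.items():
        broad = sorted(roles & BROAD_ROLES)
        extra = sorted(roles - ALLOWED_BUILD_ROLES - BROAD_ROLES)
        if broad or extra:
            findings[member] = {"broad": broad, "extra": extra}
    return findings

def move_to_least_privilege_sa(policy, new_sa):
    """Return a copy of the policy in which the legacy account is removed from
    every binding; its allowed build roles are granted to `new_sa` instead and
    any other role it held is simply dropped."""
    policy = copy.deepcopy(_load(policy))
    for binding in policy["bindings"]:
        members = binding["members"]
        if any(LEGACY_CLOUDBUILD_SA.match(m) for m in members):
            members[:] = [m for m in members if not LEGACY_CLOUDBUILD_SA.match(m)]
            if binding["role"] in ALLOWED_BUILD_ROLES and new_sa not in members:
                members.append(new_sa)
    policy["bindings"] = [b for b in policy["bindings"] if b["members"]]
    return policy

if __name__ == "__main__":
    print(cloudbuild_findings(SAMPLE_POLICY))
    fixed = move_to_least_privilege_sa(
        SAMPLE_POLICY, "serviceAccount:build-runner@my-project.iam.gserviceaccount.com")
    print(json.dumps(fixed, indent=2))
```

The rewritten policy is only a proposal to review; applying it still requires `gcloud projects set-iam-policy` and a check that the builds actually need no more than the allow-listed roles.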
a. Affected Azure Services:
    i. Azure Application Insights
    ii. Azure DevOps
    iii. Azure Machine Learning
    iv. Azure Logic Apps
    v. Azure Container Registry
    vi. Azure Load Testing
    vii. Azure API Management
    viii. Azure Data Factory
    ix. Azure Action Group
    x. Azure AI Video Indexer
    xi. Azure Chaos Studio
b. Severity and Impact:
    i. Classified as a Security Feature Bypass issue.
    ii. High severity rating due to impact on data integrity and confidentiality.
    iii. Microsoft Security Response Center (MSRC) rated it as Important and awarded a bounty.
c. Solution and Recommendations:
    i. Microsoft created centralized documentation on usage patterns for service tags.
    ii. Users should add authentication and authorization layers to defend assets.
d. Timeline of Disclosure:
    i. January 24, 2024: Vulnerability disclosed to Microsoft.
    ii. January 31, 2024: MSRC confirms behavior and awards bounty.
    iii. February 26, 2024: MSRC updates documentation and addresses variants.
    iv. June 3, 2024: Coordinated disclosure.
e. Importance:
    i. Highlights the need for robust security measures and continuous monitoring.
    ii. Users should implement additional authentication and authorization layers.

a. Cloud Services Targeted: Amazon AWS, Google Cloud, IBM Cloud, Backblaze B2 Cloud
b. Technique:
    i. Exploitation of the static website hosting feature in cloud storage to store malicious HTML files
    ii. Use of "HTML meta refresh" to redirect users to phishing sites
    iii. Spam emails and SMS messages contain links to these malicious cloud-hosted pages
c. Phishing Process:
    i. Scammers send SMS messages with links to seemingly legitimate cloud-hosted websites
    ii. Clicking the link redirects users to phishing sites disguised as legitimate pages (e.g., bank login pages)
    iii. Aim to steal personal and financial information
d. Examples:
    i. Google Cloud Storage: Attackers create a bucket to host a malicious HTML page using a meta refresh tag for automatic redirection
    ii. Amazon AWS: SMS messages link to static websites hosted on AWS that redirect to malicious sites
    iii. IBM Cloud and Backblaze B2 Cloud: Similar techniques used for hosting phishing sites and redirecting users
e. Impact:
    i. Attackers bypass firewalls and security filters because the initial link originates from trusted cloud providers
    ii. Increased success rate of phishing attempts as users trust links from reputable cloud services
f. Objective: Financial fraud and data theft by stealing personal information through sophisticated phishing schemes
g. Security Recommendations:
    i. Users should be cautious of links in unsolicited SMS messages or emails, even if they appear to be from trusted sources
    ii. Organizations should monitor and secure cloud storage services to prevent misuse
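A detection helper for the technique described above (cloud-hosted HTML whose only job is a meta refresh redirect to another domain), useful when auditing the objects in an organization's own static-website buckets. This is an added example rather than code from the report; the two sample pages and the hosting hostname are constructed.

```python
"""Flag cloud-hosted HTML pages that exist only to meta-refresh a visitor to
another domain. Added example, not from the report; the sample pages and the
hosting hostname are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bare redirect stub of the kind dropped into a storage
# bucket's static website endpoint, and a benign in-site "page moved" notice.
PHISH_PAGE = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://secure-bank-login.example/verify"></head>'
    '<body></body></html>'
)
BENIGN_PAGE = (
    '<html><head><meta http-equiv="refresh" content="5; url=/docs/new-home.html">'
    '</head><body><h1>This page has moved</h1><p>Our documentation now lives under '
    '/docs. You will be redirected in five seconds, or follow the link above.</p>'
    '</body></html>'
)

class MetaRefreshParser(HTMLParser):
    """Collects meta refresh targets and counts the visible text on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.visible_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content has the form "<seconds>; url=<destination>"
        _, _, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if rest.lower().startswith("url="):
            self.targets.append(rest[4:].strip().strip("'\""))

    def handle_data(self, data):
        self.visible_chars += len(data.strip())

def redirect_findings(html, hosting_host, min_visible_chars=50):
    """Return one finding per meta refresh target that leaves `hosting_host`.
    `bare_redirect` is True when the page carries almost no visible text,
    i.e. it is nothing but a hop to somewhere else."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for target in parser.targets:
        # A relative URL stays on the hosting host and is not flagged.
        dest_host = (urlparse(target).hostname or hosting_host).lower()
        if dest_host != hosting_host.lower():
            findings.append({
                "target": target,
                "bare_redirect": parser.visible_chars < min_visible_chars,
            })
    return findings

if __name__ == "__main__":
    for name, page in (("phish", PHISH_PAGE), ("benign", BENIGN_PAGE)):
        print(name, redirect_findings(page, "storage.googleapis.com"))
```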
A new variant of the AllaKore Remote Access Trojan (RAT), named AllaSenha, has been discovered targeting Brazilian bank accounts. This malware employs a multi-stage infection chain that involves phishing emails, malicious LNK files disguised as PDFs, Python scripts, and a Delphi-developed loader. It uses Azure cloud infrastructure for its command and control (C2) communication, which has been active since March 2024.
a. Google Cloud accidentally deleted a $125 billion pension fund's online account due to an incorrect setup.
b. The outage affected 620,000 members and caused concerns about cloud security.
c. CEOs of UniSuper and Google Cloud apologized for the failure.
d. The incident was caused by a misconfiguration that deleted the fund's cloud subscription.
e. Google Cloud has implemented measures to prevent similar incidents.
f. UniSuper restored services using backups from another provider.
g. The incident highlights the importance of strong security and quick response systems in cloud services.
h. UniSuper is working to fully restore services and prevent future incidents.

9. Microsoft Azure Server Exposure

a. Incident Duration: Internal secrets exposed for a month
b. Contents Exposed:
    i. Scripts, source code, and configuration files
    ii. Passwords and credentials for accessing internal databases and systems
    iii. Potential for further attacks and evasion of detection in target networks
c. Security Flaw: Server lacked adequate security and password protection
d. Discovery and Response:
    i. Vulnerability discovered by SOCRadar researchers
    ii. Microsoft notified on February 6, 2024
    iii. Breach secured by Microsoft on March 5, 2024
e. Microsoft's Statement: Credentials were temporary, internally accessible only, and disabled after testing
f. Repercussions:
    i. Could lead to further data leaks and compromised services
    ii. Part of a series of security slip-ups for Microsoft
g. Criticism:
    i. 2023 Exchange Intrusion report criticized Microsoft's lax security culture and risk management
    ii. US Cyber Safety Review Board accused Microsoft of deprioritizing security investments
h. Related Incidents:
    i. 2022 exposure of sensitive login credentials on GitHub by Microsoft employees
    ii. Chinese-backed hack stealing an internal email signing key, accessing inboxes of senior U.S. officials
    iii. Ongoing cyberattack by Russian state-backed hackers stealing source code and internal emails

a. Target: Aerospace, Aviation, and Defense industries in Israel, UAE, Turkey, India, and Albania.
b. Attacker: UNC1549 (linked to Iran-nexus activity)
c. Methods:
    i. Social Engineering: Fake job offers via email and social media.
    ii. Cloud Infrastructure Abuse: Microsoft Azure for command and control (C2).
    iii. Backdoors: MINIBIKE and MINIBUS (deployed since at least 2022).
    iv. Tunneling: LIGHTRAIL (based on the Lastenzug Socks4a proxy).
d. MINIBIKE Malware:
    i. Custom C++ backdoor for exfiltration, command execution, upload, and C2 communication.
    ii. Installed with a launcher and disguised as a legitimate executable.
e. MINIBUS Malware:
    i. More flexible code execution and information gathering than MINIBIKE.
    ii. Features: code execution interface, process enumeration, DLL export, C2 communication, lure themes.
f. Indicators of Compromise (IOCs): Provided in the article for MINIBIKE, MINIBUS, LIGHTRAIL, Fake Job Offers, and C2 & Hosting Infrastructure.
g. Additional Notes:
    i. Attackers used domain names resembling legitimate sites to evade detection.
    ii. This campaign highlights the challenges of defending against cloud-based C2 infrastructure.

a. Scope: Hundreds of accounts affected, including senior executives (VPs, CFOs, CEOs).
b. Discovery: Breach found by Proofpoint researchers.
c. Method of Attack:
    i. Techniques: Credential phishing and cloud account takeover.
    ii. Phishing: Personalized links to malicious phishing webpages.
    iii. MFA Disruption: Possible interference with multifactor authentication.
    iv. Obfuscation: Use of mailbox rules to hide activities.
d. Targets and Impact:
    i. Victims: Senior executives and various employees.
    ii. Access: Compromised accounts provided access to multiple levels of data and resources.
    iii. Financial Motive: Objectives included data theft and financial fraud.
e. Attack Origin:
    i. Suspected Locations: Russia and Nigeria, based on infrastructure and parallels with previous attacks.
f. Criticism and Recommendations:
    i. Microsoft Criticism: Poor security practices leading to multiple breaches.
    ii. Recommendations: Identify account takeovers, monitor suspicious activities, enforce credential changes.
g. Regulatory Response:
    i. US Government: Mandatory disclosure of significant data breaches.

12. Hackers Abusing Google Cloud Run to Deliver Banking Malware

a. Incident: Large-scale malware distribution campaigns abusing Google Cloud Run
b. Target: European and Latin American users
c. Malware Types: Banking trojans such as Astaroth (Guildma), Mekotio, and Ousaban
d. Technique:
    i. Hackers use Google Cloud Run to host malicious webpages and files
    ii. Emails with malicious links are sent, masquerading as invoices or government documents
    iii. Victims clicking on links are redirected to malware hosted on Google Cloud Run
    iv. Malware often delivered as malicious Microsoft Installer (MSI) files
e. Language Focus: Majority of emails in Spanish, targeting LATAM; some Italian-language emails
f. Observed Trends: Increase in related emails after September 2023
g. Example of Impersonated Sender: Emails posing as Argentina's Administración Federal de Ingresos Públicos (AFIP)
h. Malware Delivery:
    i. Google Cloud Run service sometimes redirects to a Google Cloud file location
    ii. Malware often delivered in ZIP archives containing MSI files
i. Malware Capabilities:
    i. Astaroth: Anti-analysis/evasion, logs keystrokes, takes screenshots
    ii. Mekotio: Extracts confidential financial data
    iii. Ousaban: Steals sensitive data from financial institutions
j. Research Insights: Potential cooperation between threat actors, using the same storage bucket for malware distribution
k. Recommendations: Implement robust malware protection to block Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits

a. Russian hackers (Nobelium) targeted Microsoft's corporate systems.
b. Attackers gained access through a password spray attack on a non-production test tenant account without two-factor authentication.
c. Hackers compromised a legacy test OAuth application with elevated access.
d. OAuth applications were used to authenticate to Microsoft Exchange Online and target corporate email accounts.
e. Microsoft discovered the attack on January 12th, 2024, after it began in late November 2023.
f. Hewlett Packard Enterprise (HPE) reported a similar attack from the same group.
g. Microsoft admitted to a lack of two-factor authentication on a key test account, raising concerns in the cybersecurity community.
h. Microsoft claims that current mandatory policies and workflows would prevent such attacks in the future.
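A small detection over constructed sign-in records for the pattern in this incident: one source spraying a single guess across many accounts, then succeeding on an account that has no MFA. This is an added example, not code from the report or Microsoft; the one-event-per-line key=value log format, the addresses and the account names are assumptions.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example, not from the report. The log format is an assumption: one
sign-in event per line, an ISO-8601 timestamp followed by key=value fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries many distinct accounts (one attempt
# each) inside a few seconds and then succeeds on a test account without
# MFA. A second source is an ordinary user who mistypes once and then passes MFA.
SAMPLE_LOG = """\
2024-01-10T03:14:01Z src=203.0.113.7 user=alice@corp.example result=failure mfa=none
2024-01-10T03:14:09Z src=203.0.113.7 user=bob@corp.example result=failure mfa=none
2024-01-10T03:14:15Z src=203.0.113.7 user=carol@corp.example result=failure mfa=none
2024-01-10T03:14:22Z src=203.0.113.7 user=dave@corp.example result=failure mfa=none
2024-01-10T03:14:30Z src=203.0.113.7 user=erin@corp.example result=failure mfa=none
2024-01-10T03:14:41Z src=203.0.113.7 user=legacy-test@corp.example result=success mfa=none
2024-01-10T08:02:10Z src=198.51.100.5 user=frank@corp.example result=failure mfa=none
2024-01-10T08:02:20Z src=198.51.100.5 user=frank@corp.example result=success mfa=app
"""

def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event

def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]

def detect_password_spray(log_text, min_users=5, window=timedelta(hours=1)):
    """Return {src: sorted users} for every source whose failed sign-ins hit
    at least `min_users` distinct accounts inside a sliding `window`.
    Counting distinct accounts rather than raw failures is what separates a
    spray (one guess, many accounts) from a user mistyping their password."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for ev in _events(log_text):
        if ev["result"] == "failure":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def successes_without_mfa(log_text, sources):
    """Successful sign-ins from flagged sources that completed with no MFA
    step: the accounts to disable and review first."""
    return [(ev["src"], ev["user"]) for ev in _events(log_text)
            if ev["src"] in sources and ev["result"] == "success" and ev["mfa"] == "none"]

if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_LOG)
    print("spray sources:", spray)
    print("no-MFA successes from those sources:", successes_without_mfa(SAMPLE_LOG, spray))
```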