As more and more firms move to the Cloud, it has become a prime target for hackers. Cloud account hijacking is one such attempt to seize control of Cloud services for malicious purposes. So, understanding the risks and taking preventive measures to defend against Cloud account hijacking is essential.
What is Cloud Account Hijacking?
Cloud account hijacking is a common technique in identity theft schemes. It refers to unauthorized access to a Cloud account that is critical to the operation, administration, or maintenance of a Cloud environment.
This can include subscriptions or other accounts that, if misused, can cause unwanted disruption in the Cloud environment.
During Cloud account hijacking, the hacker typically impersonates the account owner using a compromised email account or other stolen credentials.
How Does Cloud Account Hijacking Occur?
Cloud account hijacking can occur in several ways:
- Passwords can be lost or stolen because of weak passwords or poor password protection. If users reuse the same password for applications or services outside of work, a breach of one of those applications can expose the Cloud console password.
- Credentials can be mishandled, for example by embedding passwords in application source code or storing them on file systems or in storage buckets.
- Attackers can attempt to actively harvest credentials through phishing, malware, brute force, or credential stuffing.
Even when no credential is lost or stolen, this kind of account access remains a high-value target for attackers. They may use alternative methods, such as clickjacking, to subvert a Cloud provider's authentication model without directly compromising a credential.
Large Cloud providers defend against some of these attacks with tactics such as response headers that control how their pages may be rendered. Smaller providers may not offer the same level of protection.
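The rendering control mentioned above is, in practice, the X-Frame-Options header and the CSP frame-ancestors directive. The following is an added example, not code from the article or from any provider, that classifies a login page's response headers so a reviewer can see whether cross-site framing is blocked; the provider names and header sets are constructed samples.

```python
def framing_policy(headers):
    """Return 'blocked', 'restricted', or 'open' for one response's headers.

    Browsers honour Content-Security-Policy frame-ancestors over
    X-Frame-Options when both are present, so CSP is evaluated first.
    'blocked' means no cross-origin page may frame this one.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {s.lower() for s in tokens[1:]}
            if not sources or sources == {"'none'"}:
                return "blocked"       # nobody may frame the page
            if sources == {"'self'"}:
                return "blocked"       # only the same origin may frame it
            return "restricted"        # framing allowed from the listed origins
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    return "open"                      # ALLOW-FROM is obsolete; treat as unprotected


# Constructed sample responses for four hypothetical login pages.
SAMPLE_RESPONSES = {
    "provider-a": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                   "X-Frame-Options": "DENY"},
    "provider-b": {"X-Frame-Options": "SAMEORIGIN"},
    # CSP wins here, so the partner origin may still frame the page despite DENY.
    "provider-c": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
                   "X-Frame-Options": "DENY"},
    "provider-d": {"Content-Type": "text/html"},
}


def audit(responses):
    """Map each page to its verdict; anything other than 'blocked' needs review."""
    return {name: framing_policy(hdrs) for name, hdrs in responses.items()}
```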
Ways to Prevent Cloud Account Hijacking
- Enforce Multi-Factor Authentication (MFA)
MFA requires users to verify their identity using two or more methods before they can access resources in Cloud applications. Firms should combine MFA with strong password policies to prevent common Cloud hijacking activities.
If implementing MFA is difficult for a Cloud application, firms must set a policy that encourages employees to call and verify that the person requesting a wire transfer is legitimate. Moreover, firms must consider the various methods of automated access to Cloud tools.
These include TLS mutual authentication certificates for web APIs, authentication tokens, and API keys. It is crucial to understand how someone can log in via the console or programmatically and take necessary protective measures for each access method.
- Segregate Access Duties
Some teams need access to the payment and billing sections of a Cloud provider's console, but do they also need to create new storage buckets, launch new virtual instances, or change functions running in a serverless PaaS?
Similarly, teams that manage objects in an IaaS environment may not need access to detailed billing records. So it is best to remove unnecessary access as far as the Cloud provider's access model allows.
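One way to check for the duty mixing described above is to map IAM actions to duty domains and flag any policy that reaches more than one. This is an added example, not the article's or AWS's code; DUTY_DOMAINS is a hypothetical mapping (the action names are real IAM actions) and both policy documents are constructed.

```python
import fnmatch
import json

# Hypothetical mapping from IAM action patterns to the duties the article separates.
DUTY_DOMAINS = {
    "billing": ["aws-portal:*", "ce:*", "budgets:*"],
    "compute": ["ec2:RunInstances", "lambda:*"],
    "storage": ["s3:CreateBucket", "s3:PutBucketPolicy"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(granted, pattern):
    """True if a granted action string reaches the given duty pattern."""
    g, p = granted.lower(), pattern.lower()
    # Either the granted action falls under the pattern (ce:GetCostAndUsage vs ce:*)
    # or the granted action is a wildcard that swallows it (ec2:* vs ec2:RunInstances).
    return fnmatch.fnmatchcase(g, p) or fnmatch.fnmatchcase(p, g)


def granted_domains(policy):
    """Return the set of duty domains that a policy document allows."""
    domains = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for domain, patterns in DUTY_DOMAINS.items():
                if any(_covers(action, p) for p in patterns):
                    domains.add(domain)
    return domains


def segregation_violations(policy):
    """A policy reaching more than one duty domain mixes responsibilities."""
    domains = granted_domains(policy)
    return sorted(domains) if len(domains) > 1 else []


# Constructed policies: a finance role that was also handed EC2 launch rights,
# and a least-privilege finance role.
MIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["aws-portal:ViewBilling", "ce:GetCostAndUsage"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}
  ]
}""")
FINANCE_ONLY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*"}}
```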
- Trust but Verify
As with internal accounts, it is essential to validate that access levels are correct. Establishing termination and job change procedures is critical so that access is modified accordingly when individuals leave or switch roles.
Additionally, regular audits of credential usage are needed to confirm that credentials are being used appropriately. Existing tools, such as privileged identity management (PIM), are worth considering in the organization's access strategy.
PIM tools can keep track of credential use, while Cloud access security broker tools can assist in logging console access.
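The credential usage audit described above can be run over access logs. The following is an added example, not code from the article or from any PIM product: it takes a constructed access-key inventory and constructed CloudTrail-style events (the key ids are placeholders) and reports keys that have gone unused and keys suddenly used from a source IP never seen for them before.

```python
from datetime import datetime, timedelta

# Constructed inventory and events; key ids are placeholders, not real keys.
NOW = datetime(2024, 6, 1)
KEY_OWNERS = {
    "AKIAEXAMPLE0000ALICE": "alice",
    "AKIAEXAMPLE000000BOB": "bob",
    "AKIAEXAMPLE0000CAROL": "carol",
    "AKIAEXAMPLE0000DAVE0": "dave",   # issued but never used
}
EVENTS = [
    {"t": "2024-03-01T09:00:00", "key": "AKIAEXAMPLE0000ALICE", "ip": "203.0.113.10", "event": "ListBuckets"},
    {"t": "2024-05-30T10:00:00", "key": "AKIAEXAMPLE0000ALICE", "ip": "203.0.113.10", "event": "ListBuckets"},
    {"t": "2024-01-15T12:00:00", "key": "AKIAEXAMPLE000000BOB", "ip": "203.0.113.20", "event": "GetCallerIdentity"},
    {"t": "2024-04-10T08:30:00", "key": "AKIAEXAMPLE0000CAROL", "ip": "203.0.113.30", "event": "DescribeInstances"},
    {"t": "2024-05-29T02:15:00", "key": "AKIAEXAMPLE0000CAROL", "ip": "198.51.100.7", "event": "CreateAccessKey"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def stale_keys(owners, events, now, max_idle_days=90):
    """Keys with no recorded use inside the idle window: candidates for removal."""
    last_use = {}
    for e in events:
        last_use[e["key"]] = max(last_use.get(e["key"], datetime.min), _ts(e["t"]))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(k for k in owners if last_use.get(k, datetime.min) < cutoff)


def new_source_ips(events, baseline_end):
    """Uses of a key from an IP that key was never seen on before baseline_end."""
    baseline = {}
    for e in events:
        if _ts(e["t"]) < baseline_end:
            baseline.setdefault(e["key"], set()).add(e["ip"])
    flagged = [(e["key"], e["ip"], e["event"]) for e in events
               if _ts(e["t"]) >= baseline_end and e["ip"] not in baseline.get(e["key"], set())]
    return sorted(flagged)


def audit(owners=KEY_OWNERS, events=EVENTS, now=NOW, baseline_days=30):
    """Combine both checks into one report keyed by owner for the reviewer."""
    stale = {owners[k]: k for k in stale_keys(owners, events, now)}
    moved = [(owners[k], ip, ev)
             for k, ip, ev in new_source_ips(events, now - timedelta(days=baseline_days))]
    return {"stale": stale, "new_source_ip": moved}
```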
- Enforce the Zero Trust Principles
Zero Trust is a security concept that treats all networks, devices, and users as untrusted. All users must authenticate their identity before being granted access to corporate files and resources.
A key element of Zero Trust is the principle of least privilege, which ensures that employees are given only the minimum level of corporate access needed to perform their jobs. This limits what a hacker who takes over an employee's account can reach, making it harder for them to steal sensitive data.
- Use a SaaS Data Loss Prevention (DLP) Solution
Identity and access management (IAM) principles are crucial for securing Cloud applications. However, relying on IAM alone is not enough. The IAM strategy should be combined with a stronger approach to Cloud security management that focuses on access control at the data level.
A robust DLP solution provides real-time visibility into user behavior and data movement in the Cloud.
It helps monitor user activity and uses automation and pattern recognition to detect and prevent suspicious behavior. Also, DLP uses predefined policies to identify, classify, and protect unstructured data across the Cloud applications, ensuring that only authorized and verified users can access sensitive data.
Case Studies
- Imperva
In 2019, Imperva, a cybersecurity provider, revealed that attackers had stolen customer data by exploiting a misconfigured AWS instance. The company stated that the attackers used an admin API key found in one of the company's AWS accounts.
This enabled the attackers to access a database snapshot containing email addresses and passwords. The breach exposed customer data, including email addresses, hashed and salted passwords, and TLS and API keys.
The company explained that the exposure of customer data happened because of these errors:
- While evaluating AWS, Imperva had created a database snapshot for testing.
- Even though it contained an AWS API key, Imperva had made an internal compute instance accessible to the public.
- Hackers compromised the compute instance and stole the AWS API key. They used the AWS API key to access the database snapshot and all its data.
Since the incident, Imperva has enhanced its security protocols.
- The company applied tighter security access controls and increased the audit of snapshot access.
- It decommissioned inactive compute instances and put all internal compute instances behind its VPN by default.
- It rotated credentials, strengthened its credential management processes, and increased the frequency of infrastructure scanning.
- Uber
In 2022, Uber, a ride-sharing company, revealed that in 2016 hackers had stolen the personal data of over 50 million passengers and 600,000 US driver records.
The hackers could access Uber's GitHub repository because the company had not enforced MFA. The repositories contained AWS credentials, which the attackers used to access Uber's AWS S3 data stores.
Uber stated that it took immediate steps to secure the data and shut down further unauthorized access at the time of the incident. It identified the individuals and sought assurances that the data had been destroyed.
They also enforced security measures to restrict access and strengthen controls on their Cloud-based storage accounts.
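Both case studies, and the earlier point about credentials embedded in source code or left on file systems and in snapshots, come down to key material sitting in text where it does not belong. The following is an added example, not the article's or any vendor's scanner: it finds AWS access key ids and secret access keys in file contents and reports them masked, so the report itself never leaks a live secret. The file contents are constructed; the key values are the placeholder keys from AWS's own documentation, not real credentials.

```python
import math
import re

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-style characters; require a nearby hint word
# so that ordinary hashes and tokens are not reported.
SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret|secret_?access)[^\n]{0,20}?['\"= :]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    """Never echo a live secret into a report: keep a short prefix for triage only."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, source, min_entropy=3.5):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, lineno, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:   # drop low-entropy look-alikes
                findings.append((source, lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


# Constructed samples: a settings file committed to a repository, and a dump of
# a database snapshot that holds an admin key in a settings table.
CONSTRUCTED_SOURCE = """\
# settings.py accidentally committed to the repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
LOG_PREFIX = "AKIAnotAKeyBecauseLowercase"
# docs placeholder, low entropy: aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""
CONSTRUCTED_SNAPSHOT = """\
INSERT INTO settings VALUES ('admin_api_key', 'AKIAI44QH8DHBEXAMPLE');
INSERT INTO settings VALUES ('password_hash', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');
"""


def scan_samples():
    return scan_text(CONSTRUCTED_SOURCE, "settings.py") + scan_text(CONSTRUCTED_SNAPSHOT, "snapshot.sql")
```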
Conclusion
According to CrowdStrike's 2024 Global Threat Report,
- Cloud-conscious cases increased by 110% YoY
- Cloud environment intrusions increased by 75% YoY
- From 2022 to 2023, Cloud-conscious cases increased by 110%, and Cloud-agnostic cases increased by 60%.
While Cloud providers take significant initiatives to prevent account hijacking, it remains a common issue faced by users of Cloud computing networks.
However, firms can protect themselves against security threats from hackers or intruders by enforcing proactive measures such as establishing protocols, using two-factor authentication, managing encryption, and monitoring proactively.
Also, understanding the security policies and service level agreements (SLAs) of the Cloud provider before signing up for a Cloud network can help users prevent unauthorized access to their accounts.