McAfee Enterprise and FireEye recently teamed to release their 2022 Threat Predictions. In this blog, we take a deeper dive into cloud security topics from these predictions focusing on the targeting of API services and apps exploitation of containers in 2022.
5G and IoT Traffic Between API Services and Apps Will Make Them Increasingly Lucrative Targets
Recent statistics suggest that more than 80% of all internet traffic belongs to API-based services. It’s the type of increased usage that grabs the attention of threat developers hunting for rewarding targets.
Feature-rich APIs have moved from being just a middleware to applications and have evolved to become the backbone of most modern applications that we consume today. Examples include:
- 5G mobile applications – 5G connectivity and deployment of IoT endpoints have increased dramatically providing higher capacity for broader connectivity needs.
- Internet of Things – More than 30.9 billion IoT devices are expected to be in use worldwide by 2025. The industrial IoT market was predicted to reach $124 billion in 2021
- Dynamic web-based productivity suites – Global cloud-based office productivity software market is expected to reach $50.7 billion by 2026
In most cases, attacks targeting APIs go undetected as they are generally considered as trusted paths and lack the same level of governance and security controls.
The following are some of the key risks that we see evolving in the future:
- Misconfiguration of APIs resulting in unwanted exposure of information.
- Exploitation of modern authentication mechanisms such as Oauth/Golden SAML to obtain access to APIs and persist within targeted environments.
- Evolution of traditional malware attacks to use more of the cloud APIs, such as the Microsoft Graph API, to land and expand. We have already seen evidence of this in the SolarWinds attack as well as other threat actors such as APT40/ GADOLINIUM.
- Potential misuse of the APIs to launch attacks on enterprise data, such as ransomware on cloud storage services like OneDrive, etc.
- The usage of APIs for software-defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.
Gaining visibility into application usage with the ability to look at consumed APIs should be a priority for organizations, with the goal of ultimately having a risk-based inventory of accessed APIs and a governance policy to control access to such services. Having visibility of non-user-based entities within the infrastructure such as service accounts and application principles that integrate APIs with the wider enterprise eco-system is also critical.
For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.
Expanded Exploitation of Containers Will Lead to Endpoint Resource Takeovers
Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. MITRE T1190 has become a common entry vector given that cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. There are numerous past examples in which vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
The Cloud Security Alliance (CSA) identified multiple container risk groups including:
- Image risks
- vulnerabilities
- configuration defects
- embedded malware
- embedded clear text secrets
- use of untrusted secrets
- Orchestrator
- unbounded administrative access
- unauthorized access
- poorly separated inter-container network traffic
- mixing of workload sensitivity levels
- orchestrator node trust
- Registry
- insecure connections to registries
- stale images in registries
- insufficient authentication and authorization restrictions
- Container
- vulnerabilities within the runtime software
- unbounded network access from containers
- insecure container runtime configurations
- app vulnerabilities
- rogue containers
- Host OS Component
- large attack surface
- shared kernel
- improper user access rights
- host file system tampering
- Hardware
How do you protect yourself? Recommended mitigations include bringing security into the DevOps process through continuous posture assessment for misconfigurations, checks for integrity of images, and controlling administrative privileges. Use the Mitre ATT&CK Matrix for Containers to identify gaps in your cloud security architecture.