Q&A: Sophos poll shows how attackers are taking advantage of cloud migration to wreak havoc

By Byron V. Acohido

Cloud migration, obviously, is here to stay.


To be sure, enterprises continue to rely heavily on their legacy, on-premises datacenters. But there’s no doubt that the exodus to a much greater dependency on hybrid cloud and multi-cloud resources – Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) – is in full swing.

Now comes an extensive global survey from Sophos, a leader in next generation cybersecurity, that vividly illustrates how cybercriminals are taking full advantage. For its State of Cloud Security 2020 survey, Sophos commissioned the polling of some 3,500 IT managers across 26 countries in Europe, the Americas, Asia Pacific, the Middle East, and Africa. The respondents were from organizations that currently host data and workloads in the public cloud.

Sophos found that fully 70% of organizations experienced a public cloud security incident in the last year. Furthermore, 50% encountered ransomware and other malware; 29% reported incidents of data getting exposed; 25% had accounts compromised; and 17% dealt with incidents of crypto-jacking. The poll also showed that organizations running multi-cloud environments were 50% more likely to suffer a cloud security incident than those running a single cloud.

Those findings were eye-opening, yes. But they were not at all surprising. Digital commerce from day one has revolved around companies bulling forward to take full advantage of the wondrous decentralized, anonymous characteristics of the Internet, which began as a military-academic experiment.

Corporations became obsessed with squeezing productivity out of an intrinsically insecure construct — and threat actors became expert at quickly pouncing on fresh attack vectors opened up by this obsession. And now we have that same pattern playing out, once more, with cloud migration.

Deeper implications

Last Watchdog had the chance to drill down on the deeper implications of Sophos’ cloud security findings, as well as its recent report – The State of Ransomware 2020 – with two of its top experts, Paul Murray, senior director of product management in Sophos’ Public Cloud Security Group, and John Shier, senior security advisor. Here are excerpts of our discussion, edited for clarity and length:

LW: Can you frame how threat actors view the current trajectory of cloud migration?

Murray: In the eyes of the adversary, cloud migration brings their targets one step closer, introducing the potential for them to search for and target a larger and more dispersed attack surface area over the Internet. Organizations are typically very aware of physical security measures. However, in the transition to the cloud, the management plane itself is now accessible from anywhere, and organizations need to ensure their configurations are implemented securely in order to prevent discovery by attackers.

LW: So what are cyber criminals focusing on at the moment?

Murray: Attackers are going after the low-hanging fruit. New cloud PaaS services, such as shared storage, containers, database services and serverless functions, etc., typically cannot have a security agent running on them, so it’s left up to the organization to securely configure these services.

You won’t have to look far to find stories of Amazon S3-related data breaches caused by misconfiguration, where S3 security settings were set to ‘Public.’ AWS has even released an update to keep customers from running afoul of this, one of the biggest causes of cloud data breaches. And shared storage breaches are by no means limited to Amazon customers.
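As an added illustration of the ‘Public’ misconfiguration Murray describes (example code, not Sophos’ or AWS’s), the following Python evaluates a bucket’s policy, ACL and S3 Block Public Access settings together and reports only the exposure that is actually effective. Field names follow the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses; the bucket data is constructed inline rather than fetched from AWS.

```python
# Predefined S3 groups whose ACL grants make a bucket or object public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):  # policy fields may be a bare string or a list
    return value if isinstance(value, list) else [value]

def principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the Internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_policy_actions(policy):
    """Actions that unconditional Allow statements grant to every principal."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and principal_is_public(stmt.get("Principal"))):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def public_acl_permissions(acl):  # permissions granted to the public groups above
    return {g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS}

def audit_bucket(bucket):
    """Findings: Block Public Access gaps, then *effective* public ACL/policy access."""
    bpa = bucket.get("PublicAccessBlock", {})
    findings = ["bpa-off:" + key for key in BPA_KEYS if not bpa.get(key)]
    acl_perms = public_acl_permissions(bucket.get("Acl", {}))
    if acl_perms and not bpa.get("IgnorePublicAcls"):  # this setting neutralises them
        findings.append("public-acl:" + ",".join(sorted(acl_perms)))
    actions = public_policy_actions(bucket.get("Policy", {}))
    if actions and not bpa.get("RestrictPublicBuckets"):  # and this one, the policy
        findings.append("public-policy:" + ",".join(sorted(actions)))
    return findings

# Constructed (not real) buckets: one set to 'Public' via policy and ACL, one fully blocked.
EXPOSED = {"Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                     "Action": "s3:GetObject", "Resource": "*"}]},
           "Acl": {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
                   "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
           "PublicAccessBlock": {}}
LOCKED = dict(EXPOSED, PublicAccessBlock={key: True for key in BPA_KEYS})

if __name__ == "__main__":
    for name, bucket in (("exposed", EXPOSED), ("locked", LOCKED)):
        print(name, audit_bucket(bucket) or ["no public exposure"])
```

A conditional public statement (for example one restricted by aws:SourceIp) is deliberately not counted; it still deserves a manual look, but it is not the world-readable case the interview is about.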

LW: Isn’t it more than just taking advantage of low-hanging fruit?

Murray: Yes, attackers are moving to more sophisticated attacks, as well. As part of Living off the Land (LOTL) attacks, attackers are automating searches to exploit vulnerabilities in virtual machines. They can exploit cloud provider metadata services, for instance, to access temporary identity and access management (IAM) credentials. This enables them to footprint the customer environment. From there they can gain access to central storage, amongst other things, and finally proceed to exfiltrate data.

We recently released an article about a malware we dubbed Cloud Snooper. This is a rootkit that establishes an APT-like command-and-control client on a machine . . . In essence it makes the command-and-control traffic look like benign traffic.
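On the detection side, the temporary instance-role credentials Murray mentions appear in CloudTrail as AssumedRole sessions whose session name is the instance id, so two signals are worth alerting on: the same session making API calls from an address outside the VPC’s known egress addresses, and credentials delivered over IMDSv1 (sessionContext.ec2RoleDelivery of "1.0"). The following is an added example, not Sophos’ material; the records, addresses, role name and the egress list are constructed, while the field names follow the CloudTrail record format.

```python
import ipaddress
import re

# An EC2 instance-role session ARN ends in ".../assumed-role/<RoleName>/<instance-id>".
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

def instance_session(identity):
    """Return the instance id when a CloudTrail userIdentity is an instance-role session."""
    if identity.get("type") != "AssumedRole":
        return None
    match = INSTANCE_SESSION.search(identity.get("arn", ""))
    return match.group(1) if match else None

def suspicious_reasons(event, egress_networks):
    """Why a record looks like misuse of credentials taken from the metadata service."""
    identity = event.get("userIdentity", {})
    instance = instance_session(identity)
    if instance is None:
        return []
    reasons = []
    try:  # non-IP values such as "ec2.amazonaws.com" denote AWS service calls, not hosts
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        ip = None
    if ip is not None and not any(ip in net for net in egress_networks):
        reasons.append(f"{instance} credentials used from off-host address {ip}")
    if identity.get("sessionContext", {}).get("ec2RoleDelivery") == "1.0":
        reasons.append(f"{instance} credentials were fetched over IMDSv1")
    return reasons

def scan(events, egress_cidrs):
    """Map eventID -> reasons for every suspicious record in a batch of CloudTrail events."""
    nets = [ipaddress.ip_network(cidr) for cidr in egress_cidrs]
    return {e["eventID"]: r for e in events if (r := suspicious_reasons(e, nets))}

def _instance_event(event_id, src, delivery):  # constructed record, abridged fields
    return {"eventID": event_id, "sourceIPAddress": src, "userIdentity": {
        "type": "AssumedRole", "sessionContext": {"ec2RoleDelivery": delivery},
        "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0a1b2c3d4e5f67890"}}

EGRESS = ["198.51.100.7/32"]  # constructed: the VPC's only NAT gateway address
EVENTS = [
    _instance_event("e1", "198.51.100.7", "2.0"),  # normal: from the VPC, IMDSv2
    _instance_event("e2", "192.0.2.55", "2.0"),    # same role replayed from elsewhere
    _instance_event("e3", "198.51.100.7", "1.0"),  # on host, but fetched via IMDSv1
]

if __name__ == "__main__":
    for event_id, reasons in scan(EVENTS, EGRESS).items():
        print(event_id, *reasons, sep=": ")
```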

LW: Your cloud security report shows how misconfigurations can translate into a major exposure. How so?

Murray: Reading about the thousands of cases out there, you’d be forgiven for thinking that attackers are only after an organization’s sensitive data in these attacks. In addition to financial data and personal information, one of the main uses of cloud storage accounts like Amazon S3 buckets is to host static website content like HTML files, JavaScript and Cascading Style Sheets (CSS). Attacks targeting these resources aren’t targeting exposed data. Instead, they look to maliciously modify website files; this is being done in order to steal the website visitors’ financial information.

Both attack chains look the same at the start, with attackers scanning the Internet for misconfigured S3 buckets, using automated S3 scanners. But this is where the attack paths diverge. In your typical S3 data breach, attackers will list and sync the valuable contents to a local disk and then access all the data that was misconfigured in ‘public’ mode.

In the case of a data modification attack, once access is gained, attackers look for JavaScript content and modify it to include malicious code. Now, when a user visits the infected website, the malicious JavaScript code loads, logging all credit and debit card details entered onto payment forms. This data is then sent to the criminal’s server.

LW: How much of these new attack vectors stem from high-velocity software development involving ‘microservices’ assembled in ‘containers’?

Murray: DevOps is the great enabler. The challenge for many organizations is that the DevOps process will be employed to automate the build of this infrastructure. Security teams must therefore enable developers to secure their automated process with tools – this way security enables digital transformation, rather than holding it back, or, worse still, causing security measures to be worked around in order to maintain agility.

LW: What’s a concrete example of a pervasive exposure opened up by cloud migration?

Murray: We used our cloud security posture management tool, called Sophos Cloud Optix, to learn that two of the most widespread exposure points come from organizations exposing Remote Desktop Protocol (RDP) and Secure Shell protocol (SSH). Cybercriminals are actively searching for these entry points through automated searches. These protocols need to be accounted for.

Organizations need to secure virtual private cloud (VPC) traffic, as well. We all want a simple, sure-fire route to ensure we don’t accidentally make a private subnet public. The challenge – it’s been all too easy to do just that, with route tables in a VPC that can only be associated with subnets, and no simple way to specify routing rules to direct traffic to subnets through a firewall when entering VPCs.
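To make the route-table pitfall concrete, here is an added example (not Sophos code): a subnet with no explicit route-table association inherits the VPC’s main route table, so when that table carries a default route to an internet gateway, a subnet intended to be private becomes reachable from the Internet. The Tier tag and all resource ids are constructed; field names follow the EC2 DescribeRouteTables and DescribeSubnets output.

```python
def tag_value(resource, key):
    """Value of an EC2 tag ({"Key": ..., "Value": ...} list) or None if absent."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)

def effective_route_table(subnet_id, route_tables):
    """A subnet uses its explicitly associated table; otherwise the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return next(rt for rt in route_tables  # every VPC has exactly one main table
                if any(a.get("Main") for a in rt.get("Associations", [])))

def has_internet_default_route(route_table):
    """True if 0.0.0.0/0 or ::/0 is routed to an internet gateway (igw-...)."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def unintended_public_subnets(subnets, route_tables):
    """Subnets tagged Tier=private whose effective route table reaches the Internet."""
    exposed = {}
    for subnet in subnets:
        if tag_value(subnet, "Tier") != "private":
            continue
        rt = effective_route_table(subnet["SubnetId"], route_tables)
        if has_internet_default_route(rt):
            exposed[subnet["SubnetId"]] = rt["RouteTableId"]
    return exposed

# Constructed VPC: the main table has the default route to an IGW (common when the first
# subnet created was the public one). One private subnet never got its own table.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-web", "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-db", "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-app", "Tags": [{"Key": "Tier", "Value": "private"}]},  # no own table
]

if __name__ == "__main__":
    print(unintended_public_subnets(SUBNETS, ROUTE_TABLES))  # {'subnet-app': 'rtb-main'}
```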

LW: Your cloud security report shows a high level of awareness of these exposures — 96% concerned — yet an apparent low level of corporate will to do something about low staffing levels. How do you explain that?

Murray: Almost half of survey respondents didn’t fully understand their responsibilities for securing cloud environments. The problem is in all of the gray areas, where the responsibility is quite literally shared. The platform vendors want to communicate that while they will provide the tools, such as security groups and IAM tools, the subscriber is responsible for implementing them correctly.

It’s the same thing as buying a firewall and only adding any-to-any rules. That sounds good in theory, but in practice it means that for a lot of the security provided by the platform, the ultimate responsibility is still with the customer. But just enabling something doesn’t make it secure. In order to properly secure a cloud environment, you need a good design and clear use case so you can wield the platform tools effectively and extend them with third party services where needed.

LW: Shifting gears a bit, what’s going on with ransomware? Your recent white paper shows it’s still at as high a level as in 2017. Why so?

Shier: The most significant shift in the ransomware landscape is the switch from a strictly opportunistic model to a more targeted one, and from individuals to businesses. While individuals are still being victimized, the most active ransomware gangs are laser-focused on breaching organizations.

Less skilled attackers, those focused on infecting individuals, have largely been pushed out of the market, driven by better protection and higher awareness, in favor of more capable professional gangs. This has meant a lower overall incidence of ransomware infections but with increased impact to victims.

LW: What do ransomware attack patterns across the globe look like today?

Shier: Attackers are choosing their targets more deliberately. These gangs still employ some opportunistic methods for target discovery. This includes using scanners to discover unpatched machines or exposed services (i.e. Remote Desktop Services) and the use of automated tools to gain brute-force access to said services. But once inside a network, the humans take over.

Some gangs have also resorted to shaming companies on social media in an effort to increase the likelihood of payment, leaking sensitive information if the victims don’t pay, or even urging the employees of victim organizations to put pressure on their IT departments to pay the ransom. We’ve also seen the higher end attackers continue to develop and improve their payloads in order to evade detection and increase the rate of successful infections.

LW: GDPR has been in effect for two years now, and your reports show that Europe’s tougher data protection laws appear to be contributing to a reduced rate of ransomware in the EU. How so?

Shier: Compliance with GDPR has provided an incentive for some companies to do the bare minimum. For example, this could be adding protection to servers where it might have been absent in the past, or implementing multi-factor authentication for all your externally facing accounts and services.

In other cases, encrypting your backups, a good practice from a data protection perspective, has also meant they were useless to criminals as additional extortion pressure. When companies build better security foundations it puts much of the proverbial low hanging fruit out of reach to cybercriminals.

GDPR compliance also requires better visibility into your assets and data. Today, more often than not, ransomware is the last stage acting as a distraction in an attack whose main motivation is data theft. This added visibility provides companies with a chance to spot the initial stages of any attack much sooner.

LW: Your reports show that the U.S. has done well, too. What impact has rising regulation played? I’m referring to the New York Department of Financial Services’ certification rules; and also California’s Consumer Privacy Act and the Department of Defense’s Cybersecurity Maturity Model Certification.

Shier: The increased adoption of next-gen security technologies, as well as regulatory pressure, has contributed to better resilience against ransomware attacks. This is true of the U.S. and other regions as well. This is offset, however, by widespread abuse of stolen credentials, lack of ubiquitous multi-factor authentication, too many exposed and vulnerable services, and careless user behavior.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
