Researchers deployed a global infrastructure of honeypot nodes in which they deliberately misconfigured key services within a cloud-based setup, including remote desktop protocol (RDP), secure shell (SSH) and server message block (SMB). Attackers jumped at the opportunity to exploit the misconfigurations: 80% of the 320 honeypot instances were compromised within 24 hours, and all of them within a week, the researchers disclosed in a recent report.
Some compromises took only minutes, and one particularly fast threat actor compromised 96% of 80 honeypot accounts within 30 seconds. This is striking, because the time from disclosure to exploitation of a vulnerability is usually measured in days or months. The study shows how quickly such common misconfigurations can lead to data breaches or to attackers taking down an entire network, especially since "most of these internet-facing services are connected to some other cloud workloads," the researchers said.
“When a misconfigured or vulnerable service is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service. There is no margin of error when it comes to the timing of security fixes.”
To lure attackers, the researchers intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest and administrator:password, which granted limited access to the application. They reset an experiment after each compromising event, that is, when a threat actor successfully authenticated with one of those credentials and gained access to the application. On a subset of the honeypots the researchers also blocked a list of known scanner IPs, updating the firewall policy once a day based on the network scanning traffic they had observed.
The team analysed the attacks along several dimensions: the time attackers took to discover and compromise a newly exposed service; the average time between two consecutive compromising events on the same targeted application; the number of distinct attacker IPs observed on a honeypot; and the number of days an attacker IP was observed.
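To make those four metrics concrete, the following script computes each of them from a constructed honeypot event log. It is an added example, not code or data from the report; the log format (a "deploy" record each time a service comes online with its weak credentials, "scan" for failed connection attempts, "compromise" for a successful login), the honeypot names and the IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample honeypot log (illustrative, not data from the report).
# Format: "<ISO timestamp> <honeypot id> <event> <source IP or -> [user:pass]"
#   deploy     = the exposed service (re)started with its weak credentials
#   scan       = a connection attempt that did not authenticate
#   compromise = a successful login with one of the intentionally weak credentials
SAMPLE_LOG = """\
2021-07-01T00:00:00 hp-ssh-01 deploy -
2021-07-01T00:03:12 hp-ssh-01 scan 198.51.100.7
2021-07-01T00:05:40 hp-ssh-01 compromise 198.51.100.7 admin:admin
2021-07-01T00:05:41 hp-ssh-01 deploy -
2021-07-01T02:15:00 hp-ssh-01 scan 203.0.113.9
2021-07-01T02:16:30 hp-ssh-01 compromise 203.0.113.9 guest:guest
2021-07-01T00:00:00 hp-rdp-01 deploy -
2021-07-02T00:00:00 hp-rdp-01 scan 198.51.100.7
2021-07-03T06:00:00 hp-rdp-01 compromise 198.51.100.7 administrator:password
"""


def parse_log(text):
    """Parse log lines into (timestamp, honeypot, event, src_ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, hp, event, ip = line.split()[:4]
        events.append((datetime.fromisoformat(ts), hp, event, ip))
    return sorted(events)


def time_to_first_compromise(events):
    """Seconds from a honeypot's first 'deploy' to its first 'compromise' (None if never)."""
    first_deploy, first_comp = {}, {}
    for ts, hp, event, _ in events:
        if event == "deploy":
            first_deploy.setdefault(hp, ts)
        elif event == "compromise":
            first_comp.setdefault(hp, ts)
    return {hp: (first_comp[hp] - first_deploy[hp]).total_seconds() if hp in first_comp else None
            for hp in first_deploy}


def mean_time_between_compromises(events):
    """Average gap in seconds between consecutive compromises of the same honeypot
    (None when the honeypot was compromised fewer than twice)."""
    times = defaultdict(list)
    for ts, hp, event, _ in events:
        if event == "compromise":
            times[hp].append(ts)
    result = {}
    for hp, ts_list in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        result[hp] = sum(gaps) / len(gaps) if gaps else None
    return result


def attacker_ips_per_honeypot(events):
    """Number of distinct source IPs seen scanning or compromising each honeypot."""
    ips = defaultdict(set)
    for _, hp, event, ip in events:
        if event in ("scan", "compromise"):
            ips[hp].add(ip)
    return {hp: len(s) for hp, s in ips.items()}


def days_observed_per_ip(events):
    """Number of distinct calendar days on which each attacker IP was seen, across all honeypots."""
    days = defaultdict(set)
    for ts, _, event, ip in events:
        if event in ("scan", "compromise"):
            days[ip].add(ts.date())
    return {ip: len(d) for ip, d in days.items()}


def share_compromised_within(events, seconds):
    """Fraction of honeypots whose first compromise came within `seconds` of deployment."""
    ttc = time_to_first_compromise(events)
    hit = sum(1 for t in ttc.values() if t is not None and t <= seconds)
    return hit / len(ttc)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("time to first compromise (s):", time_to_first_compromise(ev))
    print("mean time between compromises (s):", mean_time_between_compromises(ev))
    print("attacker IPs per honeypot:", attacker_ips_per_honeypot(ev))
    print("days each IP was observed:", days_observed_per_ip(ev))
    print("share compromised within 24h:", share_compromised_within(ev, 24 * 3600))
```

The "deploy" record is what makes the first metric meaningful: because the study reset each honeypot after a compromise, every reset starts a fresh clock, and the time-to-compromise must be measured from the most recent deployment rather than from the start of the whole experiment.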
While this study shows an alarming number of successful compromises, the good news for businesses making these common cloud configuration mistakes is that they are easy to avoid. To keep services from being reached by attacker IPs, cloud administrators can implement a guardrail that prevents privileged ports (such as those used by SSH, RDP and SMB) from being opened to the internet, and create audit rules that monitor all open ports and exposed services. The researchers also suggest that admins create automated response and remediation rules to fix misconfigurations automatically, and deploy next-generation firewalls to block malicious traffic.
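As an added illustration of the audit-plus-remediation guardrail described above (example code, not from the report or any vendor product), the script below checks a set of ingress rules for admin ports exposed to the whole internet and rewrites the offending rules to a management network. The rule schema is a simplified, constructed approximation of cloud security-group permissions, the port list is an assumption to be extended for your environment, and the group names and CIDRs are made up.

```python
import ipaddress

# Ports of the services the study exposed (SSH, RDP, SMB) plus a common database port.
# This set is an assumption for the example; extend it to match your environment.
ADMIN_PORTS = {22: "SSH", 139: "SMB/NetBIOS", 445: "SMB", 3389: "RDP", 5432: "PostgreSQL"}

# Constructed sample ingress rules in a simplified security-group shape
# (IpProtocol "-1" means all protocols and ports, as in AWS permissions).
SAMPLE_RULES = [
    {"group": "sg-web",     "IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "CidrIp": "0.0.0.0/0"},
    {"group": "sg-web",     "IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "CidrIp": "0.0.0.0/0"},
    {"group": "sg-bastion", "IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "CidrIp": "203.0.113.0/24"},
    {"group": "sg-win",     "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "::/0"},
    {"group": "sg-legacy",  "IpProtocol": "-1",  "FromPort": None, "ToPort": None, "CidrIp": "0.0.0.0/0"},
    {"group": "sg-db",      "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/8"},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(rule):
    """Admin ports this single rule opens to the entire internet (empty list if none)."""
    if not is_world_open(rule["CidrIp"]):
        return []
    if rule["IpProtocol"] == "-1":          # all traffic: every admin port is exposed
        return sorted(ADMIN_PORTS)
    if rule["IpProtocol"] != "tcp":         # the listed services are all TCP
        return []
    lo, hi = rule["FromPort"], rule["ToPort"]
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def audit(rules):
    """Audit rule: one finding per (group, port) pair exposed to the internet."""
    findings = []
    for r in rules:
        for p in exposed_admin_ports(r):
            findings.append((r["group"], p, ADMIN_PORTS[p], r["CidrIp"]))
    return findings


def remediate(rules, management_cidr):
    """Remediation rule (hypothetical policy): narrow every offending rule to the
    management network instead of deleting it, so legitimate admins keep access.
    Rules that do not expose admin ports are returned unchanged."""
    return [dict(r, CidrIp=management_cidr) if exposed_admin_ports(r) else r for r in rules]


if __name__ == "__main__":
    for group, port, service, cidr in audit(SAMPLE_RULES):
        print(f"FINDING {group}: {service} (port {port}) open to {cidr}")
    fixed = remediate(SAMPLE_RULES, "203.0.113.0/24")
    print("findings after remediation:", audit(fixed))
```

Note that the all-traffic rule on sg-legacy produces one finding per admin port, which is the behaviour you want from an audit: an "allow everything from anywhere" rule is not one misconfiguration but an exposure of every service behind it, and the remediation narrows it to the management range in the same way as a single-port rule.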