While cloud security has increasingly posed problems across organizations, a new report by Palo Alto Networks’ Unit 42 highlighted how treacherous the attack surface has become.
For the “2023 Unit 42 Attack Surface Threat Report,” published on Thursday, threat intelligence researchers analyzed public internet data collected earlier this year by Cortex Xpanse, Palo Alto Networks’ attack surface management product. The report, which covers 250 organizations with 10,000 employees or more across a variety of sectors, determined that a rapid move to the cloud imposed severe security risks.
Unit 42 described cloud as the “dominant attack surface” based on several petabytes of data collected that showed companies’ ongoing struggle with cloud management and misconfigurations. When comparing security exposures researchers observed in the cloud to on-premise networks, there was no competition.
“A vast 80% of medium, high, or critical exposures belonging to organizations analyzed were observed on assets hosted in the cloud,” Unit 42 wrote in the report.
The data showed only 19% of security exposures affected on-premise assets. Unit 42 attributed the large discrepancy to frequent cloud misconfigurations, confusion about shared responsibilities, shadow IT, a lack of visibility of assets, and cloud services’ “inherent connection to the internet.”
Security exposures related to the use of end-of-life (EOL) software and development infrastructure predominantly affected cloud environments, while common on-premises exposures consisted of unencrypted logins, file sharing software and internet-exposed databases. However, Unit 42 warned organizations to be aware of all exposures when migrating sensitive data to the cloud, as attackers have increasingly targeted file sharing products.
A Palo Alto Networks presentation during Black Hat 2023 further demonstrated attackers’ increasing cloud knowledge. Separately, a six-month study by Orca Security revealed that attackers can find exposed assets at alarming new speeds.
Similarly, Palo Alto Networks researchers found that today’s attackers can “scan the entire IPv4 address space for vulnerable targets within minutes.”
“Exposures on publicly facing assets put them at risk of being compromised, and sometimes this leads to organizations becoming victims of opportunity as opposed to a targeted attack,” the Unit 42 report read.
The continued use of EOL software posed one of the biggest concerns despite the industry’s ongoing push to retire legacy systems and cyber insurers requiring it as part of their policies. The report determined that nearly 95% of EOL software systems exposed on the public internet were found in cloud environments.
“This suggests that organizations might be slower to retire outdated systems that are publicly accessible in cloud environments than on-premises ones, and also that it is comparatively easier for developers to create and deploy large volumes of new services with substantially outdated software in the cloud,” the report said.
Lack of visibility leads to attacks
Cloud asset visibility was another top concern as organizations struggled with inventory awareness. Unit 42 highlighted “cloud dynamism,” or the near-constant shift of cloud services on a monthly basis, as a major issue.
“Cloud-based IT infrastructure is always in a state of flux — on average over 20% of externally accessible cloud services change every month across the 250 organizations. Without continuous visibility, it is easy to lose track of accidental misconfigurations and the steady spread of shadow IT within an organization,” the report read.
Matt Kraning, CTO of Palo Alto Networks Cortex, identified a lack of inventory awareness as the root cause of cloud-based attacks. It’s difficult for organizations to know how many servers they have online and how many routers they own, or even to have confidence in the numbers they provide.
He told TechTarget Editorial that the real issue comes down to decentralized IT.
“Twenty years ago, people were the problem. But people are no longer the weakest link in organizations,” he said. “It’s the IT systems — IT that’s on the internet.”
Cloud visibility continues to be a problem because exposures may exist in cloud environments. But organizations are often unaware and not actively monitoring those assets even as more and more of them are moved to the cloud.
The third top contributor to cloud security concerns is mergers and acquisitions, as assets can fall by the wayside and remain unaccounted for. “It’s not that the cloud is inherently less secure. It’s that if you try and lift and shift everything and take people that don’t have as much cloud experience, it’s much easier to configure large amounts of systems badly,” he said.
In addition to cloud migration, the most common problems he’s observed with Palo Alto Networks customers involved remote desktop protocol (RDP) and patch management. The report found that over 85% of organizations left RDP internet accessible for at least 25% of the month, which researchers warned could lead to ransomware attacks or unauthorized login attempts.
“The prevalence of RDP exposures in each industry studied in this report, combined with the rarity of compensating controls like MFA [multifactor authentication], make it likely that ransomware attacks will continue for the foreseeable future,” the report read.
National government and professional and legal services were among the top industries to have internet-exposed RDP over the last 12 months. Additionally, Kraning said that file sharing attacks are the most common among law firms as well.
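The two report metrics cited above, the monthly churn of externally accessible cloud services and the share of the month on which RDP is internet-reachable, can be computed from daily external-asset snapshots. The following is an added example, not code from the report or from Cortex Xpanse; the snapshots, hostnames and the 30-day month are constructed, and the 25% threshold is the one the report uses.

```python
# Constructed sample: one external-asset snapshot per day, as a set of (host, port).
# Real data would come from an attack surface management export; values here are invented.
MONTH_DAYS = 30
SNAPSHOTS = {}
for day in range(1, MONTH_DAYS + 1):
    assets = {("app-1.example.net", 443), ("api.example.net", 443), ("db-1.example.net", 5432)}
    if day >= 16:                      # a database host replaced mid-month
        assets.discard(("db-1.example.net", 5432))
        assets.add(("db-2.example.net", 5432))
    if day % 3 != 0:                   # RDP reachable on 20 of the 30 days
        assets.add(("jump-1.example.net", 3389))
    if day in (4, 5):                  # short-lived shadow IT box
        assets.add(("test-vm.example.net", 8080))
    SNAPSHOTS[day] = assets


def monthly_churn(snapshots):
    """Fraction of services seen at any point in the month that were not present
    on every day (they appeared, disappeared, or both)."""
    seen = set().union(*snapshots.values())
    stable = set.intersection(*snapshots.values())
    return (len(seen) - len(stable)) / len(seen) if seen else 0.0


def rdp_exposure_days(snapshots, port=3389):
    """Number of days on which at least one asset exposed RDP to the internet."""
    return sum(1 for assets in snapshots.values() if any(p == port for _, p in assets))


def rdp_exposed_too_long(snapshots, threshold=0.25):
    """True if RDP was reachable for at least `threshold` of the month (report criterion)."""
    return rdp_exposure_days(snapshots) / len(snapshots) >= threshold


def findings(snapshots):
    """Summarise both metrics as the kind of lines an inventory report would carry."""
    out = [f"external service churn this month: {monthly_churn(snapshots):.0%}"]
    days = rdp_exposure_days(snapshots)
    out.append(f"RDP (3389) internet-reachable on {days}/{len(snapshots)} days")
    if rdp_exposed_too_long(snapshots):
        out.append("FINDING: RDP exposed for >=25% of the month; restrict access and require MFA")
    return out


if __name__ == "__main__":
    for line in findings(SNAPSHOTS):
        print(line)
```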
Regarding patch management, Kraning said the problem doesn’t lie with an organization understanding the attack or its ability to apply available patches. Instead, it’s figuring out where they should patch. During emergency situations, such as attacks against Microsoft Exchange servers or Progress Software’s MOVEit Transfer products, organizations are spending time searching environments rather than mitigating.
Kraning said Microsoft Excel and Outlook are the two most used tools during a cybersecurity emergency.
“You have all of these problems, but the best response most organizations have to deal with this is with Microsoft Office and Excel. They’re emailing around spreadsheets of what to patch, what they think their assets are. And there’s no actual system that they say, ‘A new attack has come out, and what do we do?’” he said. “It’s, ‘Who owns the systems in France? Let’s email them and see what they think.’”
Unit 42’s recommendations included using automated defenses to keep up with the attackers. That includes continuous visibility monitoring, securing remote access and addressing cloud misconfigurations.