Many companies now work in the cloud. The close integration with traditional office applications is giving rise to new forms of attack that are already being exploited. Security precautions exist, but they are often not applied. In the Infocube on cloud security, professional hacker Philipp Kalweit spoke about the risks and about the technical and organisational measures companies can take to protect themselves.
Attackers are currently targeting Microsoft's Azure cloud. The popularity of this cloud is giving rise to new forms of attack, which makes additional security measures necessary. In the video interview, expert Philipp Kalweit explains the dangers that arise when using the cloud and how to counter them.
Cloud attacks are on the rise. A current example shows how attackers secure access to cloud resources. In the current wave of attacks, criminals are focussing on Microsoft's Azure cloud, which is very popular with many large companies and public authorities and is closely integrated with their desktop software.
Many companies store or process relevant data in the cloud, and many employees therefore hold corresponding access authorisations. This has not gone unnoticed by cyber criminals. As researchers at the security specialist Proofpoint have discovered, executives and managers are the focus of attacks in the hope that they have access to important cloud resources. The attackers therefore first penetrate Microsoft 365 applications and attempt to compromise other applications from there.
Attackers manipulate multi-factor authentication (MFA)
Once they have gained access to an account in the Azure environment, they attempt to manipulate multi-factor authentication (MFA) in order to secure permanent access to the compromised account. To do this, attackers prefer to register their own MFA methods. "We have observed that attackers choose different authentication methods, including registering alternative phone numbers for authentication via SMS or phone call. However, in most cases of MFA tampering, attackers preferred to add an authentication app with notification and code," say the Proofpoint researchers.
Data exfiltration, internal and external phishing and manipulation of mailbox rules then begin, according to the researchers. Criminals use the company's internal e-mail system to attack other user accounts with personalised phishing e-mails. Because this attack starts inside the company, it is particularly perfidious: employees assume they are being contacted by colleagues. The ultimate aim is to obtain financial resources, which is why the internal e-mail messages are preferably sent to the HR and finance departments of the affected companies.
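The two steps described above, registering additional MFA methods on a compromised account and then manipulating mailbox rules, both leave audit trails that a defender can correlate. The following script is an added example and is not from the article or from Proofpoint. It runs over constructed audit events: the Entra ID entries are a simplified version of the Microsoft Graph directory audit shape (the activity name "User registered security info" is the real one, the exact field layout is an assumption), and the Exchange entries mimic unified audit log records for the `New-InboxRule` operation. The allowlisted network, the internal domain and all user names are constructed for this example.

```python
"""Correlate MFA method registrations with suspicious inbox rules.

All events below are CONSTRUCTED sample data modelled loosely on Entra ID
directory audit records and Exchange Online unified audit log records.
Field names and values are assumptions for this example, not real telemetry.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed: networks the organisation normally signs in from.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed: the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"

SAMPLE_EVENTS = [
    # A finance executive registers two new MFA methods from an unknown address.
    '{"source":"entra","activityDateTime":"2024-01-15T08:02:11Z","activityDisplayName":"User registered security info",'
    '"initiatedBy":{"user":{"userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.44"}},'
    '"targetResources":[{"userPrincipalName":"cfo@example.com","modifiedProperties":[{"displayName":"MethodType","newValue":"Microsoft Authenticator app"}]}]}',
    '{"source":"entra","activityDateTime":"2024-01-15T08:03:40Z","activityDisplayName":"User registered security info",'
    '"initiatedBy":{"user":{"userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.44"}},'
    '"targetResources":[{"userPrincipalName":"cfo@example.com","modifiedProperties":[{"displayName":"MethodType","newValue":"Phone"}]}]}',
    # A normal registration from the corporate network.
    '{"source":"entra","activityDateTime":"2024-01-15T09:15:00Z","activityDisplayName":"User registered security info",'
    '"initiatedBy":{"user":{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7"}},'
    '"targetResources":[{"userPrincipalName":"alice@example.com","modifiedProperties":[{"displayName":"MethodType","newValue":"Microsoft Authenticator app"}]}]}',
    # Minutes later the same executive account creates a rule that silently deletes finance mail.
    '{"source":"exchange","CreationTime":"2024-01-15T08:10:05Z","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"203.0.113.44",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"DeleteMessage","Value":"True"}]}',
    # A benign filing rule.
    '{"source":"exchange","CreationTime":"2024-01-15T10:00:00Z","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.9",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
]


def parse_events(lines):
    """Each line is one JSON audit record."""
    return [json.loads(line) for line in lines]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def detect_mfa_registrations(events):
    """Flag new MFA methods registered from outside the allowlisted networks."""
    findings = []
    for ev in events:
        if ev.get("source") != "entra" or ev.get("activityDisplayName") != "User registered security info":
            continue
        actor = ev["initiatedBy"]["user"]
        target = ev["targetResources"][0]
        method = next((p["newValue"] for p in target["modifiedProperties"]
                       if p["displayName"] == "MethodType"), "unknown")
        if not _is_known_ip(actor["ipAddress"]):
            findings.append({"type": "mfa_registration_unknown_network",
                             "user": target["userPrincipalName"], "method": method,
                             "ip": actor["ipAddress"], "time": _ts(ev["activityDateTime"])})
    return findings


def detect_inbox_rules(events):
    """Flag inbox rules that delete mail or send it outside the organisation."""
    findings = []
    for ev in events:
        if ev.get("source") != "exchange" or ev.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in ev["Parameters"]}
        reasons = []
        if params.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            if key in params and not params[key].lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{key} leaves the organisation")
        if reasons:
            findings.append({"type": "suspicious_inbox_rule", "user": ev["UserId"],
                             "rule": params.get("Name"), "reasons": reasons,
                             "time": _ts(ev["CreationTime"])})
    return findings


def correlate(mfa_findings, rule_findings, window=timedelta(hours=24)):
    """Pair a flagged MFA registration with a later suspicious rule on the same account."""
    chains = []
    for rule in rule_findings:
        for mfa in mfa_findings:
            if mfa["user"] == rule["user"] and timedelta(0) <= rule["time"] - mfa["time"] <= window:
                chains.append({"user": rule["user"], "mfa_method": mfa["method"], "rule": rule["rule"]})
                break
    return chains


def analyse(lines=SAMPLE_EVENTS):
    events = parse_events(lines)
    mfa = detect_mfa_registrations(events)
    rules = detect_inbox_rules(events)
    return {"mfa": mfa, "rules": rules, "chains": correlate(mfa, rules)}


if __name__ == "__main__":
    for key, items in analyse().items():
        print(key, *items, sep="\n  ")
```

Either detector alone produces noise (people do add phones, and filing rules are common); the correlation in `correlate` is what turns two low-confidence signals into an account-takeover alert worth paging on. In production the allowlist would come from sign-in risk data or named locations rather than a hard-coded network.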
The more companies move their IT to the cloud, the more lucrative cloud instances become for attackers. It is not uncommon for companies to have hardly any IT on site. Instead, they utilise everything Microsoft offers with Office 365, for example. In addition, numerous Azure instances run business-critical systems, including database systems. If these contain sensitive data that represents the crown jewels of the respective company, the risk is correspondingly higher and security precautions should be increased accordingly.
A wide range of countermeasures are available
Many companies are now even pursuing a cloud-first strategy, reports Philipp Kalweit. This results in large collections of data, "all in one pile", Kalweit continues. "That makes it interesting for attackers because there is a lot to find", he explains as an interview partner in the it-sa Infocube format.
Philipp Kalweit is an IT security specialist and founded his own company at the age of 17. The specialist known as "Germany's youngest hacker" has thus "turned his hobby into a profession".