Ryan Nicholson

Cloud Attacks: What’s Old is New – Part 1

While cloud and on-prem infrastructure deployments differ greatly, many cloud attacks are similar to traditional on-prem attacks.

December 12, 2023

The Cloud Threat Landscape

New Environment, Same Issues

When migrating applications and services to a cloud environment, whether it be Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), customers will very quickly discover the similarities and differences in how these environments are managed.

Let’s use virtual machines (VMs), or as Amazon Web Services (AWS) and Google Cloud Platform (GCP) call them, instances, as an example (I will call this type of resource a VM from here on out to save some confusion). The deployment of these resources can be quite different from building physical or virtual machines on-premises. However, the maintenance of the systems differs minimally, if at all, as we often use management tooling which can leverage Secure Shell (SSH), Remote Desktop Protocol (RDP), or Windows Remote Management (WinRM). This brings us to another subtle difference: how to connect to these systems over a network. This requires the end user to understand cloud networking which, as you will see shortly, is well understood. But is the security of these connections understood? That remains to be seen.

Shodan is a tool which is primarily used to search scan results of internet-facing devices. From an attacker’s perspective, this is fantastic as Shodan is the one performing the work of scanning for alive systems, determining which ports are listening, which services may be listening on those ports, and even provides screenshots of login pages and video stills of IP-enabled cameras. This allows the attacker to avoid early detection as, if they were the ones performing the scan, this could easily make their presence known. Of course, security teams can leverage this service as well to see what the world can likely access directly and address any concerning findings before an attacker can take advantage.

Let us do a simple search in Shodan to look for overly exposed systems. As we see in Figure 1 below, a search conducted on November 6th, 2023, is simply looking for well-known management services ports (SSH, RDP, WinRM over HTTP, and WinRM over HTTPS). Shodan unveiled a considerable number of systems (32,299,678 to be exact) listening on those ports (22/TCP, 3389/TCP, 5985/TCP, and 5986/TCP, respectively). If you look closely at the Top Organizations information, you will see that the top five vendors consist of either cloud service providers (CSPs) or internet service providers (ISPs).

Figure 1: Shodan search results for common management ports

Does this mean that CSPs and ISPs are unwilling or unable to protect customer systems? The most likely answer is “no.” What this most often means is that the customers in those environments who can lock down their management communication to an appropriate audience (i.e., not the entire internet) are not doing so. This could be due to ignoring CSP or ISP environment security best practices.

Cloud Attack Techniques

Now, we’ve seen these types of flaws before. In fact, most compute-related security issues remain when migrating from an on-premises environment to a cloud environment. However, the cloud introduces a whole new world to attackers full of many new capabilities that allow them to deploy and manage resources.

Luckily, there is an online repository you may be familiar with, MITRE ATT&CK, that tracks common attacker techniques (and much more information regarding real-world attack groups). You can even find this information compiled into matrices in the repo. These matrices include column headers indicating the types of tactics employed by known attack groups. In other words, tactics are what the attacker is attempting to accomplish during their campaign—there are often multiple tactics in the same campaign. In each tactic column, a variety of techniques and sub-techniques which are used to achieve the desired tactic are listed.

There can be (and are) hundreds of techniques and sub-techniques (I will just call them techniques moving forward to keep things simple) that can be employed given an appropriate environment. With just a simple list of techniques, it can be hard to identify, without a ton of research, which techniques may apply in each type of environment. Fortunately, MITRE has created multiple matrices—one for each common environment or technology deployment—like the Cloud Matrix as shown in Figure 2 below.

Figure 2: MITRE ATT&CK Cloud Matrix

If you spend any amount of time looking over this matrix, you will quickly realize there are many techniques that are nearly identical attacks against both on-premises and cloud targets. Let us look at a few real-world examples.

What’s Old is New

Background and Sample Attack

Authentication attacks are interesting as they wildly depend on what the attacker is trying to successfully access as a legitimate user. One approach can be to log in to a cloud resource's management service (e.g., SSH on a Linux VM). So, how would this attack look in a cloud environment? Spoiler alert: the same as an attack against an on-premises system.

Hydra is an attack tool specializing in attacking login services like SSH, RDP, and web application login pages to name a few. I have deployed a Linux system in Azure with the SSH service overly exposed so the attacker can see it (let us assume they either did some active reconnaissance using a port scanner like Nmap or maybe even “outsourced” this work to Shodan where they found this system). You can see that it was overly exposed by taking a look at the Network Security Group (NSG) configuration for this VM in Figure 3.

Figure 3: Azure NSG exposing 22/TCP and 80/TCP to the world

The vendor I chose does not matter as it is up to me to lock down these types of management ports to only my expected audience like administrators and engineers. In fact, as you can see in Figure 3, Azure is trying to help by placing a warning icon (the yellow triangle with an exclamation point inside of it) to grab my attention and tell me this may be an unintended rule. Let’s see how Hydra can take advantage of this all-too-common misconfiguration. NSGs in Azure, Security Groups and Network Access Control Lists (NACLs) in AWS, and VPC Firewalls in GCP are used to allow or restrict traffic at layer three and layer four of the Open Systems Interconnection (OSI) model. Layer three refers to the network layer so, as it applies here, we are concerned about IPv4 or IPv6 addressing. Layer four refers to the transport layer, and this is our attempt at locking down the transport protocols in use and the port numbers used over these protocols (for example, 22/TCP which is the well-known port for SSH—the application protocol).

Figure 4: Successful Hydra attack finding a username of ubuntu and password of password123

As you can see in Figure 4 above, with only a properly guessed username and a list of candidate passwords (in which my password was on this list), Hydra identified a pair of valid credentials for the attacker. Yes, I know that is a super-weak password, but this was an example of just how easy it can be to discover valid authentication information. Besides, can you confidently say none of your systems administrators are using weak passwords?
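A password-guessing run like the one in Figure 4 leaves an unmistakable trail in the target's authentication log: a burst of failed password attempts from one source, sometimes followed by a success. The following detector is an added example, not code from the post or from SANS; the sshd log lines it parses are constructed to mimic that pattern (the addresses are documentation ranges), and the threshold of five failures is an assumption you would tune to your environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth.log lines (not from the post): a burst of failed
# password attempts from one source ending in a success, the trail a
# Hydra-style guessing run leaves behind, plus benign activity from a second host.
SAMPLE_AUTH_LOG = """\
Nov  6 10:15:01 vm sshd[2101]: Failed password for ubuntu from 203.0.113.10 port 51001 ssh2
Nov  6 10:15:02 vm sshd[2102]: Failed password for ubuntu from 203.0.113.10 port 51002 ssh2
Nov  6 10:15:02 vm sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51003 ssh2
Nov  6 10:15:03 vm sshd[2104]: Failed password for ubuntu from 203.0.113.10 port 51004 ssh2
Nov  6 10:15:03 vm sshd[2105]: Failed password for ubuntu from 203.0.113.10 port 51005 ssh2
Nov  6 10:15:04 vm sshd[2106]: Accepted password for ubuntu from 203.0.113.10 port 51006 ssh2
Nov  6 10:16:10 vm sshd[2107]: Failed password for ubuntu from 198.51.100.7 port 40001 ssh2
Nov  6 10:16:40 vm sshd[2108]: Accepted publickey for ubuntu from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Return a list of {result, method, user, src} dicts, one per sshd auth event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_password_guessing(events, threshold=5):
    """Return {src: summary} for every source with >= threshold failed password
    logins. A password success from that source *after* it crossed the
    threshold is recorded as a likely compromised account (assumed threshold)."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    compromised = defaultdict(set)
    for ev in events:
        if ev["method"] != "password":
            continue  # key-based logins are not part of a guessing run
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            users_tried[ev["src"]].add(ev["user"])
        elif failures[ev["src"]] >= threshold:
            compromised[ev["src"]].add(ev["user"])
    findings = {}
    for src, count in failures.items():
        if count >= threshold:
            findings[src] = {
                "failed_attempts": count,
                "usernames_tried": sorted(users_tried[src]),
                "accounts_compromised": sorted(compromised[src]),
            }
    return findings


if __name__ == "__main__":
    for src, summary in find_password_guessing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, summary)
```

On the constructed log this flags 203.0.113.10 with five failures across the users `admin` and `ubuntu` and marks `ubuntu` as compromised, while the single failure from 198.51.100.7 followed by a key-based login stays below the threshold. Counting per source rather than per account is what catches a run that sprays many usernames with one password each.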

How to Defend Against These Attacks

The defense against these types of attacks in a cloud environment is remarkably similar to protecting any management service. The first thing that comes to mind is preventing users from setting weak passwords. Password policies implemented on your Windows, Linux, and macOS systems can be extremely helpful here, and there are even benchmark guides provided by security-focused organizations and vendors that can help implement and enforce these policies. For example, the Center for Internet Security (CIS) provides benchmark guides for most mainstream technologies, ranging from operating systems and applications to cloud vendors and even printers.

Even with strong password policies in place, we really should focus on using multi-factor authentication (MFA). This requires an attacker to not only successfully acquire credentials (something you know) using active authentication attacks or credential stuffing (i.e., using already stolen credentials to access another application with the same credential pair), but to also provide either something you have, like an authenticator application on your smartphone or a hardware token, or something you are, like a biometric, as that makes you “unique” from another person.

The next logical step to limit an attacker’s opportunity to attack or access these management services is to restrict network access to trusted sources. Here is where the big differences come into play when implementing these types of networking controls in the cloud. Since the cloud contains the built-in services mentioned before, there is a learning curve to ensure these services are configured properly to address these concerns. As vendors want to make it “easy” for customers to get their VMs up and running, default rules can be the cause of these over-exposed systems. For example, when deploying a Linux system in AWS, Azure, or GCP, the vendor will populate an SSH rule that is exposed to, at least, the entire IPv4 internet. Customers should be aware of this (and you are now, so no excuses) and make the necessary adjustments to limit access to only expected sources.
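The audit below turns the two points above into something you can run: it looks for inbound allow rules that expose the management ports from the Shodan search (22, 3389, 5985, 5986) to the whole internet, and shows the over-exposed default SSH rule from Figure 3 beside its corrected form restricted to an administrator CIDR. This is an added example, not code from the post, SANS, or Microsoft. The rule dictionaries are constructed; their field names (`sourceAddressPrefix`, `destinationPortRange(s)`, `access`, `direction`, `protocol`, `priority`) follow the shape of Azure NSG rules as an assumption, and the same check generalizes to AWS Security Groups and GCP VPC firewall rules once their fields are mapped onto it. The admin CIDR is a documentation range, not a real source.

```python
import ipaddress

# Well-known management ports from the post's Shodan search (port -> service).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM/HTTP", 5986: "WinRM/HTTPS"}

# Source prefixes that mean "anyone on the internet" in an NSG rule (assumed set).
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Constructed NSG rules (not real configuration). "SSH" is the vendor-style
# default that exposes 22/TCP to the world, as in Figure 3 of the post.
SAMPLE_NSG_RULES = [
    {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "HTTP", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "WinRM-from-admins", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24",
     "destinationPortRanges": ["5985", "5986"]},
    {"name": "DenyAllInbound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def expand_ports(spec):
    """Expand a port spec such as '22', '5985-5986', '22,3389' or '*' into a set of ints."""
    if spec == "*":
        return set(range(0, 65536))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def is_world_reachable(prefix):
    """True if the source prefix admits the entire IPv4 or IPv6 internet."""
    if prefix in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags such as "VirtualNetwork" are not the internet


def find_exposed_management_rules(rules):
    """Return the inbound allow rules that open a management port to the world."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if rule.get("protocol", "*") not in ("*", "Tcp"):
            continue  # the management services here are all TCP
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if not any(is_world_reachable(s) for s in sources):
            continue
        specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
        open_ports = set()
        for spec in specs:
            open_ports |= expand_ports(spec)
        hits = sorted(open_ports & set(MANAGEMENT_PORTS))
        if hits:
            findings.append({
                "rule": rule["name"],
                "priority": rule["priority"],
                "ports": [f"{p}/TCP ({MANAGEMENT_PORTS[p]})" for p in hits],
            })
    return findings


def restrict_rule_source(rule, admin_cidr):
    """Corrected form of a rule: same ports, but only the administrator CIDR may reach them."""
    fixed = dict(rule)
    fixed.pop("sourceAddressPrefixes", None)
    fixed["sourceAddressPrefix"] = admin_cidr
    return fixed


if __name__ == "__main__":
    for finding in find_exposed_management_rules(SAMPLE_NSG_RULES):
        print("EXPOSED:", finding)
    fixed_rules = [restrict_rule_source(r, "198.51.100.0/24") if r["name"] == "SSH" else r
                   for r in SAMPLE_NSG_RULES]
    print("after fix:", find_exposed_management_rules(fixed_rules))
```

Only the `SSH` rule is reported: `HTTP` is world-reachable but not a management port, `WinRM-from-admins` already carries a narrow source, and the deny rule is ignored. After `restrict_rule_source` replaces the `*` source with the admin CIDR, the audit comes back empty. The deliberate choice is to key on the management ports rather than on every `*` source, so that intentionally public services such as a web front end on 80/TCP do not drown out the findings that matter.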

What Did We Learn?

In this first blog post on cloud attacks, we discovered that some of the tried-and-true methods that attackers use when attacking on-premises systems continue to work just fine when targeting cloud workloads. In fact, we as a community are making it easier on attackers as there is a learning curve when migrating your security efforts into a cloud environment.

Read Part 2: Cloud Attacks: What's New Is New where I discuss novel methods used by real-world adversaries when specifically targeting cloud environments and resources.

To ensure you and your cloud security team are prepared with the knowledge, strategies, and capabilities to prevent attacks against your organization’s cloud infrastructure, I have authored and teach the SANS SEC488: Cloud Security Essentials and co-authored and teach the SANS SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection course. I hope to see you in class!
