Threat actors are concealing campaigns to evade detection and establish stronger footholds in compromised systems.

The number of fileless or memory-based attacks that exploit existing software, applications, and protocols has surged 1,400% in the last year. That's according to Aqua Security's 2023 Cloud Native Threat Report, which summarizes research and observations of threat actors' changing tactics, techniques, and procedures (TTPs), along with outlining strategies for protecting cloud environments.

Based on analysis by Aqua Nautilus researchers of 700,000 real-world attacks, the report covers three key areas: software supply chain, risk posture (including vulnerabilities and misconfigurations), and runtime protection. Among the key findings is that threat actors are heavily investing resources to conceal campaigns and avoid detection in order to establish a stronger foothold in compromised systems. Meanwhile, various areas in the cloud software supply chain remain vulnerable to compromise and pose significant threats to organizations, the report stated.

Threat actors use multiple techniques to conceal campaigns

Threat actors are using many techniques to conceal their campaigns from agentless solutions, according to the report. Aggregated honeypot data collected over a six-month period showed that more than 50% of attacks focused on defense evasion. These attacks include masquerading techniques, such as files executed from /tmp, and obfuscated files or information, such as dynamic loading of code. In addition, threat actors used memory-resident malware in 5% of attacks, Aqua said.

The most persuasive evidence of threat actors' increasing and successful efforts to evade agentless technology was found in the "HeadCrab" campaign, detected in early 2023. "This advanced threat actor uses state-of-the-art, custom-made malware that is undetectable by agentless and traditional antivirus technologies," the report read.
Aqua found evidence that HeadCrab has taken control of at least 1,200 Redis servers, some of them belonging to security companies. "The malware uses Redis commands and creates new commands to increase capabilities on its victims' servers." Such evasive attack techniques highlight the importance of agent-based runtime security, Aqua said.

4 steps to tackling evasive, concealed attacks

Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, advises businesses to implement four steps to mitigate the threats of attacks that use evasion/concealment to avoid cloud security defenses:

1. Regularly monitor and analyze logs. "Collect and analyze logs from various cloud services and infrastructure components," Morag says. "Implement a robust log management system and employ security information and event management (SIEM) tools to detect and respond to suspicious activities and potential evasion attempts."

2. Implement network segmentation, as segmenting cloud networks into separate zones or virtual networks with different security controls helps contain the impact of a successful attack, Morag says. "This limits lateral movement within the cloud environment and reduces the chances of an attacker successfully evading detection."

3. Use intrusion detection and prevention systems (IDPS) to monitor network traffic and detect known attack patterns. "These systems can identify and block evasion techniques employed by attackers to bypass security defenses," he adds.

4. Use behavior-based anomaly detection. Employ advanced security solutions that conduct behavior analytics to identify abnormal activities and deviations from normal patterns, Morag says. "This helps detect evasive tactics employed by attackers that may be difficult to identify using traditional signature-based approaches, including defense evasion techniques."
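One way to put the first and fourth of Morag's steps into practice against the evasion techniques the report describes, as an added example that is not part of the report or this article: a small Python detector that applies three defensive rules (execution from /tmp, memfd-backed executables as a sign of memory-resident code, and executables never before seen on a host) to constructed process-execution events. The JSON-lines event schema, the memfd heuristic, and the per-host baseline are assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample of process-execution events in a JSON-lines audit format
# (hypothetical schema: host, exe, cmd). Not real telemetry.
SAMPLE_EVENTS = """\
{"host": "web-1", "exe": "/usr/bin/python3", "cmd": "python3 app.py"}
{"host": "web-1", "exe": "/tmp/.x/kworker", "cmd": "/tmp/.x/kworker -d"}
{"host": "web-1", "exe": "memfd:payload (deleted)", "cmd": "./payload"}
{"host": "web-2", "exe": "/usr/sbin/nginx", "cmd": "nginx -g daemon off;"}
{"host": "web-2", "exe": "/usr/bin/curl", "cmd": "curl http://example.invalid/x"}
"""

# Baseline of executables previously observed per host. Assumed to be learned
# from a known-clean period; here it is constructed inline.
BASELINE = {"web-1": {"/usr/bin/python3"}, "web-2": {"/usr/sbin/nginx"}}


@dataclass
class Finding:
    host: str
    rule: str
    exe: str


def detect(events_jsonl: str, baseline: dict) -> list:
    """Apply three defensive rules to each exec event:
    - tmp_exec: masquerading via a binary executed from /tmp
    - memory_resident: executable backed by an anonymous memfd, no on-disk file
    - new_executable: behaviour-based anomaly, exe never seen on this host before
    One event can trigger several rules, so each match is a separate finding.
    """
    findings = []
    for line in events_jsonl.splitlines():
        ev = json.loads(line)
        host, exe = ev["host"], ev["exe"]
        if exe.startswith("/tmp/"):
            findings.append(Finding(host, "tmp_exec", exe))
        if exe.startswith("memfd:"):
            findings.append(Finding(host, "memory_resident", exe))
        if exe not in baseline.get(host, set()):
            findings.append(Finding(host, "new_executable", exe))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{f.host}: {f.rule} -> {f.exe}")
```

The baseline rule is what makes this behaviour-based rather than signature-based: a previously unseen executable is flagged even if neither path heuristic matches, as with the curl invocation on web-2.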
Software supply chain complexity creates large attack surface

The report also highlights how software supply chain complexity presents a large attack surface that includes various applications, potentially leading to misconfigurations and vulnerabilities. Aqua's data indicates that supply chain attacks grew by more than 300% year-over-year.

One area that the report focuses on is how threat actors exploit software packages and use them as attack vectors to subvert the wider software supply chain. "Through our research, we demonstrated how attackers can perform reconnaissance and exploit packages in the NPM package manager," Aqua wrote. This involved using NPM's API to detect private packages and identifying flaws in two-factor authentication that could enable account takeover attacks. Furthermore, the firm discovered a logical flaw called "package planting," which allows attackers to disguise malicious packages as legitimate, as well as a vulnerability (CVE-2022-32223) in all Node.js versions that could allow the embedding of malicious code into packages and lead to privilege escalation/malware persistence in Windows environments.

Aqua researchers found over 770 million logs of free-tier users exposed to the internet, and after downloading a sample of 7 million logs (~1%), they discovered tens of thousands of exposed tokens, secrets, and other credentials; 50% of these secrets and credentials were still active, according to the report.

Top 10 vulnerabilities scanned in 2022

Aqua's report lists the top 10 vulnerabilities scanned last year, with most related to remote code execution. "This reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems. Additionally, we see that Apache servers and services are widely targeted, as Log4Shell, Text4Shell, Spring Framework, and other services are all related to Apache."
The top 10 vulnerabilities in the report are:

1. Log4Shell - CVE-2021-44228
2. Apache HTTP Server - CVE-2021-42013
3. Apache HTTP Server - CVE-2021-41773
4. Spring Cloud RCE - CVE-2022-22963
5. Text4Shell - CVE-2022-42889
6. Cisco ASA & FTD - CVE-2020-3452
7. Lua Sandbox Escape in Redis - CVE-2022-0543
8. RCE on VMware Identity Manager - CVE-2022-22954
9. XML XXE on Zimbra - CVE-2022-22954
10. Oracle WebLogic RCE - CVE-2022-42889

As for the severity of vulnerabilities in 2022, 27% were critical, 35% were high, 37% were medium, and 1% were low, according to Aqua.