BACKGROUND:
A new cyber espionage campaign has been reported against the aerospace and telecommunications industries, primarily in the Middle East. Its goal is to steal sensitive information about critical assets, organisations’ infrastructure, and technology while staying hidden and evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks “Operation Ghostshell,” pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient, deployed as the main spy tool. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach.
Because cloud-based data travels wherever it is needed, SaaS apps and cloud services are common attack targets with large risk surfaces. The cloud is not only a target, though: attackers also use it as a threat vector for reconnaissance and for exfiltrating sensitive data. Routing traffic through legitimate cloud services helps attackers avoid detection, because the communication comes from reputable platforms. This lets them use services such as Dropbox as command-and-control (C2) channels between themselves and the compromised systems they target. The significant rise in such malicious cloud tactics has made cloud governance a critical priority for many organizations.
This incident shows that cloud services are not 100% secure, although most cloud exposures and breaches stem from abuse and misuse of the cloud and from user error. Some organizations rely too heavily on the minimal native security controls that many cloud and SaaS apps provide. The shared responsibility model for securing these assets deserves more recognition: the cloud provider stores your apps and data, while a third-party cloud access security broker (CASB) solution secures access and data handling. As people reach these services from more places, mobile users and devices must also be covered by that arrangement. Doing so lets you continuously monitor all traffic to your cloud and apply user behavior analytics to identify malicious activity. In turn, this supports strong adaptive access controls that ensure only authorized users interact with your infrastructure. Adaptive controls include the ability to distinguish corporate from non-corporate access to the same app, which is key for enforcing dynamic access and data loss prevention (DLP) policies.
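As an added illustration of the monitoring described above (not code from the report or from Cybereason), the following heuristic scans constructed proxy log lines for near-periodic requests to a sanctioned cloud service from an unexpected client, the kind of pattern a RAT using Dropbox as a C2 channel would produce. The log format, host names, sanctioned user-agent prefixes, and thresholds are all assumptions for the example.

```python
"""Beaconing heuristic over proxy logs for traffic to trusted cloud domains."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the incident): timestamp, host, destination, user-agent
SAMPLE_LOGS = """\
2021-07-12T09:00:00 ws-17 api.dropboxapi.com python-requests/2.25
2021-07-12T09:05:01 ws-17 api.dropboxapi.com python-requests/2.25
2021-07-12T09:10:00 ws-17 api.dropboxapi.com python-requests/2.25
2021-07-12T09:15:02 ws-17 api.dropboxapi.com python-requests/2.25
2021-07-12T09:20:00 ws-17 api.dropboxapi.com python-requests/2.25
2021-07-12T09:01:13 ws-03 api.dropboxapi.com Dropbox-Desktop/1.0
2021-07-12T09:17:40 ws-03 api.dropboxapi.com Dropbox-Desktop/1.0
2021-07-12T11:42:05 ws-03 api.dropboxapi.com Dropbox-Desktop/1.0
"""

# Cloud domains the organization sanctions (assumed list)
CLOUD_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# User-agent prefixes expected for sanctioned use; anything else warrants review (assumed)
SANCTIONED_AGENTS = ("Dropbox-Desktop/", "Mozilla/")


def parse(lines):
    """Yield (timestamp, host, destination, user_agent) tuples from the log text."""
    for line in lines.splitlines():
        ts, host, dest, agent = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), host, dest, agent


def find_beacons(lines, min_hits=4, max_jitter=0.1):
    """Return {(host, dest): (mean_interval_seconds, agent)} for host/destination pairs
    whose requests are near-periodic (std/mean <= max_jitter) and use an unsanctioned agent."""
    seen = defaultdict(list)
    for ts, host, dest, agent in parse(lines):
        if dest in CLOUD_DOMAINS:
            seen[(host, dest)].append((ts, agent))
    hits = {}
    for key, events in seen.items():
        events.sort()
        if len(events) < min_hits:  # too few requests to judge periodicity
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            agent = events[0][1]
            if not agent.startswith(SANCTIONED_AGENTS):
                hits[key] = (round(avg), agent)
    return hits


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOGS))  # ws-17 beacons every ~300 s with python-requests
```

The desktop client on ws-03 is ignored because its three irregular requests fall below the sample threshold, while ws-17 is flagged for its five-minute cadence and non-sanctioned user agent.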