Shadow IT and misconfigured application programming interface (APIs) accounted for the vast majority of security incidents in the cloud last year, according to the 2021 IBM Security X-Force Cloud Threat Landscape Report. In particular, the report revealed that two-thirds of the incidents studied involved improperly configured APIs.

This year, IBM augmented the 2020 report with new and more robust data spanning Q2 2020 through Q2 2021. Data sets used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. These multiple data sources help better understand how threat actors are getting into cloud environments, what types of malicious activity are pursued once they’re inside and how organizations can prepare and react to security incidents involving their cloud environments more effectively.

Cloud Environments Need to Be Better Secured

Cloud accounts/resources on the dark web. There is a thriving dark web market for public cloud access, with advertisements for tens of thousands of cloud accounts and resources for sale. In 71% of cases, threat actors offered Remote Desktop Protocol (RDP) access to cloud resources, enabling attackers to have direct access and conduct malicious activity. In some cases, account credentials to access cloud environments were being sold for a few dollars.

Passwords & Policies: The vast majority of X-Force Red penetration tests of cloud environments found issues with either passwords or policies.

Hardening systems: Based on X-Force research, two-thirds of breaches to cloud environments would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems.

Vulnerabilities in cloud-deployed applications surge: Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months. While some of this growth can be attributed to better tracking (cloud vulnerabilities were added to MITRE’s CVE standards in January 2020), this steep growth emphasizes the importance of closely managing this growing risk as more vulnerabilities are exposed.

Threat Actors Target Cracks in the Armor

Public API policies represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured Application Programming Interface (APIs) based on analysis of X-Force Incident Response data of impacted clients. 

Michelle McLean, Vice President at Salt Security, a Palo Alto, Calif.-based provider of API security, says, “APIs are the heart of applications, powering business functionality and serving up data. In the current Q3 State of API Security report, Salt Labs found that API traffic had increased 141% in the past six months while malicious API traffic increased a whopping 348%. And 94% of respondents had experienced an API security incident in the past 12 months.

“Perhaps the clearest indicator that this market has reached a tipping point comes in recent Gartner research. In its August 25, 2021, report entitled “Advance your PaaS Security,” Gartner modified its long-standing security reference architecture to add a distinct pillar dedicated to API security. For years, Gartner noted three components to securing services:

• WAF, WAAP, API gateway, and CDNs for edge security
• CWPP for data-plane security
• CSPM for control-plane security

“Over those years, Gartner nested API security under the WAF/WAAP pillar. In its verbiage, the firm would acknowledge that some organizations might need dedicated API security. But the “picture” didn’t show it separately. By adding API security as a standalone core element of this security reference architecture, Gartner has acknowledged that protecting APIs requires dedicated API security tooling.

“This explosive growth in the API security market brings both good news and bad news for buyers. On the upside, customers gain choices, and competition should improve product capabilities. On the downside, separating signal from noise gets harder as the noise gets louder and more voluminous, so organizations will need to dig in and better evaluate both the technical capabilities as well as the customer penetration and success each platform delivers.”

In addition, one of the top attack vectors X-Force observed targeting cloud was threat actors pivoting from on-premises environments into cloud environments. This lateral movement was seen in almost a quarter of incidents X-Force responded to in 2020.

IBM estimates that over half of breaches to cloud environments occurred due to “shadow IT,” emerging via unauthorized systems spun up against security policies that likely lacked vulnerability and risk assessments, as well as hardened security protocols.

Cryptominers and ransomware remain the top dropped malware into cloud environments, accounting for over half of detected system compromises based on the data analyzed. Threat actors continue to pursue clouds in their malware development, with new variants of old malware focusing on Docker containers and new malware written in programming languages, like Golang, that run cross-platform.

 APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain, says Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based application security provider. He adds, “Organizations are now one vulnerable API call away from a potential major breach. An underlying challenge that gets obscured is that APIs today are facades to legacy systems that were never designed to be online or used in an integrated B2B or B2C setting. By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives. This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issued in the controlled trusted zones the legacy systems were designed to operate in.”