In the hit-sixties sci-fi movie The Andromeda Strain, a microbe forcibly enters a spaceship en route to Earth, and proceeds to infect the hapless population of Arizona, causing immense damage. The movie is considered the forerunner to many similar movies, working around the same theme of interstellar spaceships being invaded by hostile viruses residing in space. It is a theme that resonates with ufologists, who use the opportunity to endorse the adage that there is ‘life out there.’
Whatever truth this claim holds, one thing is certain for the cyberworld. Worms and viruses once thought to only cause stage on-prem disruptions, are very much a reality that is now proliferating in the cloud.
Cloud vs Cloud-native
When discussing cloud-native worms, it is pertinent to look first at the meaning of cloud and cloud-native, terms that are often confused with each other. In reality, they are different. The cloud or cloud computing (1) as it is sometimes known, is the delivery of:
- hardware and servers
- storage
- databases, and
- applications
These are availed by organizations and individuals via the web. Cloud services are provided by cloud service providers like Amazon Web Services, Google Cloud (2), or Microsoft Azure, which charge users based on the services availed by them.
Cloud-native on the other hand is the architecture associated with the running of scalable applications that are built on cloud-based services and delivery models. Cloud-native applications are built on top of the cloud’s infrastructure and leverage their dynamic and distributed nature that benefits users in terms of agility, scalability, reliability, and cost efficiency. Applications generally include
- Containerisation: which is storing an application and its dependencies in a self-contained unit that is compatible with any platform
- Microservices: which fragment services into smaller distinctive pieces to help manage complexity and improve the speed, agility, and scale of software delivery
- Automation: to achieve speed in operation, avoiding repetitive tasks
- Orchestration: which aims at providing an optimal workflow for automated activities of various processes to deliver the desired service
Cloud-native worms and how they work
Cloud-native worms (3) have been defined as viruses that use automated scripts that exploit vulnerabilities and misconfigurations in cloud environments to carry through a range of actions from reconnaissance to exploitation, and persistence. They need only minimal manual intervention and possess the capability to compromise multiple cloud containers, or other cloud assets, in a single automated attack.
Residing in cloud containers, these worms are often of a self-replicating variety (4), which in a way contributes to their name. Their spread is attributed to the popularity and wide usage of container platforms by organizations.
Typically, attackers attempt “hooking” into Application Programming Interfaces (APIs) exploiting vulnerable drivers. Worms need a single point of entry to cause damage over a wide area. Misfigured APIs serve as easily-identifiable attack surfaces for worms. Once the breach is effected, bad actors use an organization’s own cloud-based resources to further the attack, incognito.
On the rise
Cybersecurity experts are bemoaning their increase. Cloud security experts say that attackers are constantly finding new ways to perpetrate their attacks on environments, leveraging multiple attack components on established container platforms like Kubernetes, Docker, and OpenShift. Cryptominers – the malware that is deployed for cryptocurrency hacks on the cloud – leads the attack list, but reports say that other areas are also potential targets, considering finds of other worms like backdoors, rootkits, and credential seekers. Aqua Security (5) provides a disturbing statistic – nearly 51% of images in the container orchestration platform Kubernetes had worms. Further, both attacks via backdoors and worms are showing no signs of abating. Silentbob (7), perhaps the most infamous of worm attacks believed to have been unleashed by the shadowy hacker group TeamTNT in 2023 on cryptocurrency environments, was found to have affected multiple cloud technologies.
Dealing with the threat
Dealing with cloud-native worms is not easy due to the challenges inherent in cloud-native applications. These include limiting factors such as the requirement of sophisticated tools and processes to deal with distributed and moving cloud elements, huge costs involved, unavailability of suitable skill sets, inadequate internal risk management, and internal resistance including senior-level buy-in to assimilating and implementing cloud-native technologies and benchmark DevOps practices.
Organizations using the cloud would be well-advised to:
- Commission the services of professional Cloud Security Posture Management services
- Look for API vulnerabilities
- Review their infrastructure configuration
- Seriously review their access rights to users
- Install systems that identify malware
Experts are convinced that Drift Prevention – the process of ensuring the data elements in the cloud container do not move and thereby become unstable – is the best-known way presently to curb worm attacks. Forbes (6) is convinced that the high degree of immutability, visibility, and transparency is the key to effective working in the cloud – something that is best achieved by Drift Prevention.
Conclusion
In 2023, Forbes had predicted that cloud-native would see many significant changes for the better. For one, CISOs were expected to step up actions to ensure greater safety levels. It is a prediction that is seeing the light of day. Experts say that the only sure way for organizations to fortify their defenses is for them to have a complete understanding of the threats and impact involved, and take the necessary steps to roll out a consolidated cloud-native strategy.
In the closing stages of The Andromeda Strain, as efforts to control the damage caused by it gather momentum, the micro-organism mutates and escapes to the atmosphere, to live another day.
Cloud-native worms however, are going nowhere. If anything, they are going to multiply and carry out even more mayhem. It is up to organizations to ensure their cloud journeys remain secure and resilient, by adopting the right counter-measures.
References:
- Cloud Computing vs. Cloud Native: The Difference Revealed! (container-solutions.com)
- What Is Cloud Native | Google Cloud
- (27) Heard of cloud worms? This is why you should care… | LinkedIn
- 2024 Cybersecurity Predictions: Changes in the Attack Landscape (bitdefender.com)
- 2022 Cloud Native Threat Report: Key Trends in Cyber Attacks (aquasec.com)
- Data Transparency And Observability: Why Data Observability Keeps Data Healthy And Businesses On Track (forbes.com)
- Silentbob worm attack targets multiple cloud technologies | CSO Online
