News of the mass exploitation of ownCloud customers as a result of a zero-day vulnerability follows revelations earlier this month of a critical security vulnerability in Microsoft’s Azure cloud platform.
Reports of gaping security flaws in cloud services come at a bad time for cloud service providers in general and Microsoft in particular. The Seattle-based computing giant is currently doing its utmost to persuade the US, UK, and Australian governments that its Azure Government Cloud is the best way for the AUKUS trio to securely update cross-border information and enhance mutual collaboration. This might prove problematic for Microsoft, whose Azure platform was recently proven to have a critical vulnerability, and some of whose government clients suffered a series of serious breaches earlier this year.
News this month of the critical vulnerability in Microsoft’s Azure cloud platform follows revelations earlier in the year that China-based hacking group Storm-0558, which mainly targets government agencies for espionage and data theft, gained access to email accounts that Microsoft provides to 25 organizations in the public cloud, including government agencies.
All these breaches point to a basic flaw in cloud computing as far as government agencies and other organizations safeguarding important data are concerned. As recently as last year, the logic behind cloud security seemed obvious and largely irrefutable: only giant service providers such as Microsoft, Google, and Amazon, it was believed, had the technical resources to stay truly on top of cybersecurity in a way that would ensure protection against constantly evolving threats.
The bigger the cloud, the bigger the target
What this argument failed to take into account is that the more comprehensive a cloud platform is and the more important its users are, the greater the target it becomes for cybercriminals. It may be that Big Tech has drastically underestimated its cyber opponents. Chinese hacking group Storm-0558 is only one of many extremely well-resourced groups based in potentially hostile states such as China, Russia, North Korea, and Iran that enjoy nation-state backing and have access to the very latest cyber tools. China alone is known to have at least two military regiments of full-time hackers dedicated to cyber espionage and intellectual property theft, and North Korea is known to be funding its ambitious missile program mainly through the proceeds from international cybercrime.
And, of course, the larger the cloud platform becomes, the more potential entry points it creates for skilled and determined threat actors based outside Western jurisdictions. Real-time monitoring of so many possible entry points soon becomes a practical impossibility, as evidenced by the recent breaches. For example, it appears to have been up to cyber-intelligence firm Greynoise to raise the alarm with ownCloud’s customers after observing mass exploitation by threat actors. According to sources close to the situation, there are also unverified reports of users having their data wiped and receiving threats from ransomware group LockBit. Similarly, the vulnerability in Microsoft Azure cloud was identified earlier this year by a security researcher working at cloud security specialist Prisma Cloud in Palo Alto, California.
Governments around the world and organizations with sensitive data or valuable intellectual property to protect should now be weighing the undoubted efficiencies and economies of scale offered by the leading cloud providers against their duty to protect not only their own mission-critical data but also their country’s long-term strategic interests.