Executive Summary
In a review of recently observed attack methods, Insikt Group identified five attack vectors that currently pose the greatest potential threat to cloud environments. Three of these attack methods, vulnerability exploitation, endpoint misconfiguration, and credential abuse leading to account takeover, can grant threat actors initial access. In certain circumstances, these three attack methods can also be employed following initial access to gain increased permissions within a cloud environment, modify the cloud environment, and allow lateral movement, either to additional cloud environments, traditional on-premise environments, or user devices. The two remaining attack methods, cloud abuse and cloud ransomware, demonstrate impact actions threat actors can perform within a cloud environment.
Hunting for each of these threats often requires the implementation of robust logging within cloud environments to ensure that data such as network communications, user access, and cloud service usage metrics can be readily accessed and scrutinized for aberrations. Log data assists in both proactive discovery of suspicious activity originating at the edge of cloud environments, such as in instances where misconfiguration and vulnerability scanning occur, and in identifying instances where cloud accounts and resources are abused for malicious purposes.
To mitigate threats from impacting cloud environments, proper configuration of the environment is paramount, both at the edge of the cloud environment, including the methods by which users and services interact with the environment, and within the environment itself. Cloud environments that are configured appropriately minimize the risk of initial access and can significantly limit the malicious actions a threat actor is capable of performing post-initial access. Additionally, the most common cloud platforms provide native services focused on security for cloud environments, such as web application firewalls (WAF), identity and access management (IAM) services, secrets storage and management suites, and secure data connectors for hybridized cloud environments, that allow cloud architects to mitigate the threats discussed in this report with relative ease.
Key Findings
- Most initial compromises start with exposed or misconfigured cloud endpoints, with attackers using open‑source scanners to identify misconfigured endpoints.
- Stolen or weak credentials, often gathered from initial access brokers (IABs) and previous malicious actions performed by the attacker, remain the fastest path to full‑tenant cloud takeover.
- Threat actors increasingly abuse legitimate SaaS and IaaS resources, shifting costs to the owners of victimized environments and abusing resources to complicate the detection of follow-on malicious actions, such as phishing campaigns.
- Ransomware groups have adopted cloud‑native tactics, encrypting S3 and Azure storage directly and disabling backups to maximize leverage.
- Hybrid infrastructure lets attackers pivot seamlessly between on‑premise and multi‑cloud environments, so visibility and controls must extend beyond the cloud environment to the devices and services that access it.
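To make the log-based hunting described in the Executive Summary and the behaviours listed in the Key Findings concrete, the following added example (written for this page; it is not code from Recorded Future or the Insikt Group report) runs three simple hunting rules over constructed CloudTrail-style audit records: API calls that remove or weaken recovery options (the "disabling backups" step noted in the ransomware finding), console logins from a source address outside an assumed known-good baseline (credential abuse leading to account takeover), and bursts of compute provisioning by a single principal (resource hijacking under cloud abuse). The record layout follows CloudTrail field names, but the account ID, principals, addresses and bucket names are made up, the baseline of known-good IPs is an assumption a real deployment would build from historical logs, and the burst window and threshold are illustrative values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real telemetry). Field names follow the
# CloudTrail record layout; account ID, principals, IPs and bucket names are invented.
SAMPLE_LOG = """
{"eventTime":"2025-01-15T08:02:11Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":null}
{"eventTime":"2025-01-15T09:00:00Z","eventName":"PutBucketVersioning","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"bucketName":"finance-backups","VersioningConfiguration":{"Status":"Enabled"}}}
{"eventTime":"2025-01-15T22:14:03Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":null}
{"eventTime":"2025-01-15T22:16:20Z","eventName":"PutBucketVersioning","eventSource":"s3.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"finance-backups","VersioningConfiguration":{"Status":"Suspended"}}}
{"eventTime":"2025-01-15T22:17:05Z","eventName":"DeleteBackupVault","eventSource":"backup.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"backupVaultName":"finance-vault"}}
{"eventTime":"2025-01-15T22:20:00Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"g5.xlarge"}}
{"eventTime":"2025-01-15T22:21:10Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"g5.xlarge"}}
{"eventTime":"2025-01-15T22:22:05Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"g5.xlarge"}}
{"eventTime":"2025-01-15T22:23:30Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"g5.xlarge"}}
{"eventTime":"2025-01-15T22:24:15Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"g5.xlarge"}}
"""

ALICE = "arn:aws:iam::111122223333:user/alice"

# Assumed known-good baseline: source IPs each principal used during a trusted period.
# A real deployment would derive this from historical logs rather than hard-code it.
KNOWN_GOOD_SOURCES = {ALICE: {"203.0.113.10"}}


def parse_events(raw_log):
    """Parse newline-delimited JSON records and attach a parsed timestamp."""
    events = []
    for line in raw_log.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def principal(ev):
    return (ev.get("userIdentity") or {}).get("arn", "unknown")


def backup_weakening(events):
    """Rule 1: calls that delete recovery data or suspend object versioning.
    Re-enabling versioning (Status Enabled) is not flagged."""
    hits = []
    for ev in events:
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name in {"DeleteBackupVault", "DeleteRecoveryPoint"}:
            hits.append(ev)
        elif name == "PutBucketVersioning":
            status = (params.get("VersioningConfiguration") or {}).get("Status")
            if status == "Suspended":
                hits.append(ev)
    return hits


def logins_from_unknown_sources(events, baseline):
    """Rule 2: console logins from an address the principal has not used before."""
    return [
        ev for ev in events
        if ev["eventName"] == "ConsoleLogin"
        and ev["sourceIPAddress"] not in baseline.get(principal(ev), set())
    ]


def compute_bursts(events, event_name, window, threshold):
    """Rule 3: sliding window per principal; returns {principal: max calls seen
    inside any window of length `window`} for principals reaching `threshold`."""
    per_principal = defaultdict(list)
    for ev in events:
        if ev["eventName"] == event_name:
            per_principal[principal(ev)].append(ev["_ts"])
    bursts = {}
    for who, times in per_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[who] = max(bursts.get(who, 0), count)
    return bursts


def hunt(raw_log, baseline, burst_window=timedelta(minutes=10), burst_threshold=5):
    """Run all three rules and return a compact, reviewable summary."""
    events = parse_events(raw_log)
    return {
        "backup_weakening": [(ev["eventTime"], ev["eventName"]) for ev in backup_weakening(events)],
        "unknown_source_logins": [(ev["eventTime"], ev["sourceIPAddress"])
                                  for ev in logins_from_unknown_sources(events, baseline)],
        "compute_bursts": compute_bursts(events, "RunInstances", burst_window, burst_threshold),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG, KNOWN_GOOD_SOURCES), indent=2))
```

Each rule is deliberately narrow so that its output can be reviewed by hand; in practice they are tuned per environment (which API calls count as weakening recovery, how the login baseline is built, and what provisioning rate is normal for a given role), and a hit on one rule is most useful when correlated with the others, as the constructed records show: an unfamiliar login is followed minutes later by versioning being suspended, a backup vault being deleted, and a run of instance launches from the same address.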
Introduction
During the past decade, a steady shift from traditional on-premise IT infrastructure to cloud-based infrastructure and hybrid cloud infrastructure has taken place. According to PwC’s 2023 Cloud Business Survey, 39% of private respondents stated that the entirety of their operations had been moved to cloud environments. Cloud computing has become a trusted and integral part of many corporations’ day-to-day operations. Since the time of PwC’s reporting, cloud computing as an industry has only grown with no signs of slowing.
The breadth of cloud products and the depth of services provided by cloud environments continue to grow daily. In a joint study conducted by Amazon and Telecom Advisory Services, cloud adoption accounted for a total of $1 trillion in the global gross domestic product, with a projected increase to $12 trillion between 2024 and 2030. This estimate indicates that traditional computing environments will continue to migrate to cloud environments rapidly in the coming years, and that demand for cloud computing resources will continue to increase for the foreseeable future.
The success of cloud computing can be squarely attributed to the benefits that adopters are provided. When properly configured, cloud environments allow their adopters to shift costs associated with traditional on-premise environments, provide high availability for remote assets, and eliminate development overhead by gaining access to managed services. As cloud providers continue to offer additional services and products that make similar offerings for traditional environments less effective from cost and operational perspectives, cloud adoption will only continue to grow in the future.
Background
Cloud technologies, platforms, and services are increasingly implemented into corporate structures, providing all of the benefits of traditional on-premise environments while reducing costs associated with an on-premise environment in nearly every conceivable way. This relationship was demonstrated in PwC’s “2024 Cloud and AI Business Survey,” which reported that, out of a survey of 1,000 companies that implemented cloud technologies, 74% of the surveyed companies that have optimized their cloud environments reported increased profitability, and 65% of the same respondents reported increased cost savings. While these benefits are highly appealing to corporations, cloud environments pose unique risks and security challenges, challenges that require a fresh approach to cybersecurity to mitigate properly.
The advancement of cloud environments has also increased the number of network-accessible endpoints that an organization must monitor and defend. In instances where large enterprise entities have fully migrated their operations to cloud environments, the endpoints required to facilitate user access, deploy web applications, support data transfer, and provide many other kinds of access on a day-to-day basis add up quickly and create a diverse boundary that is constantly interacting with the broader internet. The technologies that interface with and are embedded within this boundary pose unique risks and security challenges. Looking inward, similar issues persist, with cloud defenders requiring a fresh understanding of how cloud environments can be effectively architected to provide the benefits of a cloud environment without allowing undue access to sensitive information and control over mission-critical assets hosted in these environments.
As Insikt Group discusses in this report, threat actors have become increasingly aware of the security challenges cloud defenders must address, as well as the opportunities that cloud technologies, environments, and services afford them. The overwhelming amount of data, applications, systems, and other assets hosted on cloud environments, coupled with the task of defending these assets, provides threat actors with novel opportunities to compromise information, abuse environment resources, and profit from illicit activities in ways previously unattainable in on-premise environments. Additionally, threat actors have begun to understand the usefulness of cloud resources as part of an attack chain, realizing they are afforded all of the same benefits of legitimate cloud users, with the added benefits of anonymity and reduced detection capabilities in a way that is unobtainable with traditional infrastructure.
Understanding the threat posed by these adversaries, this report was created to shed light on the most impactful and emerging tactics, techniques, and procedures (TTPs) displayed by threat actors that target and abuse cloud environments. In doing so, it aims to provide an understanding of how threat actors are impacting and abusing cloud environments at a granular level, as well as how to mitigate these threats and hunt for indicators of compromise associated with them so that cloud defenders are better able to identify and respond when necessary.
Methodology
This report identifies five main threats to cloud environments, each of which is explored in its respective section:
- Cloud Abuse
- Exploitation
- Endpoint Misconfiguration
- Cloud Ransomware
- Credential Abuse and Account Takeover
Each section includes radar charts that measure the following attributes associated with a given threat. Insikt Group derived these ratings by investigating instances in which the threat vector was observed and answering the following questions:
- Cost of Impact: How much would this threat cost a victim in terms of monetary, reputational, and operational losses? In the radar chart, the higher the number, the higher the cost the victim can expect to incur monetarily, reputationally, operationally, or otherwise.
- Commonality: How often is this threat vector observed in attack chains against cloud environments in the wild? In the radar chart, the higher the number, the more likely a cloud defender is to observe this behavior in their own environment.
- Evolution Potential: What is the potential for threat actors to further “evolve” this attack vector in terms of new tools, attack methods, and TTPs that can be employed to achieve this threat vector? In the radar chart, the higher the number, the more likely it is threat actors will be able to perform actions demonstrating this threat in ways previously unobserved, thus complicating detection of the behavior.
- Effort to Perform: What are the technical and monetary costs associated with performing this threat vector? In the radar chart, the higher the number, the greater the barrier for an attacker to demonstrate this threat against a cloud environment, generally in terms of monetary cost or technical capability.
Threats To Cloud Environments
Cloud Abuse
Key Takeaways
- Attackers registered their own cloud infrastructure to host malicious content and exfiltrate stolen data to their own cloud environments.
- Uses for compromised cloud environments varied heavily and were determined by the responsible threat actor’s goal or proficiency.
Figure 1 illustrates and compares attributes associated with cloud abuse. A description of each attribute can be found in the Methodology section of this report.

Cost of Impact: 4 (High)
Attacks where threat actors abuse victim cloud environments are highly costly, whereas instances where threat actors register and abuse legitimate services are comparatively less costly. In both instances, threat actors are able to masquerade as legitimate entities, leading to reputational losses for the abused environment and owner. Instances where threat actors abuse compromised victim cloud infrastructure often result in increased costs to the owner of the cloud environment.
Commonality: 4 (High)
Abuse of legitimate cloud infrastructure registered by a threat actor is very common, whereas abuse of compromised victim cloud infrastructure is comparatively less common. Many observed attacks against cloud infrastructure include threat actors attempting to gain control of cloud services for follow-on actions at some point, indicating that this type of threat remains common with respect to other cloud threats.
Evolution Potential: 4 (High)
Within the past year, threat actors have demonstrated a plethora of ways in which cloud abuse can be achieved and then leveraged to perform malicious actions. Additionally, novel techniques such as “LLMjacking,” where threat actors sell access to compromised, cloud-hosted LLMs, indicate that threat actors are continuously considering how to monetize the abuse of cloud services, forecasting an increase in cloud service abuse in the future.
Effort to Perform: 3 (Moderate)
Both the abuse of legitimately registered cloud infrastructure and compromised victim cloud infrastructure pose moderate difficulties to threat actors. In the former threat type, attackers must determine how to register for larger cloud platforms anonymously and conduct malicious actions without being detected, all while paying for the environment. In the latter threat type, threat actors are only able to abuse victim cloud infrastructure after adequately compromising cloud services and systems that are necessary for them to achieve their overarching goals.
Threat Summary
The term cloud abuse refers to two overarching behaviors threat actors have displayed when targeting cloud environments:
- Abuse of legitimate cloud infrastructure obtained by a threat actor to perform malicious activities
- Abuse of legitimate cloud infrastructure owned by a victim a threat actor compromises to perform malicious activities
In both instances, threat actors abuse legitimate cloud infrastructure for nefarious purposes; however, the behaviors demonstrated by threat actors in each of these scenarios differ significantly. In the former example, threat actors will mainly abuse these resources to appear as part of legitimate traffic and remain anonymous; this behavior is often used to carry out phishing campaigns, host malicious content, and act as part of the threat actor’s command-and-control (C2) infrastructure. In the latter example, threat actors may still abuse the cloud environment to masquerade as a legitimate entity, but they may also hijack the environment’s resources, shifting costs to the environment’s owner. In such an instance, additional actions such as cryptojacking and a more recent technique, LLMjacking, may occur and result in inflated monetary costs.
Outlook
Threat actors will almost certainly continue obtaining their own cloud infrastructure for several reasons:
- Threat actors are afforded all of the same benefits legitimate cloud users are provided, in addition to anonymizing factors that aid in malicious actions (see Figure 2).
- It is relatively easy to obtain cloud infrastructure from CSPs without extensive scrutiny from the provider, allowing attackers to create extensive cloud environments without suspicion.
- Abuse of legitimately registered cloud environments is often identified reactively following malicious actions originating from the environment, indicating that CSPs do not have a reliable method of detecting cloud abuse prior to victim compromise.
- Threat actors are easily able to pivot from one cloud provider to another and are able to mask their identities while performing malicious actions when abusing cloud resources.
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/cloud-threat-hunting-defense-landscape