Cloud security breaches surge on a wave of stolen credentials
Cloud security attacks are growing in both scale and intensity, according to new research from CrowdStrike, with threat actors leveraging stolen credentials to devastating effect
Security experts have warned of a concerning rise in cloud security attacks over the last year as threat actors ramp up attempts on cloud-based systems using stolen credentials.
Cloud computing adoption across business continues to rise, but firms are not doing enough to protect these systems against attackers who are often using legitimate - but stolen – account details, according to CrowdStrike.
“Cloud adoption is exploding as companies realize the potential for innovation and business agility that the cloud offers. Due to this growth, the cloud is rapidly becoming a major battleground for cyber attacks,” the firm said in its 2024 global threat report.
“Businesses need full cloud visibility, including into applications and APIs, to eliminate misconfigurations, vulnerabilities and other security threats,” it said.
According to CrowdStrike, cloud environment intrusions increased by 75% from 2022 to 2023, with an even bigger rise in incidents where the attackers were able to take advantage of cloud features for their own purposes.
Cyber crime group Scattered Spider was specifically highlighted as a notable threat group with regard to cloud attacks.
“Throughout 2023, Scattered Spider demonstrated progressive and sophisticated tradecraft within targeted cloud environments to maintain persistence, obtain credentials, move laterally and exfiltrate data,” CrowdStrike said.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
The security company said attackers mostly relied on valid credentials to achieve their initial access. These are credentials acquired in any number of ways, perhaps by accidental leakage, brute-force attacks, phishing and social engineering, or via access brokers (who gain access to systems in order to sell on), or insecure self-service password-reset services.
The CrowdStrike research aligns closely with a recent study from IBM, which also found the abuse of valid accounts is on the increase.
“As defenders increase their detection and prevention capabilities, attackers are finding that obtaining valid credentials is an easier route to achieving their goals”, IBM revealed.
It said cloud account credentials make up 90% of the for-sale cloud assets on the dark web, making it “easy for threat actors to take over legitimate user identities to establish access into victim environments”.
Using stolen credentials, threat actors often attempt to escalate privileges to gain greater access, perhaps by modifying policies or adding identities to privileged groups or roles. For example, during an intrusion at a software company, Scattered Spider attackers escalated their privileges by attaching a new administrator access policy to an existing cloud user.
Attackers have also been known to harvest credentials from password stores and were also spotted moving back and forth between on-prem and cloud environments.
Scattered Spider attackers often used their access to Microsoft 365 environments to search for VPN set-up instructions which they then used to log onto the VPN and move across on-premise servers too. They were also spotted using the open source S3 browser to exfiltrate data to a cloud storage bucket they controlled.
Some hackers are also learning as they go along. CrowdStrike said that in February last year it responded to a ransomware incident where the attackers exfiltrated credentials from cloud-based credential manager Azure Key Vault.
Logs show that the ‘Indrik Spider’ attackers also visited ChatGPT while interacting with the Azure Portal, presumably in an attempt to understand how to navigate in Azure, as well as browsing search engines and searching on GitHub.
“Using search engines and visiting ChatGPT indicate that though Indrik Spider is likely new to the cloud and not yet sophisticated in this domain, it is using generative AI to fill these knowledge gaps,” CrowdStrike said.
Cloud security attacks are gaining pace
The CrowdStrike report also found that attackers are moving faster, wherever they find a breach.
After gaining their initial access to a network, adversaries want to move on from that first compromised device. The time it takes for them to do this – the “breakout time” — is key because the first device the attackers land on is rarely the one they need to achieve their goals, whether that’s stealing data or deploying ransomware.
For defenders, then, reacting within the breakout time window can stop an attack before it has a chance to get established. However, that window is shrinking.
CrowdStrike said the average breakout time decreased from 84 minutes in 2022 to 62 minutes in 2023. The fastest observed breakout time was only 2 minutes and 7 seconds.
More generally, how attackers get into networks in the first place is changing too.
Nearly 90% of attack time was dedicated to breaking in and gaining access. By reducing or eliminating this time, attackers can free up resources for more attacks.
As a result, they are moving away from malware toward quicker ways of gaining access – like phishing, social engineering, and exploiting vulnerabilities. Malware-free attacks accounted for 75% of detections in 2023 — up from 71% in 2022.
Defending against this shift in attacks is challenging. CrowdStrike said companies need to implement phishing-resistant multifactor authentication and extend it to legacy systems.
“Addressing sophisticated access methods such as SIM swapping, MFA bypass and the theft of API keys, session cookies and Kerberos tickets requires proactive and continuous hunting for malicious behavior,” it warned.
Companies also need to have a better understanding of their cloud infrastructure.
“Adversaries often use valid credentials to access cloud-facing victim environments and then use legitimate tools to execute their attack, making it difficult for defenders to differentiate between normal user activity and a breach,” the security firm said.
“To identify this type of attack, you need to understand the relationship between identity, cloud, endpoint and data protection telemetry, which may be in separate systems.”
Earlier this year, a separate survey found a 72% increase in cloud infrastructure incidents across 2023, with stolen or leaked credentials responsible for two-in-five incidents.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.