How hackers target the cloud


There’s never been a more important time to understand how hackers target the cloud. While the cost and scalability benefits of the cloud are undeniable, it’s also a vast attack surface that opens any firm - regardless of size, industry, or even geographical location - up to the interest of hacking groups. 

Almost every business now has a cloud environment to worry about, with PwC’s 2023 Cloud Business Survey finding that 78% of business executives had extended cloud across the majority or the entirety of their business. With this in mind, leaders must know the main avenues of attack for the cloud and the myriad strategies threat actors may explore to breach, infect, or destroy their valuable cloud assets.

A chain is only as strong as its weakest link, and when it comes to valuable cloud assets it really is imperative that leaders know where and how their attack surface can come under strain.

Vulnerabilities leave the door unlocked

Extending the metaphor of that weak link, existing vulnerabilities within a business’ cloud environment are the first port of call for any hacker.

Cloud misconfiguration is of particular concern, as it could allow sensitive data to be leaked onto the public internet, or allow hackers to enter systems outright without the need for authorized access.

In Splunk’s State of Security 2024 report, misconfigured systems were identified as the most frequent threat vector, with 38% of attacks arising from these mistakes. These user errors can be simple to overlook but enable serious attacks on the cloud.

For example, Home Depot recently suffered a data breach that arose from a misconfigured software as a service (SaaS) application and researchers have discovered misconfigured access controls within NetSuite’s SuiteCommerce which could allow hackers to steal customer data. 

Misconfigurations are the path of least resistance for hackers – once identified, threat actors can launch successful attacks in less than ten minutes.

To stay ahead of the threat, it’s important that IT teams keep a close eye on cloud configurations, using third-party tools if necessary to help them monitor potential weak points and close gaps in their defensive wall before hackers take notice.
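The kind of configuration check the paragraph above has in mind, written out as an added example (this is not code from the article or from any vendor tool). It scans a set of constructed bucket policy documents laid out in the shape of an AWS S3 bucket policy and reports any Allow statement that grants access to the anonymous principal `*` without a Condition block narrowing it; the bucket names, account ID and VPC endpoint ID are made up for the example.

```python
"""Scan bucket policies for statements that expose data to the public internet.

The policy documents below are constructed samples in the shape of an
AWS S3 bucket policy (Effect / Principal / Action / Resource / Condition).
The scan is deliberately conservative: an Allow statement whose principal
is the wildcard "*" (or {"AWS": "*"}) and that carries no Condition block
is reported as public. Statements with a Condition are left for review.
"""
import json

# Constructed sample policies (bucket names and IDs are invented for this example).
SAMPLE_POLICIES = {
    "reports-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"}
        ],
    }),
    "backups-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountOnly", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111111111111:role/backup"},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::backups-bucket/*"}
        ],
    }),
    "cdn-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OriginOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cdn-bucket/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
        ],
    }),
    "wide-open-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Everything", "Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::wide-open-bucket", "arn:aws:s3:::wide-open-bucket/*"]}
        ],
    }),
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the statement's principal is the wildcard (anyone on the internet)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return the Allow statements that grant access to the anonymous principal
    with no Condition block narrowing who can use them."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition may still be too loose, but it is not an unconditional
            # grant; leave those for manual review rather than flagging as public.
            continue
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": _as_list(stmt.get("Action", []))})
    return findings


def scan_buckets(policies):
    """Map bucket name -> list of public findings, omitting clean buckets."""
    report = {}
    for name, doc in policies.items():
        hits = find_public_statements(doc)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for bucket, hits in scan_buckets(SAMPLE_POLICIES).items():
        for hit in hits:
            print(f"{bucket}: statement {hit['sid']} allows {hit['actions']} to anyone")
```

Run on the samples, the scan reports `reports-bucket` and `wide-open-bucket`; `cdn-bucket` is skipped because its wildcard grant is conditioned on a VPC endpoint, and `backups-bucket` because its principal is a specific role. In a real environment the policies would come from the provider's API rather than a dictionary, and the same logic would also be applied to ACL grants and account-level public access settings.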

Attacks driven by subterfuge

An effective attack vector for targeting the cloud is credential theft. Login details for company accounts can be obtained directly through data breaches, found on hacking forums in the wake of a breach, or stolen through targeted social engineering and phishing attacks on employees.

Credential theft can be especially difficult to detect because attackers will appear to be legitimate users. Identifying which accounts have been subject to credential theft can range from the simple step of checking whether users have been implicated in recent data breaches to the trickier task of identifying which user accounts are exhibiting anomalous behavior.

One of the main ways in which businesses can combat this threat is via identity management protocols as well as through investing in identity and access management (IAM) solutions. These can automatically identify anomalous behavior and be used by security teams to strip users of certain privileges from a central console.
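To make the "anomalous behavior" idea concrete, here is an added example (not code from the article or from any IAM product) that runs two simple rules over constructed sign-in records: a successful login from a country the account never used during a baseline period, and two successful logins from different countries closer together than a plausible travel time. The log layout, the two-hour travel window and the baseline cutoff date are assumptions made for the example.

```python
"""Flag sign-ins that look like a stolen credential in use.

The sign-in records below are constructed for this example; the field layout
(timestamp, user, source IP, country, outcome) is an assumption modelled on
what a cloud identity provider's audit log typically exposes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: ISO timestamp, user, source IP, country, outcome.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice 203.0.113.10 GB success
2024-03-02T08:05:40Z alice 203.0.113.10 GB success
2024-03-03T09:11:02Z bob 198.51.100.7 US success
2024-03-04T08:00:19Z alice 203.0.113.11 GB success
2024-03-10T03:14:55Z alice 192.0.2.200 BR success
2024-03-10T03:40:12Z alice 203.0.113.10 GB success
2024-03-11T14:22:08Z bob 198.51.100.7 US success
2024-03-11T14:30:00Z bob 192.0.2.77 RU failure
2024-03-12T10:00:00Z carol 198.51.100.9 US success
"""

BASELINE_END = datetime(2024, 3, 8)   # assumption: logins before this date define "normal"
TRAVEL_WINDOW = timedelta(hours=2)    # assumption: a country change faster than this is implausible


def parse_log(text):
    """Parse the whitespace-separated records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events, cutoff):
    """Countries each user successfully signed in from before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["time"] < cutoff and e["outcome"] == "success":
            seen[e["user"]].add(e["country"])
    return seen


def detect_anomalies(events, baseline, cutoff, window):
    """Return (user, rule, time, detail) tuples for suspicious successful logins."""
    alerts = []
    last_success = {}  # user -> most recent successful event seen so far
    for e in events:
        if e["outcome"] != "success":
            continue  # failed attempts are handled by lockout rules, not here
        if e["time"] >= cutoff:
            known = baseline.get(e["user"], set())
            # An account with no baseline (new joiner) is not judged by this rule.
            if known and e["country"] not in known:
                alerts.append((e["user"], "new_country", e["time"], e["country"]))
            prev = last_success.get(e["user"])
            if prev and prev["country"] != e["country"] and e["time"] - prev["time"] < window:
                alerts.append((e["user"], "impossible_travel", e["time"],
                               f"{prev['country']}->{e['country']}"))
        last_success[e["user"]] = e
    return alerts


def run_detection(log_text=SAMPLE_LOG, cutoff=BASELINE_END, window=TRAVEL_WINDOW):
    events = parse_log(log_text)
    return detect_anomalies(events, build_baseline(events, cutoff), cutoff, window)


if __name__ == "__main__":
    for user, rule, when, detail in run_detection():
        print(f"{when:%Y-%m-%d %H:%M} {user}: {rule} ({detail})")
```

On the sample data both alerts land on `alice`: a first-ever login from BR, followed 26 minutes later by a login from GB. `bob`'s failed attempt from RU is ignored by these rules, and `carol` has no baseline so the new-country rule does not judge her. In practice the baseline would be rebuilt continuously and the alerts fed to the IAM console where, as the paragraph above notes, the team can revoke sessions or privileges centrally.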

Just because your organization hasn’t been noticeably breached doesn’t mean that it’s safe. Some threat groups choose to quietly breach firms and then skulk in their IT estates for years.

During this time, hackers gather data on users to identify who has privileged access, what behaviors will and will not fly under the radar, and the times of day that their victim will be most vulnerable to attack.

Attackers can benefit from entering systems as quietly as possible to do more damage down the line, using the interim to collect more information or identify potential vulnerabilities that they can exploit to steal valuable information or disrupt cloud services.

Once attackers have breached an enterprise cloud environment, they are often able to move laterally throughout systems to wherever their attacks will do the most damage. 

It's in situations like these that businesses can benefit from zero trust network access (ZTNA), in which no one user profile is treated as automatically safe as a matter of policy. 

Malware and other forceful attacks

Once inside a network, attackers will often seek to spread malware, and cloud ransomware in particular is a top threat to businesses. 

One of the main reasons hackers will target the cloud with ransomware is because it makes for excellent leverage with which to pry a payment from their victims. Not all businesses may choose to pay the ransom demanded by their attackers – but threat actors know that few businesses can stand cloud downtime for too long without reputational damage and severe loss of profits.

A growing concern of the past few years has been the lowering barrier to entry for would-be ransomware groups, as the ransomware as a service (RaaS) model becomes more entrenched. This allows any hacker to purchase effective strains of ransomware via the dark web and then use it against victims’ infrastructure and cloud. 

Hackers can also use dark web services such as Dark Utilities C2 to launch other campaigns such as distributed denial of service (DDoS) attacks.

Undoubtedly the bluntest approach hackers take when targeting the cloud is a DDoS attack. This approach sees threat actors overwhelm a website or cloud instance with a massive number of access requests to knock it offline. Like cloud ransomware, this attack methodology is all about maximum damage, and bouncing back will hinge on whether a business has a concrete backup strategy. 

But even cloud ransomware comes with the promise – however untrustworthy – of data decryption if the price is paid. DDoS attacks tend to be far more two-dimensional, the downtime being the entire point rather than the means to a profitable end for the perpetrators.

Often, attackers will leverage the combined output of a botnet, a horde of infected devices they control around the world. Using these zombie IoT networks, they wield DDoS capabilities measured in the millions of requests per second (rps) – Google Cloud measured a 398 million rps attack in 2023.

Some firms offer mitigation against DDoS attacks, but they remain an effective avenue of attack for threat actors and are on the rise.

Recovering from a DDoS attack can be a complex process. On the one hand, leaders will be keen for their systems to be brought back online as quickly as possible to stem reputational damage and loss of revenue – a particular concern if the attack successfully knocked out front-end systems like the homepage of your company’s website. 

Leaders must also ensure their cloud environment is restored intact and give security teams the time to have complete confidence that everything is configured correctly when it’s stood back up.

This cuts to the heart of the problem for businesses looking to thrive in the cloud. Operating in this modern environment is a constant balancing act of making the most of the expansion and tools at your disposal and keeping one eye on how each cloud instance could be compromised.

Knowing what’s out there is essential, but this process never ends. Leaders must constantly refresh their understanding of threats and bad actors and keep their employees trained to deal with the latest cloud threats.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.