The biggest cloud security risk in 2024 will be stolen and exposed credentials
Locking down accounts with multifactor authentication and investigating password breaches could help keep attackers out


Hackers are redoubling their attempt to break into business applications and cloud infrastructure, according to an analysis of incidents investigated by one security operations center (SOC).
Managed detection and response company Expel said that ‘identity threats’ – attempts to break into email or other business applications – accounted for 64% of all incidents its SOC investigated, and that these had increased in volume by 144% over 2022.
Analysis from the firm showed a 72% increase in cloud infrastructure incidents across the last year, with stolen or leaked credentials responsible for two-in-five incidents.
The identity threat incidents were either unauthorized email logins (accounting for 60%) or authentications to identity platforms, like Microsoft Entra ID (which was formerly known as Azure Active Directory), Okta, Ping, and Duo.
Organizations saw an average of eight identity-based incidents over the year, although one nonprofit organization was targeted 255 times, Expel said in its report.
Two-thirds of these incidents involved malicious logins from suspicious infrastructure, such as unexpected hosting providers or proxies. Expel said it had seen a shift toward using more proxies and VPNs by attackers, and that this would continue until organizations consistently put “effective roadblocks” in place like multifactor authentication (MFA).
Expel said the increasing volume of these attacks was a direct result of more phishing platforms becoming available, which make it easier to create convincing login pages that can trick unsuspecting users into handing over passwords.
The firm said one particular group known as “The Com” was responsible for the largest number of targeted identity attacks its SOC investigated this year. This group primarily targeted Okta and Microsoft accounts, attempting to abuse password policies.
These attackers will call into IT help desks, pretending to be a member of staff locked out of their account and asking for their password to be reset. If the request via the help desk or self-service system is successful, the attacker sends MFA pushes to the real user. If the user accepts the MFA push, the attacker gains access to the account.
Expel said it classifies any evidence of a compromised user password as an identity incident, even if the login is then blocked by MFA.
“Many authentication blocking methods are but a small speed bump for attackers and require our analysts to take further action to prevent potentially successful attempts,” the firm said.
“In fact, we’ve seen many instances when an attacker tried to log in, was blocked by conditional access based on geolocation or MFA, and immediately switched to a bypass method, like a VPN or legacy protocol, resulting in successful login.”
As such, organizations should thoroughly investigate any situation where users could have unknowingly compromised their passwords, the report said.
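The pattern Expel describes, a blocked attempt followed quickly by a successful login over different infrastructure or a legacy protocol, can be spotted in sign-in logs. The script below is an added example, not Expel’s code or data: it uses constructed sign-in records with made-up field names (no vendor’s log schema), treats a change of source IP as the stand-in for “switched to a VPN” (real tooling would add an ASN or proxy-reputation lookup), and lists every user with a blocked attempt separately, since the report treats any evidence of a known password as an incident even when the block held.

```python
"""Added example (not Expel's code or data): flag sign-in sequences in which a
login blocked by MFA or conditional access is followed, within a short window,
by a successful login for the same user from a different source address or over
a legacy protocol. Field names and records below are constructed for this
example and do not follow any vendor's log schema."""
from datetime import datetime, timedelta

# Constructed sample sign-in records: (user, ISO timestamp, source IP, result, protocol).
SAMPLE_SIGNINS = [
    ("alice", "2024-03-01T08:00:00", "198.51.100.10", "success", "modern"),
    ("bob",   "2024-03-01T09:00:00", "203.0.113.5",   "blocked_conditional_access", "modern"),
    ("bob",   "2024-03-01T09:04:00", "203.0.113.77",  "success", "legacy"),
    # Same address, same protocol half an hour later: most likely the real user retrying.
    ("carol", "2024-03-01T10:00:00", "192.0.2.8",     "blocked_mfa", "modern"),
    ("carol", "2024-03-01T10:30:00", "192.0.2.8",     "success", "modern"),
    # Success a day later falls outside the correlation window.
    ("dave",  "2024-03-01T11:00:00", "192.0.2.9",     "blocked_mfa", "modern"),
    ("dave",  "2024-03-02T11:00:00", "203.0.113.9",   "success", "modern"),
]

BLOCKED_RESULTS = {"blocked_mfa", "blocked_conditional_access"}


def _group_by_user(records):
    """Return {user: [(timestamp, ip, result, protocol), ...]} sorted by time."""
    by_user = {}
    for user, ts, ip, result, proto in records:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, result, proto))
    for events in by_user.values():
        events.sort(key=lambda e: e[0])
    return by_user


def users_with_blocked_attempts(records):
    """Every user with a blocked attempt: the password may already be known to
    someone else, so each one is worth investigating even though the block held."""
    return sorted({user for user, _, _, result, _ in records if result in BLOCKED_RESULTS})


def find_bypass_candidates(records, window=timedelta(minutes=30)):
    """Return (user, blocked_at, succeeded_at, reason) for each blocked attempt
    followed within `window` by a success from a new IP or over a legacy protocol."""
    findings = []
    for user, events in _group_by_user(records).items():
        for i, (t_block, ip_block, result, _proto) in enumerate(events):
            if result not in BLOCKED_RESULTS:
                continue
            for t_ok, ip_ok, result_ok, proto_ok in events[i + 1:]:
                if t_ok - t_block > window:
                    break  # events are time-ordered, so nothing later can qualify
                if result_ok != "success":
                    continue
                reasons = []
                if ip_ok != ip_block:
                    reasons.append("new source ip")
                if proto_ok == "legacy":
                    reasons.append("legacy protocol")
                if reasons:
                    findings.append((user, t_block.isoformat(), t_ok.isoformat(), ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user in users_with_blocked_attempts(SAMPLE_SIGNINS):
        print("investigate password for:", user)
    for finding in find_bypass_candidates(SAMPLE_SIGNINS):
        print("possible bypass:", finding)
```

On the sample data only “bob” is flagged as a possible bypass (new address and legacy protocol four minutes after a conditional-access block), while “carol”, whose success came from the same address, and “dave”, whose success is a day later, are not; all three still appear on the investigate list. The 30-minute window and the result labels are choices for this example, not values from the report.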
Expel said cloud infrastructure incidents were also accelerating, with stolen or leaked cloud credentials the biggest risk. These stolen credentials allow attackers to maintain persistent access to a cloud environment with the permissions connected to that identity or role.
Expel’s definition of an incident is an attacker gaining at least control plane or data plane access in the cloud environment.
The company said 96% of the incidents it detected or responded to occurred in AWS, while the other 4% were split evenly between GCP and Azure. That’s even though about half of its cloud customers use AWS, around 33% use Azure, and roughly 17% use GCP.
It said this heavy skew towards AWS is likely the result of more AWS security research and auditing tools available for attackers to abuse.
Exposed credentials were the top cause of cloud infrastructure incidents seen by Expel: these can give attackers access to the cloud control plane either through a framework or a command-line utility. Such secrets can be exposed through accidental upload to repositories, vulnerability exploitation, or information-stealing malware.
Of these, secrets that users accidentally uploaded to code repositories were the most common. All in all, stolen or leaked credentials accounted for over 40% of the cloud incidents it investigated.
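Accidental uploads are the one exposure route a team can block before the push lands. The scanner below is an added example, not Expel’s or ITPro’s code: it checks only the added lines of a unified diff for AWS long-term access key IDs (the documented “AKIA” prefix) and for high-entropy values assigned to secret-looking names. The diff, the rule set and the entropy cut-off are constructed for this example; the key pair in the sample is the placeholder pair from AWS’s own documentation.

```python
"""Added example (not Expel's or ITPro's code): a pre-commit style scan of
a unified diff for credentials in newly added lines. The diff, the rule set
and the entropy threshold are constructed for this example; the key pair
in the sample is the placeholder pair from AWS's own documentation."""
import math
import re

# Constructed diff. The AKIA... / wJal... values are AWS's documented example
# credentials, not live keys.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme_placeholder_value"
-OLD_KEY = "AKIAOLDKEYREMOVED000"
"""

# Long-term AWS access key IDs start with "AKIA" followed by 16 upper-case/digit characters.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Quoted value of 20+ characters assigned to a name that suggests a secret.
SECRET_ASSIGNMENT = re.compile(
    r'(?P<name>\w*(?:secret|token|password|passwd|api_key)\w*)\s*[=:]\s*["\'](?P<value>[^"\']{20,})["\']',
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 4.0  # bits per character; a constructed cut-off, tune for your code base


def shannon_entropy(text):
    """Bits per character of `text`; random tokens score well above English-like strings."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Keep a short prefix so a finding is recognisable without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_diff(diff_text):
    """Return (diff line number, rule, masked value or variable name) for each
    added line that looks like it carries a credential. Removed lines are skipped:
    anything removed was already pushed, so history needs a separate scan."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for m in AWS_KEY_ID.finditer(body):
            findings.append((lineno, "aws_access_key_id", mask(m.group(0))))
        m = SECRET_ASSIGNMENT.search(body)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_secret", m.group("name")))
    return findings


if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

Run against the sample, the scan reports the access key ID on diff line 6 and the secret assigned to `AWS_SECRET_ACCESS_KEY` on line 7, while the low-entropy `DB_PASSWORD` placeholder and the removed `OLD_KEY` line are left alone. Findings carry a masked prefix or the variable name rather than the value itself, so the hook’s own output does not become another place the secret is written down.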
Server-side request forgery attacks, which trick a public-facing web application into exposing sensitive information, were the second most common incident type; in these cases they were used to trick AWS EC2 instances into exposing secrets. The third most frequent incident type resulted from the use of default credentials (19%), which were most often abused by attackers scanning the Internet to deploy crypto miners.
Expel said that to keep cloud infrastructure safe companies should ensure they are following strong identity management practices, regularly removing unnecessary keys and rotating access keys – and insisting on MFA for access to cloud consoles.
However, it acknowledged that “sometimes people forget to change passwords, no matter how often they’re told.” In this case, it said, companies should maintain an inventory of Internet-facing assets and ensure the availability of web-access logging. This data aids in investigating and identifying the root cause of an incident, it said.
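Web-access logs are what make a root-cause investigation of the server-side request forgery cases above possible: the forged request shows up as an ordinary web hit whose parameters carry a URL aimed at an internal address. The script below is an added example, not Expel’s or ITPro’s code. It parses log lines in the common “combined” layout and flags query parameters that contain a URL whose host is a loopback, private (RFC 1918) or link-local address; the log lines, the `/fetch` endpoint and the client addresses are constructed for the example, and DNS names are deliberately not resolved.

```python
"""Added example (not Expel's or ITPro's code): parse web-access log lines in
the common "combined" layout and flag requests whose query parameters carry a
URL pointing at an internal address, the kind of request a server-side request
forgery attempt leaves behind. Log lines, endpoint names and client addresses
are constructed for this example."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (no real hosts or clients).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Fprice.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:00:09 +0000] "GET /fetch?url=http%3A%2F%2F10.0.0.12%3A8080%2Fadmin HTTP/1.1" 500 0 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2024:10:00:12 +0000] "GET /fetch?url=http%3A%2F%2F127.0.0.1%2Fstatus HTTP/1.1" 200 210 "-" "curl/8.4"
203.0.113.9 - - [01/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
this line is not in the expected format
"""

# One combined-format line: client, ident, user, [timestamp], "request", status, size, "referer", "agent".
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_internal_host(host):
    """True for loopback, RFC 1918 and link-local addresses, or the literal 'localhost'."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local


def internal_url_params(target):
    """(parameter, host) for every query value that is a URL aimed at an internal host."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "://" not in value:
            continue
        host = urlsplit(value).hostname
        if is_internal_host(host):
            hits.append((name, host))
    return hits


def scan_access_log(text):
    """Return (client, timestamp, parameter, internal host) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # malformed or foreign line; count these separately in real use
        for name, host in internal_url_params(fields["target"]):
            findings.append((fields["client"], fields["ts"], name, host))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

On the sample log the two `curl` requests from 198.51.100.7 are reported (one aimed at a private 10.0.0.0/8 address, one at loopback), the request fetching a public URL is not, and the malformed trailing line is skipped rather than crashing the parse. Keeping this logging available, as the report recommends, is what lets an investigator tie a leaked secret back to the client address and the exact request that obtained it.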
Whether it’s attempts to compromise email accounts or business applications, or gain access to cloud infrastructure, there are key lessons to learn, Expel said.
Be careful with passwords and other credentials, watch out for odd log-in behavior, and use MFA where you can.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.