Stolen credentials continue to be 'coin of the realm' for threat groups targeting cloud environments, and the range of tactics they use to get them – from phishing and business email compromise (BEC) campaigns to keylogging and brute force – prove that out.
Also high on the list of tools is infostealer malware that is specifically designed to harvest cloud platform and services credentials, according to IBM’s X-Force threat intelligence unit.
In the latest edition of their annual IBM X-Force Cloud Threat Landscape Report released Tuesday, the researchers found that phishing attacks over the past two years accounted for 33% of cloud-related cyber incidents, with bad actors increasingly using adversary-in-the-middle (AITM) techniques. Such attacks involve the hackers positioning themselves between the victim and a legitimate service to intercept communications.
“This type of attack is particularly dangerous because it can bypass some forms of MFA [multi-factor authentication], making it a powerful tool for cybercriminals,” Austin Zeizel, threat intelligence consultant with X-Force, wrote in an accompanying blog post. “Once inside a victim’s environment, threat actors seek to carry out their objectives.”
Those objectives include BEC attacks and credential theft, Zeizel wrote. BEC attacks accounted for 39% of incidents since 2022, with the bad actors typically using harvested credentials from phishing attacks to take control of email accounts and run further attacks.
IBM developed the report through threat intelligence it gathered, incident response engagements, and partnerships with Cybersixgill, a cyber intelligence company that monitors the dark web, and Red Hat Insights software-as-a-service (SaaS) tool.
MSSPs and Cloud Security
Such information is critical for MSSPs, who place a central role for many organizations as they continuing moving more workloads and applications to the cloud.
“The vast majority of businesses – businesses that are not in the Fortune 500 – don’t have the capacity to secure these perimeter-less, ephemeral, ragged-edged environments that we’re all living in,” Chris Gonsalves, chief research officer at Channelnomics, told MSSP Alert.
Those companies rely on MSSPs to ensure their security posture is strong and for capabilities from extended detection and response (XDR) and identity and access management (IAM) capabilities, Gonsalves said.
The Human Factor
Threats like phishing and BEC are all about IAM. Humans have long been seen as the weak link in cybersecurity, with many still falling for phishing emails or other social engineering schemes. Studies by the likes of the Cloud Security Alliance (CSA) and Thales have found the human factor ranking high among the threats facing cloud environments, with Thales putting human error and misconfiguration – at 31% – as the top cause of cloud data breaches.
This despite a global cybersecurity training market that is expected to grow from $4.1 billion in 2022 to $19.2 billion by 2032.
The demand for cloud credentials is unrelenting despite what appears to be an oversaturation on the dark web, according to IBM. The average price for compromised cloud credentials on the dark web this year is $10.23, a 12.8% drop since 2022. That combined with a 20% decrease in the overall mentions of SaaS on dark web marketplaces indicates that the supply of stolen cloud credentials may be catching up to demand.
That doesn’t mean that hackers are becoming less interested in such credentials.
“It also reflects an increasing availability of these credentials for threat actors to leverage before and during attacks,” IBM’s Zeizel wrote. “Thus, it’s no surprise that more than a quarter of cloud-related incidents involved the use of valid credentials, making it the second most common initial attack vector. As the price of for-sale cloud credentials decreases, it’s becoming more cost effective (and stealthier) for attackers to compromise organizations by logging in using valid credentials.”
Hackers Follow Businesses to the Cloud
He noted that given the modern business environment – with organizations shifting more of their business-critical data to the cloud – the need for strong cloud security is important. The migration to the cloud is being followed by cybercriminals, who also are moving their focus to the cloud and evolving their capabilities.
“This growing dependence on cloud infrastructure has only widened the attack surface for threat actors to exploit and underscores why securing the cloud is more crucial than ever,” he wrote.
This is putting more responsibility on MSSPs, Channelnomics’ Gonsalves said. Tools like multi-factor authentication (MFA) and IAM are critical in cloud security, but they also put a huge burden on organizations’ IT teams. MSSPs can come in with the capabilities and skills to manage this in the cloud.
Which is good, “because for most people, MFA seems like a pain in the butt,” Gonsalves said.