What Cloud-First Organizations Can Learn from the Latest Cyjax Cloud Threat Landscape Report

Threat actors and APT (advanced persistent threat) groups around the globe are increasingly targeting cloud infrastructure as more organizations utilize cloud services for efficiency, cost-effectiveness, and potential security improvements. Over 98% of organizations are believed to use the cloud in some capacity, creating an immense and extensive attack surface.

The Cyjax Cloud Threat Landscape report portrays a significant positive trend for attacks using or targeting cloud services over the past six months. This report outlines the notable threat actors, attacks, vulnerabilities, and service abuse observed and these events’ impact on the threat landscape.

“Digital Transformation projects are moving quickly in many organizations to put systems in public clouds. Updating cloud threat models – especially when it comes to the growing external cloud attack surface of the organization is vital to protect those systems,” says Ian Thornton-Trump, CEO at Cyjax.

Threats targeting cloud environments

As the threat landscape constantly develops, new threat actors, attack methods, and malware strains are identified and observed targeting cloud services. Malicious groups are known to target the cloud and continue to attack misconfigured systems and cloud containers, while new malware strains have been developed and identified in the wild. Additionally, DDoS (Distributed Denial-of-Service) attacks from threat actors have caused significant disruption to services such as Microsoft Azure.

Misconfigurations and malware

TeamTNT is a German-speaking threat group known for targeting misconfigured Docker and Kubernetes systems to spread cryptocurrency mining malware. The threat group weaponizes developer tools and custom malware, and open-source tools. The group was observed operating previously undiscovered malware to steal proprietary data and software. A threat actor exhibiting similar behavior to the TeamTNT group exfiltrated AWS credentials but has recently expanded its tactics to steal Azure and Google Cloud Platform credentials.

It is not only commonly used cloud services targeted in attacks against cloud infrastructure. For example, Linux cloud workloads are also impacted, portraying the widespread nature of threat actor tactics used against these services. With such attacks affecting the cloud landscape, organizations are constantly working to patch vulnerabilities and mitigate threats. However, tools offered by cloud providers are often available only to premium users, leaving non-premium users on the search for cloud monitoring and auditing tooling.

DDoS attacks

Throughout June 2023, Microsoft services were targeted by hacktivist group AnonymousSudan, an alleged member of pro-Russia Killnet. The group is known to conduct DDoS attacks against organizations in various sectors. It often carries out these attacks in relation to geopolitical developments, such as the ongoing war in Ukraine. Attacks like these disrupt services that may require consistent and immediate access, especially for organizations using cloud services to store critical and sensitive information. DDoS attacks can last several hours, impacting operations significantly longer as the provider recovers.

Supply chain attacks

Organizations can utilize cloud services to reduce local storage and performance strain or improve operational effectiveness. However, transferring data compromise risks to a third party can result in significant damage when the organization’s supply chain is targeted.

For example, the Cyjax report mentions the devastating effects of zero-day vulnerability exploitation by the Cl0p ransomware group. Data breaches resulting from such vulnerabilities can have disastrous consequences for affected organizations depending on the type, sensitivity, and volume of the leaked data.

“Although not surprising, the main threat identified in the report is supply chain compromise - when exploring Cl0p's recent attacks, the danger and potential damage cloud service compromise can cause becomes abundantly clear. Hundreds of companies have been named on Cl0p's leak site, and data is still being periodically released from the initial compromise on 27 May,” explains Adam Price, Cyjax Intelligence Analyst and Report Author.

What is worrying, though, is that leaked files analyzed from these attacks indicate that end users did not encrypt files in transit or at rest on the hosting service, allowing the attackers unrestricted access to sensitive information.

Threat actors utilize cloud services (instead of attacking them)

Although threat actors target cloud services for compromise and exploitation, attackers also use cloud infrastructure during campaigns. “An interesting aspect of the landscape highlighted during the report’s writing was cloud service abuse. Threat actors are utilizing cloud services, notably file storage solutions like DropBox and Google Drive to host malicious payloads,” notes Adam Price.

Rather than attacking cloud services, these groups utilize cloud services to aid their attacks. A common tactic is to host malicious payloads and C2 servers on cloud hosting providers to prevent permanent infrastructure from being taken down or flagged as malicious. Once the malicious behavior is detected, a threat actor can transfer the payload to another instance or hosting service.

For example, Kimsuky, which is believed to be an arm of the North Korean General Reconnaissance Bureau, specializes in network infiltration through sophisticated spear-phishing campaigns that abuse legitimate tools, such as cloud services, including Google Drive. These services are leveraged to host malicious documents containing embedded macros that download a payload, connecting victim devices to the group’s C2 server.

Vulnerabilities and exploits affecting cloud services may allow attackers to conduct campaigns targeting vulnerable systems, resulting in targeted attacks with specific expected outcomes. In the past six months, Cyjax observed an increase in flaws affecting cloud services, with over 300 new vulnerabilities identified since January 2023.

The above flaws highlight the importance of regular vulnerability scanning and patching, specifically for critical-rated ones affecting publicly exposed or endpoint-facing instances due to their potentially destructive impact. Further policies and procedures, such as least privilege, should be followed, and patches should be implemented as soon as possible to mitigate potential attacks.

"We are seeing from the dynamic range of attacks and fast-paced tactical shifts that there appears to be, more than ever, a sharing of TTPs between Threat Actors indicating a fast-changing approach to 'state sponsored'; whereby APTs and hacktivists may be political knights and pawns in the current game of cyber chess with checkmate being the access through the cloud attack surface or the disruption of vital services. Capturing a holistic view of the changing threat landscape is not only necessary but vital in these fast-moving times," says Chris Spinks, Cyjax Head of Operations

“The threat actors develop their strains of malware, leverage misconfigurations of cloud resources and software, and quickly weaponize proof-of-concept vulnerability exploits.  Its critical organizations understand what cloud security controls need to be deployed to detect, respond, and prevent adversaries from gaining a successful cloud foothold,” concludes Ian Thornton-Trump.

To learn more about the evolving cloud threat landscape, download the Cyjax report.