Cloud Account Attacks Surged 16-Fold in 2023

According to Red Canary’s 2024 Threat Detection Report, cloud account threats surged by 16 times in 2023, with attackers adopting new strategies tailored for cloud environments. Attacks exploiting T1078.004: Cloud Accounts, a technique outlined by MITRE ATT&CK for cloud account compromises, rose to become the fourth most prevalent method used by threat actors, a significant increase from its 46th position in 2022. These attacks affected three times as many organizations in 2023 as compared to the previous year, reflecting the growing migration of systems and data to the cloud.

Researchers also observed that adversaries behave differently in cloud environments, often stealing short-term tokens to exploit APIs for privilege escalation. This activity is challenging to detect as authorized users also utilize these tokens and APIs. Once they gain legitimate account access, attackers conduct systematic reconnaissance to identify potential access points, laying the groundwork for subsequent attacks, such as social engineering help desk employees for password resets or exploiting misconfigurations to access sensitive data.

Security Officer Comments:
Moreover, researchers at Palo Alto Networks in September 2023 revealed that 80% of security vulnerabilities in organizations across all sectors originated from cloud environments. The report also highlighted evolving social engineering techniques employed by phishing actors, including the use of compressed archives, container files, and MSIX files to deliver malware. Additionally, attackers utilized non-email delivery methods such as QR codes in phishing attempts, SEO poisoning, and malvertising to increase the visibility of their malicious sites. A significant trend identified in the report was a 600% increase in attackers using email forwarding rules to conceal their activities after successfully compromising users' email accounts. This tactic enables adversaries to continue receiving sensitive information even after losing direct access to the compromised account.
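The forwarding-rule abuse described above is one of the easier post-compromise behaviours to audit, because the rule must be written to the mailbox configuration. The following is an added example, not code from Red Canary, Palo Alto Networks or the NSA; it runs a simple detection over constructed, simplified mailbox-audit records (the field names are modelled loosely on inbox-rule events but are an assumption, not a real vendor schema) and flags rules that forward mail to external domains, raising severity when the rule also hides the mail from the mailbox owner.

```python
from typing import Dict, List

# Constructed sample records (assumption: simplified, NOT a real product schema).
SAMPLE_EVENTS: List[Dict] = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "team@corp.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.personal@webmail.example"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Receipts"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]

# Parameters that send a copy of mail elsewhere, and parameters that hide it from the owner.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead"}


def _domain(address: str) -> str:
    # Strip an optional "smtp:" prefix and return the lower-cased domain part.
    return address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]


def find_external_forwarding(events: List[Dict], internal_domains: List[str]) -> List[Dict]:
    """Return one finding per event that forwards mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for ev in events:
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        targets = [v for k, v in params.items() if k in FORWARDING_PARAMS]
        external = [t for t in targets if _domain(t) not in internal]
        if not external:
            continue  # internal-only forwarding or no forwarding at all
        # Forward + delete/mark-read is the concealment pattern: owner never sees the mail.
        hiding = any(params.get(k, "").lower() == "true" for k in HIDING_PARAMS)
        findings.append({"user": ev["UserId"], "operation": ev["Operation"],
                         "targets": external, "hides_from_owner": hiding,
                         "severity": "high" if hiding else "medium"})
    return findings
```

Alerting on every new external forwarding rule, rather than only the concealed variants, keeps the check useful when the attacker does not bother hiding the mail.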

Suggested Corrections:
In light of Red Canary’s reporting, the NSA recently published a guide titled “NSA Launches Top 10 Cloud Security Suggested Corrections Strategies”; it is available here:

“To mitigate the risks associated with cloud misconfigurations and security vulnerabilities, organizations should prioritize implementing the NSA's recommended mitigation strategies. These strategies encompass a wide range of security measures, including upholding the Cloud Shared Responsibility Model, implementing secure identity and access management practices, encrypting data, and enforcing network segmentation. Additionally, organizations should leverage the accompanying cybersecurity information sheets provided by the NSA, which offer detailed steps for implementing each strategy, along with best practices and additional resources for further exploration. By adopting a proactive approach to cloud security and implementing these mitigation strategies, organizations can effectively enhance their resilience against cyber threats in cloud environments.” (IT-ISAC Daily Report, March 12th, 2024)