Cloud threat actors are broadening their attacks, report finds

Cloud threat actors are expanding the scope of their efforts to gain unauthorized access to cloud data and resources. That is the headline finding of Volume 3 of Lacework’s Cloud Threat Report, a semi-annual assessment of ongoing cybersecurity threats affecting the cloud.

Covering a six-month period, the Cloud Threat Report found that, alongside growing attacker interest in cloud platforms beyond AWS, Microsoft Azure and Google Cloud, malicious actors are rapidly adapting new attacks against organizations in the cloud.

As governments around the world warn of the increasing threat of cybercrime, the report’s findings highlight some of the most common threats organizations should protect against.

Small businesses in particular are at risk from cloud access brokers selling access to cloud accounts online. According to the report, 78% of SMBs observed by the Lacework Labs team had compliance breaches in their cloud infrastructure, opening the door for attackers to gain initial access, escalate privileges, and compromise protected data.

Lacework Research Director James Condon says, “Threat actors continue to show sophistication as they design and adapt new attacks to compromise the cloud. Organizations moving more data to cloud infrastructure need to be just as agile, employing security best practices and modern tools with continuous monitoring to stay ahead of cybercriminals and protect critical information.”

This third edition of the Cloud Threat Report highlights four key areas of cloud security: cloud security posture, vulnerabilities and software supply chain, runtime threats and Linux malware, and proactive defense and intelligence.

Based on anonymized data across the Lacework platform from September 2021 to February 2022, the report found:

Flaws in cloud security posture are an open door for threat actors: 72% of monitored cloud environments had insecure configurations, giving attackers an easy route to gain initial access, establish persistence, escalate privileges, and compromise protected data across clouds. The most common risks were found in the AWS services IAM, S3 and EC2, which were also the services most frequently abused by attackers.

Every cloud is a destination, not just the Big 3: Although AWS is one of the largest cloud service providers, AWS accounts make up only 16% of the illicit hosting access offered for sale, while lesser-known providers such as HostGator and Bluehost account for half. While corporate accounts are priced from as low as $300 to upwards of $30,000, the average price of a compromised AWS account is around $40. This high volume of low-priced inventory suggests that attackers are taking advantage of rising compliance breaches in SMB organizations and a lack of focus on securing consumer accounts.

Log4j remains a significant threat, and malware is rapidly adapting: 31% of malware infections observed by the Labs team used Log4j as the initial infection vector. Additionally, Muhstik, the most commonly observed malware family in the wild, can integrate vulnerabilities like Log4j into its operations within 48 hours, underscoring how quickly threat actors move to exploit newly disclosed vulnerabilities.

The Lacework Labs team also investigated compliance issues, exposed Docker APIs and malicious containers, and further vulnerabilities within the software supply chain. Based on the findings of this report, Lacework Labs recommends that defenders assess their security infrastructure against industry best practices and implement proactive defense and reconnaissance tools with active vulnerability monitoring.