The cloud has aided the growth of remote work, but as users gain access to data from more locations, they become more exposed to exploitation. As a result, attackers seeking to hijack accounts and profit from the data behind them have set their sights on the cloud.
The increased frequency of phishing attacks targeting cloud accounts is a troubling recent security trend. As businesses migrated their data and workloads to the cloud, cybercriminals began to pay attention. A compromised cloud account not only gives the attackers the keys to the kingdom and nearly all corporate data that is now stored in the cloud, but it may also be used to launch more attacks.
Attackers used to target the corporate perimeter, but now that the user is the new perimeter, they are concentrating their efforts on cloud identities. Several elements are assisting this shift. The daily news of massive breaches, for example, provides attackers with credentials for large-scale password-spraying or credential-stuffing attempts. This is exacerbated by many users’ continuous carelessness in using the same easy passwords across different applications. Organizations that fail to adopt basic security measures such as multi-factor authentication or an effective password change policy exacerbate this bad habit.
Cloud attacks being pursued by larger groups
Even the criminal ecosystem of initial access brokers is moving to the cloud. According to the latest Lacework Quarterly Cloud Threat Report, administrator accounts for Google Cloud, Amazon AWS, and Azure are gaining popularity in underground marketplaces because they offer a good return on investment relative to the difficulty of the attack. This is because of the amount and value of the data and resources that can be obtained when targeting these services.
State-sponsored groups taking interest in the cloud
To add to the turmoil, opportunistic threat actors aren’t the only ones pursuing cloud accounts. APT28 (AKA Fancy Bear), a Russian cyber-espionage group, is a forerunner in this field. It has been compromising cloud accounts since at least 2016, when the first OAuth phishing attempt targeting Gmail users was found. OAuth phishing has since become a more prevalent method of breaking into cloud accounts.
They haven’t given up their bad habits, it appears. CISA, the NSA, the NCSC, and the FBI issued a joint notice in July this year, warning about a large-scale brute-force operation against cloud and on-premise accounts that has been active since mid-2019 and is being carried out with the help of a Kubernetes cluster. Furthermore, it is not just Russian state-sponsored groups that are interested – password spraying the cloud is appealing to Iranian groups too, as evidenced by another recent attack targeting more than 250 Office 365 tenants.
Businesses must evaluate vulnerabilities in their supply chain as they attempt to defend their own users’ access to the cloud.
Compromised cloud accounts pose a threat
Beyond the most basic password policies, the first step in reducing the threat of compromised cloud accounts is to enable multi-factor authentication together with role-based access control and separation of duties.
Another important aspect of maintaining a good security posture is keeping track of audit logs. To detect anomalous activity that could indicate a compromised cloud account, a cloud access security broker (CASB) connected via API to a corporate cloud application can examine the application's audit logs and apply user and entity behaviour analytics (UEBA) controls.
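As an added illustration of what "examining audit logs for anomalous activity" looks like in practice (example code written for this page, not from the article or any CASB vendor), the script below runs two detections over a handful of constructed sign-in events: a password-spray detector that flags a single source IP failing against many distinct accounts inside a short window, and a crude UEBA-style baseline that flags a successful sign-in from a country the user has never signed in from before. The log schema, IP addresses, user names and thresholds are all assumptions made up for the example.

```python
"""Added example (not from the article): two simple detections a CASB or SIEM
might run over cloud sign-in audit logs. The event format, the sample events
and the thresholds below are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source_ip, country, result).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice@example.com", "203.0.113.5", "US", "success"),
    ("2024-03-01T09:05:00", "bob@example.com",   "203.0.113.5", "US", "success"),
    # One source IP failing once against many different accounts: spraying pattern.
    ("2024-03-01T10:00:00", "alice@example.com", "198.51.100.7", "NL", "failure"),
    ("2024-03-01T10:00:03", "bob@example.com",   "198.51.100.7", "NL", "failure"),
    ("2024-03-01T10:00:06", "carol@example.com", "198.51.100.7", "NL", "failure"),
    ("2024-03-01T10:00:09", "dave@example.com",  "198.51.100.7", "NL", "failure"),
    ("2024-03-01T10:00:12", "erin@example.com",  "198.51.100.7", "NL", "failure"),
    # Later, alice's account succeeds from a country she has never used before.
    ("2024-03-01T10:30:00", "alice@example.com", "198.51.100.7", "NL", "success"),
]


def parse(raw_events):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [{"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
             "country": country, "result": result}
            for ts, user, ip, country, result in raw_events]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that produce failed sign-ins for at least `min_users`
    distinct accounts within `window`. Spraying uses one or two guesses per
    account, so per-account lockout thresholds are never reached; grouping
    failures by source rather than by account is what makes it visible."""
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "failure":
            failures[event["ip"]].append(event)
    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "first_seen": start["ts"].isoformat()})
                break  # one alert per source IP is enough
    return alerts


def detect_new_country_logins(events, spray_ips=frozenset()):
    """Flag successful sign-ins from a country the user has never succeeded
    from before (a minimal per-user behavioural baseline). The hit is raised
    to high severity when the source IP was also a password-spray source."""
    seen_countries = defaultdict(set)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["result"] != "success":
            continue
        baseline = seen_countries[event["user"]]
        if baseline and event["country"] not in baseline:
            alerts.append({"user": event["user"], "ip": event["ip"],
                           "country": event["country"],
                           "severity": "high" if event["ip"] in spray_ips else "medium"})
        baseline.add(event["country"])
    return alerts


def analyse(raw_events=SAMPLE_EVENTS):
    """Run both detections and correlate them through the spray source IPs."""
    events = parse(raw_events)
    spray = detect_password_spray(events)
    new_country = detect_new_country_logins(events, {a["ip"] for a in spray})
    return {"spray": spray, "new_country": new_country}


if __name__ == "__main__":
    for kind, alerts in analyse().items():
        for alert in alerts:
            print(kind, alert)
```

Against the constructed events the spray detector raises one alert for 198.51.100.7 (five distinct accounts in twelve seconds), and the baseline check raises a high-severity alert for alice's later successful sign-in from the same address, which is the combination an analyst would treat as a likely account compromise. Real deployments would replace the constructed tuples with the application's audit-log API and tune the thresholds to the tenant's normal failure rate.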
As part of a security service edge (SSE) solution, a CASB can enforce conditional access control rules (for example, the cloud application can be configured to accept only connections coming from the security edge) and strengthen access control with additional measures such as step-up authentication.
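To make the conditional access rules concrete, here is an added toy policy evaluator of the kind an SSE or CASB policy engine applies before a session reaches the cloud application (example code written for this page, not from the article or any vendor product). It assumes a hypothetical security-edge egress range, a set of privileged roles, and a set of authentication methods treated as phishing-resistant; all of these values are made up for the example.

```python
"""Added example (not from the article): a minimal conditional-access decision
function. The edge egress range, role names and factor names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy inputs (hypothetical values).
SECURITY_EDGE_EGRESS = [ip_network("203.0.113.0/24")]   # where the SSE proxies exit
PRIVILEGED_ROLES = {"admin", "billing"}                  # roles that always need a strong factor
STRONG_METHODS = {"fido2", "hardware_token"}             # phishing-resistant factors


@dataclass
class SignInContext:
    user: str
    role: str
    source_ip: str
    mfa_method: Optional[str]   # None means only a password was presented
    device_managed: bool


def decide(ctx: SignInContext) -> str:
    """Return 'deny', 'step_up' or 'allow'. Rules are evaluated in order:
    1. A connection that did not come through the security edge is refused,
       which is the 'only connections from the security edge' rule.
    2. A password-only session is refused; MFA is mandatory for everyone.
    3. Privileged roles and unmanaged devices must present a phishing-resistant
       factor; otherwise the user is sent to step-up authentication."""
    source = ip_address(ctx.source_ip)
    if not any(source in net for net in SECURITY_EDGE_EGRESS):
        return "deny"
    if ctx.mfa_method is None:
        return "deny"
    needs_strong_factor = ctx.role in PRIVILEGED_ROLES or not ctx.device_managed
    if needs_strong_factor and ctx.mfa_method not in STRONG_METHODS:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    samples = [
        SignInContext("alice@example.com", "admin", "203.0.113.10", "fido2", True),
        SignInContext("alice@example.com", "admin", "203.0.113.10", "sms", True),
        SignInContext("bob@example.com", "user", "198.51.100.7", "fido2", True),
        SignInContext("bob@example.com", "user", "203.0.113.10", None, True),
    ]
    for ctx in samples:
        print(ctx.user, ctx.role, ctx.source_ip, ctx.mfa_method, "->", decide(ctx))
```

The ordering matters: the edge check comes first so that a session bypassing the SSE is refused even if the user has a strong factor, and the strong-factor requirement is expressed as a step-up rather than a denial so that a legitimate administrator on a weak factor is prompted to upgrade instead of being locked out.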
Individual users have always been the weakest link in a company’s security architecture, and with the cloud they are even more exposed. If businesses wish to operate securely and confidently from the cloud, they should respond to this growing threat by deploying straightforward controls such as a CASB, two-factor authentication, and conditional access policies.