
Cloud account compromise a permanent feature of threat landscape

A hard drive is seen in the light of a projection of a thumbprint. (Photo by Leon Neal/Getty Images)

In reporting on cloud security earlier this year, Proofpoint said that its 2021 data found that more than 90% of monitored cloud tenants were targeted every month, with some 24% successfully attacked.

The lesson: Much like email-based phishing and malware delivery, attempted cloud account compromise has developed into a substantial and permanent feature of the threat landscape.

Brute-force attacks remain the method of choice for most threat actors, say the Proofpoint researchers. These attacks targeted 95% of organizations and managed to compromise nearly one-third (32%) of cloud tenants during 2021.

Proofpoint researchers also found that the number of cloud tenants targeted by precision attacks steadily increased over the course of the year. Some 75% of cloud tenants were targeted with a precise attack, with 60% being compromised as a result.

The surprising thing about the percentage of cloud tenants being attacked is that, even at more than 90%, it seems low, said Claude Mandy, chief evangelist, data security at Symmetry Systems. Mandy said these attacks (precision and brute force) both attempt to circumvent access controls, one of the primary, if not the only, means of protecting data in the cloud. It also illustrates that anything connected to the internet will be discovered and therefore attacked at some point, said Mandy.

“There is no security by obscurity in the cloud,” Mandy said. “It’s important to remember that these types of attacks leverage data obtained through phishing and other credential compromises to increase their success rates, and cybercriminals don’t give up on their first failure. As a result, they are also almost inevitably going to succeed. For example the successful attack against Uber appears to have resulted as much from the sophistication of the social engineering as from MFA fatigue.”

Constant scanning from legitimate adversaries versus general traffic on top of potential bug bounty crawling systems leads to a ton of noise that adversaries can use as a cloak to hide their development of attacks, explained Matt Mullins, senior security researcher at Cybrary. Mullins said it’s doubly true with brute forces, as protections on certain points typically have (if implemented correctly) timeouts, so attackers merely need to “set it and forget it” until they get feedback that something worked.

“With attacks being pruned for maximum effectiveness and stealth over time, defenders have to be able to quickly detect and protect ... when most can't do this adequately with a longer timeline,” Mullins said. “Cloud is a prime target and will be for some time, as a result of this.”
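Mullins's point about lockout timeouts is that a per-account counter alone does not catch a patient attacker who spreads attempts across many accounts and stays under the threshold on each one. The script below is an added example, not part of the SC Media article or of Proofpoint's research: it parses constructed JSON sign-in log lines (the field names `ts`, `user`, `src`, `result` are assumptions, not any provider's schema) and aggregates failures per source address over a sliding window, so that both a noisy brute force against one account and a low-and-slow password spray across several accounts surface as alerts.

```python
"""Flag brute-force and low-and-slow password-spray patterns in cloud sign-in logs.

Added example for illustration only; the log lines, field names and thresholds are
constructed here and do not come from the article or from any vendor's product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Return constructed JSON-lines sign-in events (one record per line)."""
    base = datetime(2022, 10, 3, 8, 0, 0)
    rows = []
    # 12 failures against one account in under 20 minutes: classic brute force.
    for i in range(12):
        rows.append((base + timedelta(seconds=100 * i), "alice@example.test", "203.0.113.7", "FAIL"))
    # Low-and-slow spray: one failure per account, six accounts, ten minutes apart.
    # Each account sees a single attempt, so a per-account lockout never fires.
    for i in range(6):
        rows.append((base + timedelta(minutes=10 * i), f"user{i}@example.test", "198.51.100.9", "FAIL"))
    # Benign: two mistyped passwords followed by success from the user's usual address.
    rows.append((base + timedelta(minutes=5), "bob@example.test", "192.0.2.5", "FAIL"))
    rows.append((base + timedelta(minutes=6), "bob@example.test", "192.0.2.5", "FAIL"))
    rows.append((base + timedelta(minutes=7), "bob@example.test", "192.0.2.5", "SUCCESS"))
    return "\n".join(
        json.dumps({"ts": t.strftime(TS_FMT), "user": u, "src": s, "result": r})
        for t, u, s, r in rows
    )


def parse_events(text):
    """Parse JSON-lines sign-in records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return events


def detect(events, window=timedelta(hours=1), brute_threshold=10, spray_accounts=5):
    """Return (brute_sources, spray_sources): sets of source addresses to alert on.

    A source is 'brute' when it fails against one account at least brute_threshold
    times inside any window, and 'spray' when it fails against at least spray_accounts
    distinct accounts inside any window. Aggregating by source rather than by account
    is what exposes the spray that slips under a per-account lockout counter.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)

    brute, spray = set(), set()
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Sliding window ending at the current failure.
            start = cur["ts"] - window
            recent = [e for e in evs[: i + 1] if e["ts"] >= start]
            per_user = defaultdict(int)
            for e in recent:
                per_user[e["user"]] += 1
            if max(per_user.values()) >= brute_threshold:
                brute.add(src)
            if len(per_user) >= spray_accounts:
                spray.add(src)
    return brute, spray


if __name__ == "__main__":
    b, s = detect(parse_events(build_sample_log()))
    print("brute-force sources:", sorted(b))   # 203.0.113.7
    print("password-spray sources:", sorted(s))  # 198.51.100.9
```

The thresholds are deliberately loose placeholders; in practice they would be tuned against the tenant's normal failure rate, and the per-source view would be joined with the per-account lockout data the identity provider already keeps, since a spray distributed across many source addresses needs a further aggregation on, for example, the user-agent or the time pattern of attempts.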
