  • Marijan Hassan - Tech Journalist

Crowdstrike warns of increased attacks on the cloud using stolen credentials

As business uptake of cloud solutions increases, security experts are sounding the alarm over a surge in cloud system attacks, driven largely by the use of stolen credentials by threat actors.

“Cloud adoption is exploding as companies realize the potential for innovation and business agility that the cloud offers. Due to this growth, the cloud is rapidly becoming a major battleground for cyber attacks,” CrowdStrike said in its global threat report, emphasizing the need for businesses to prioritize cloud security measures to mitigate risks.

“Businesses need full cloud visibility, including into applications and APIs, to eliminate misconfigurations, vulnerabilities and other security threats,” it said.

According to CrowdStrike, incidents of cloud environment intrusions have spiked by 75% from 2022 to 2023, with threat actors exploiting cloud features to facilitate their malicious activities.

Notably, cybercrime group Scattered Spider has emerged as a prominent threat group, demonstrating sophisticated tactics within targeted cloud environments.

One of the primary tactics employed by attackers is the use of valid credentials obtained through various means including brute-force attacks, phishing, and access brokers to gain initial access.

“Throughout 2023, Scattered Spider demonstrated progressive and sophisticated tradecraft within targeted cloud environments to maintain persistence, obtain credentials, move laterally and exfiltrate data,” CrowdStrike said.

The new CrowdStrike report aligns with IBM's recent findings highlighting the growing prevalence of credential abuse in cyber attacks.

Cloud account credentials have become highly sought-after commodities on the dark web, as they provide an easier route into target systems. Cybercriminals are able to gain access to their victims' environments while posing as legitimate users.

Once inside, attackers work to escalate privileges and broaden their access within compromised systems. Techniques such as modifying policies or adding identities to privileged groups or roles are commonly employed to extend the attacker's reach and maximize the impact of the attack.

For example, during an intrusion at a software company, Scattered Spider attackers escalated their privileges by attaching a new administrator access policy to an existing cloud user.
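The policy-attachment technique described above leaves a trail in the cloud provider's audit log. The following detection logic is an added example, not code from CrowdStrike or from the report; it assumes AWS CloudTrail record layout and IAM event names (AttachUserPolicy, AddUserToGroup, and so on), and the sample records are constructed for illustration. It flags events that attach an administrator-level policy to an existing user or role, or add a user to an admin group:

```python
# IAM API calls that grant or extend privileges (assumption: AWS CloudTrail eventName values)
PRIV_GRANT_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "PutUserPolicy", "AddUserToGroup", "CreatePolicyVersion"}
# Substrings marking a policy or group as highly privileged; tune to your environment
ADMIN_MARKERS = ("AdministratorAccess", "Admin")

def is_admin_grant(event: dict) -> bool:
    """True if the event attaches an admin-level policy or adds a principal to an admin group."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") not in PRIV_GRANT_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    # AttachUserPolicy/AttachRolePolicy carry policyArn; AddUserToGroup carries groupName
    granted = params.get("policyArn") or params.get("groupName") or ""
    return any(marker in granted for marker in ADMIN_MARKERS)

def find_privilege_escalations(records: list) -> list:
    """One finding per suspicious event: who did it, to which principal, what was granted."""
    findings = []
    for ev in records:
        if not is_admin_grant(ev):
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "time": ev.get("eventTime"),
            "actor": ev.get("userIdentity", {}).get("arn"),
            "action": ev.get("eventName"),
            "target": params.get("userName") or params.get("roleName"),
            "granted": params.get("policyArn") or params.get("groupName"),
        })
    return findings

# Constructed sample records in CloudTrail layout (not real telemetry)
SAMPLE_EVENTS = [
    {"eventTime": "2023-06-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build-svc"},
     "requestParameters": {"userName": "build-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-06-01T10:03:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2023-06-01T10:05:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build-svc"},
     "requestParameters": {"userName": "build-svc", "groupName": "CloudAdmins"}},
]
```

In production the same check would run over the live CloudTrail stream and correlate the actor with identity telemetry, since a self-grant by a service account from an unfamiliar source address is a strong signal of credential compromise.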

The shrinking timeframe known as "breakout time," the window between initial access and further intrusion, poses a significant challenge for defenders. CrowdStrike said the average breakout time decreased from 84 minutes in 2022 to 62 minutes in 2023, while the fastest observed breakout time was only 2 minutes and 7 seconds.

Attackers have become increasingly adept at swift exploitation of vulnerabilities, meaning timely detection and response are critical to thwarting cyber threats.

Malware-free attacks, including phishing and social engineering, are also on the rise, comprising the majority of detected incidents. Consequently, organizations need to implement comprehensive security measures, including phishing-resistant multi-factor authentication and proactive threat hunting.

To combat this new wave of cyber threats, CrowdStrike recommends that companies enhance their understanding of cloud infrastructure and adopt a holistic approach to security.

By integrating identity, cloud, endpoint, and data protection telemetry, organizations can better detect and mitigate unauthorized activities within their digital ecosystems.
