Mon | Jul 17, 2023 | 4:30 AM PDT

A recent report from cybersecurity firm SentinelOne sheds light on a concerning trend in the cyber threat landscape: the expansion of a cloud credential stealing campaign targeting Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

This development underscores the increasing value of cloud service credentials to threat actors and emphasizes the need for organizations to prioritize their cloud security strategies.

As cloud services have become more prevalent, cybercriminals have adapted their tactics to exploit the wealth of data stored in these platforms. The report from SentinelOne reveals the expansion of a cloud credential stealing campaign, initially focused on AWS credentials, to now include Azure and GCP. This evolution demonstrates the increasing maturity of threat actors and their ability to adapt their tooling to target a broader range of cloud environments.

Credential stealing is consistently ranked as one of the top initial attack vectors, alongside vulnerability exploitation. Timothy Morris, Chief Security Advisor at Tanium, discussed the report and credential stealing:

"The natural evolution for credential stealing is to target cloud services, as this report illustrates, because that's where the data is. The research paper shows that the attackers have upped their game going after cloud credentials. They have taken what they've learned harvesting AWS creds and applied that skill to now target Azure and GCP. It is evident their maturity has increased with better formatting and a modular scripting approach. That is also a telltale sign that more is to come, and they will only get better and stealthier."

Historically, Azure and GCP have enjoyed some level of protection from cyberattacks due to the "security by obscurity" principle. However, as organizations increasingly adopt multi-cloud environments, these platforms are growing in popularity, attracting the attention of threat actors.

Teresa Rothaar, Governance, Risk, and Compliance Analyst at Keeper Security, warns that relying on "security by obscurity" is not a long-term strategy:

"Historically, Azure and GCP have been somewhat shielded from cyberattacks due to 'security by obscurity.' Because these cloud service providers weren't as popular as AWS, threat actors weren't attacking them as often, akin to how most viruses attack Windows PCs instead of Macs. This may have caused some organizations to relax their security on those platforms in the face of fewer threats.

However, as organizations increasingly shift to a multi-cloud environment, Azure and GCP are increasing in popularity. As a result, threat actors are increasing their attacks against them accordingly. This shows that 'security by obscurity' isn't something you can count on over the long term."

One key aspect highlighted by cybersecurity professionals is the significance of proper configuration for cloud resources, particularly Docker containers. Rothaar stresses that organizations must secure not only human credentials but also credentials used by applications and services.

Misconfigurations that expose Docker containers to the open internet present opportunities for attackers. Ensuring that containers are properly configured and restricted to authorized access is crucial to mitigating risk.
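A constructed illustration of the Docker misconfiguration class described above (added here; it is not from the SentinelOne report or the quoted experts): a small Python audit of a dockerd `daemon.json` that flags a TCP API listener reachable from the network without TLS client verification. The `hosts` and `tlsverify` keys are real dockerd options; the two sample configurations are constructed.

```python
import json

# Constructed sample: the weak setting, a plaintext Docker API on every interface.
WEAK_DAEMON_JSON = """
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
"""

# Constructed sample: the hardened form, TLS with client-certificate verification.
HARDENED_DAEMON_JSON = """
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
 "tlsverify": true,
 "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem",
 "tlskey": "/etc/docker/server-key.pem"}
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")
ANY_ADDR = ("", "0.0.0.0", "::")


def audit_daemon_json(daemon_json: str) -> list:
    """Return a finding string for every tcp:// listener that is not loopback-only
    and is served without tlsverify (i.e. anyone who can reach the port controls
    the daemon, and through it every container and the host's credentials)."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):]
        ip, sep, port = addr.rpartition(":")
        if not sep:  # no port given: the whole string is the address
            ip, port = addr, "default"
        ip = ip.strip("[]")  # bracketed IPv6 literal
        if ip in LOOPBACK:
            continue  # reachable only from the host itself
        scope = "all interfaces" if ip in ANY_ADDR else ip
        if not tls_verify:
            findings.append(
                f"{host}: Docker API on {scope} (port {port}) without tlsverify"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(cfg) or "no findings")
```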

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, highlights the persistent challenge of misconfigurations in cloud environments:

"As organizations continue to move legacy applications and systems to cloud infrastructure, they still struggle with misconfigurations exposing cloud environments. This makes them easy targets for cybercriminals. Identities and credentials are a top target, and when attackers find a common misconfiguration that many organizations repeat, it is only a matter of time before they automate the discovery.

Cloud is becoming even more popular for attackers looking for ways to exploit user identities and credentials, allowing them to find more ways to obtain unauthorized access to victims' networks. It must be a top priority for organizations to be proactive and discover these misconfigurations before the attackers do. They must secure those systems and improve the existing security with solutions such as privileged access management (PAM) and multifactor authentication (MFA) so even if they do discover misconfigurations, it becomes more difficult to easily abuse them."

As attackers increasingly target AWS, Azure, and GCP credentials, organizations must adapt their security strategies to protect their valuable data and resources.

Monitoring cloud assets, adhering to security best practices, and implementing robust security measures such as PAM and MFA are essential steps to safeguard against credential stealing campaigns. By staying ahead of cyber threats and remaining proactive, organizations can fortify their cloud environments and mitigate the risk of compromise.
