Cloud Accounts: A Growing Target for Opportunistic and State-Sponsored Threat Actors

The cloud has helped facilitate the boom in remote work, but as users gain access to data from ever more disparate locations, they also become targets for exploitation. As a result, the cloud is now firmly in the sights of groups looking to compromise accounts and profit from the data they can exploit.

One concerning recent security trend is the growing number of phishing attacks targeting cloud accounts. As companies have moved data and workloads to the cloud, the unwelcome attention of cyber-criminals has followed. A compromised cloud account not only hands attackers the keys to the kingdom, and with them virtually all the business data that now resides in the cloud, but can also be used as a launchpad for further attacks. Additionally, in the case of IaaS, the compromised resources can be hijacked for malicious purposes such as cryptomining.

Traditional attacks aimed to break into the corporate perimeter, but as the user is now the new perimeter, attackers are focusing their efforts on cloud identities. This shift is being facilitated by several factors. For example, the daily war bulletin of mega breaches is providing attackers with credentials they can use for large-scale password-spraying or credential-stuffing attacks. This is compounded by the persistent sloppiness of many users who reuse the same simple passwords across multiple applications. This bad habit is worsened by organizations that fail to implement basic security measures such as multi-factor authentication or an effective password change policy. In this context, it is no surprise to see the recent warning issued by Microsoft concerning the rise in password-spraying attacks targeting cloud accounts. This uptick has been motivated by the fact that the attack is low-effort and easily repeatable.

Bigger Groups Pursuing Cloud Attacks

Even the criminal ecosystem of the initial access brokers is expanding to the cloud. A recent study by Lacework has revealed how Amazon AWS, Google Cloud and Azure administrative accounts are gaining popularity in underground marketplaces, since they provide a valuable return on investment compared to the relative complexity of the attack. This is due to the amount (and the value) of data and resources that can be accessed when targeting these services. The same concerns apply to SaaS services such as Google Workspace or Microsoft 365: in the case of Google Forms, recent research published by Sophos has detailed the multiple ways in which a compromised legitimate account can be exploited by bad actors: phishing (for traditional services or cloud applications), reconnaissance or data exfiltration. Attackers continue to prove their creativity and tenacity to achieve their objective, as shown by a recent phishing campaign in which they impersonated a security company to access Microsoft and Google email credentials.

State-Sponsored Groups Probing the Cloud

To add fuel to the fire, opportunistic criminals are not the only groups targeting cloud accounts. The Russian cyber-espionage group APT28 (AKA Fancy Bear) was an early mover in this space. It has compromised cloud accounts since at least 2016, when the first campaign targeting Gmail users via OAuth phishing was discovered; OAuth phishing has since become an increasingly common technique for compromising cloud accounts. Apparently, they haven't quit their bad habits. In July this year, a joint alert was issued by the NSA, CISA, NCSC and FBI warning about a large-scale brute force campaign against cloud (and on-premises) accounts that has been active since mid-2019 and carried out using a Kubernetes cluster (from the cloud to the cloud). Russian state-sponsored groups are not the only ones; password spraying the cloud is attractive for Iranian groups too, as shown by another recent campaign against more than 250 Office 365 tenants.

More recently, in early October this year, Google notified 14,000 Gmail users from various industries of a widespread spear-phishing campaign carried out by the same state-sponsored group. This massive operation accounted for 86% of the warnings Google sent out during the same month. 

As businesses look to protect their own users’ access to the cloud, they must still consider vulnerabilities within their supply chain. For example, Microsoft (again) recently sent out another advisory warning about nation-state activity associated with NOBELIUM, the threat actor known for the SolarWinds supply chain attack. This latest campaign took place between July 1 and October 19 and aimed to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP) and other IT services organizations, targeting 609 customers 22,868 times.

Mitigating the Risk of Compromised Cloud Accounts

Beyond implementing the most basic password policies, enabling multi-factor authentication with role-based access control and segregation of duties is the first step to mitigating the risk of compromised cloud accounts. Unfortunately, it seems that this security measure is overlooked by 78% of Microsoft 365 administrators (and consequently, 97% of Microsoft 365 users don’t have it either). 

Monitoring audit logs is another key element of a correct security posture. A cloud access security broker (CASB) integrated via API with a corporate cloud application can analyze the audit logs and enforce user and entity behavior analytics (UEBA) controls to detect abnormal activities that could indicate a compromised cloud account.
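As an added illustration of the kind of audit-log analysis described above (example code written for this page, not a CASB vendor's logic), the script below flags the password-spraying pattern discussed earlier: one source IP failing against many distinct accounts in a short window, with any success from that IP in the same window singled out for triage. The four-field log format and the sample records are constructed; real IdP or CASB exports carry more fields under different names.

```python
"""Password-spray detection over cloud sign-in audit logs (added example).
The four-field log format is constructed for illustration; real IdP/CASB
exports carry more fields and different names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts in
# 20 seconds (a spray) and the sixth attempt succeeds. 198.51.100.20 is one
# user mistyping once, which must not be flagged.
SAMPLE_LOG = """\
2021-11-02T08:00:01Z alice@example.com 203.0.113.7 FAILURE
2021-11-02T08:00:04Z bob@example.com 203.0.113.7 FAILURE
2021-11-02T08:00:09Z carol@example.com 203.0.113.7 FAILURE
2021-11-02T08:00:13Z dave@example.com 203.0.113.7 FAILURE
2021-11-02T08:00:17Z erin@example.com 203.0.113.7 FAILURE
2021-11-02T08:00:21Z frank@example.com 203.0.113.7 SUCCESS
2021-11-02T08:05:00Z alice@example.com 198.51.100.20 FAILURE
2021-11-02T08:05:30Z alice@example.com 198.51.100.20 SUCCESS
"""

def parse(text):
    """Parse 'timestamp user source_ip result' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures hit >= min_accounts distinct users inside
    a sliding window. Spraying is many users with few attempts each, so the
    distinct-user count (not the raw failure count) is the signal."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            recent = evs[start:end + 1]
            failed = {u for _, u, _, r in recent if r == "FAILURE"}
            # keep the widest window seen for this IP, plus any success in it
            if len(failed) >= min_accounts and len(failed) >= findings.get(ip, {}).get("accounts", 0):
                succeeded = sorted({u for _, u, _, r in recent if r == "SUCCESS"})
                findings[ip] = {"accounts": len(failed), "compromised": succeeded}
    return findings
```

Tune `window` and `min_accounts` to the tenant's normal sign-in volume; a shared egress address such as a corporate proxy will otherwise produce false positives.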

Implementing CASB, as part of a security service edge (SSE) solution, can enforce conditional access control policies (for example, the cloud application can be configured to accept only those connections originating from the security edge) and apply access control with additional measures (such as step-up authentication).

Individual users have always been the most fallible point in a business’ security architecture, and with the advent of the cloud, they are more exposed than ever. Businesses must respond to this growing threat by implementing simple protocols like two-factor authentication, CASB and conditional access policies if they want to operate securely and confidently from the cloud. 
