Cloud account threats increased 16-fold in 2023, with attackers adopting new techniques in these environments, according to Red Canary’s 2024 Threat Detection Report.
Researchers found that detections associated with T1078.004: Cloud Accounts, the MITRE ATT&CK technique for cloud account compromises, was the fourth most prevalent technique used by threat actors in 2023, up from 46th place in 2022.
These attacks impacted three-times as many organizations in 2023 compared to 2022, as more systems and data move to the cloud.
The report also noted that adversaries behave differently in the cloud compared to other systems. They typically steal short-term tokens to gain access to and abuse APIs for privilege escalation.
This malicious activity is difficult to detect as authorized users leverage these same tokens and APIs.
Once in possession of legitimate account access, attackers conduct systematic reconnaissance to explore available access points.
“This reconnaissance phase serves as a precursor to subsequent attacks, allowing adversaries to socially engineer help desk employees for password resets or take advantage of misconfigurations to access sensitive data,” the researchers wrote.
A Palo Alto Networks report in September 2023 found that 80% of security vulnerabilities observed in organizations across all sectors come from a cloud environment.
Evolving Social Engineering Techniques
Phishing actors leveraged a variety of techniques to bypass email security features to infect targets with ransomware and other malware, the report found.
Notable examples included:
- The use of compressed archives (ZIP, RAR) and container files (ISO, VHD) to avoid restrictions from Mark-of the-Web (MOTW) features.
- Abuse of OneNote files to deliver malware payloads like Qbot at the start of 2023. In May 2023, OneNote was updated to block embedded files with commonly abused extensions by default.
- The use of MSIX files to deliver malware. These files are often used by developers to deliver Windows applications within enterprises.
The researchers also highlighted an increase in non-email delivery vehicles for their malicious links in 2023. These included:
- Quishing: The use of QR codes in phishing attempts.
- SEO poisoning: Attackers using SEO techniques such as placing strategic keywords in the body or title of a webpage to make their malicious sites more prominent when results are returned on Google and other legitimate search engines.
- Malvertising: Purchasing fake ads on search engine pages that masquerade as legitimate websites.
Another notable trend highlighted in the report was a 600% rise in attackers using email forwarding rules to hide their activity when they successfully compromised users’ email accounts.
Forwarding emails to an external account is used to hide any malicious emails sent from that account. Messages sent from these accounts include sending emails to internal finance departments requesting to modify payroll information or send a wire transfer.
Additionally, this tactic can allow an adversary to continue receiving sensitive information after losing access to the account.
Keith McCammon, Chief Security Officer at Red Canary, said the report demonstrates that attackers are primarily targeting identities to attack organizations.
“To access cloud accounts and SaaS applications, adversaries must compromise some form of identity or credential, and one that is highly privileged can grant an adversary untold access to valuable accounts, underscoring the critical importance of securing corporate identities and identity providers,” he said.
How to Detect Ransomware Intrusion
Red Canary described the most common techniques, tools and procedures it observed across “pre-ransomware” intrusion stages.
- Initial access: A number of ransomware intrusions last year began with attackers exploiting vulnerabilities in internet-facing devices such as Confluence or Veritas. The researchers noted that these internet-facing devices are often unmonitored, with the intrusion only being detected when adversaries move off the initial device. Other ransomware intrusions started with common malware families like SocGholish and Qbot that were followed by reconnaissance demands.
- Lateral movement: Attackers commonly use compromised accounts obtained from credential dumping. These credentials enable them to move from unmonitored parts of the network.
- Reconnaissance: Malicious actors were frequently observed conducting reconnaissance with built in commands.
The ransomware-as-a-service (RaaS) ecosystem presented difficulties in detection and attribution in 2023, according to the researchers.
Commonly, an initial access broker would infiltrate a network and then pass access to affiliates. The SocGholish, Qbot and Raspberry Robin payloads were often delivered via initial access brokers that later pass off access to separate ransomware operators.