Credentials Account For Over Half of Cloud Compromises


Over half (55%) of public cloud compromises investigated by Google in the first three months of the year were down to a missing or weak password, the tech giant has revealed.

The findings come from Google Cloud’s latest Threat Horizons report, which compiled the figures from the firm's incident response engagements.

The report argued that “strong identity management guardrails” would help to mitigate these risks in public cloud environments.

The second most common compromise factor in the period was misconfiguration, which accounted for 19% of incidents. Google said misconfigurations could also be linked to other compromise factors such as exposure of sensitive UIs or APIs, which accounted for 12% of incidents.

“An example of how these two factors are associated could include a misconfigured firewall that unintentionally provided public access to a UI,” it explained.


The top risk action leading to compromise in Google Cloud environments was overwhelmingly cross-project abuse of the access token generation permission (75%). Google mapped this to the MITRE ATT&CK privilege escalation tactic and the technique “Valid Accounts: Cloud Accounts” (T1078.004).

In second place came replacement of existing compute disks or snapshots, which accounted for 12% of alerts detected by Google. These alerts are triggered when a compute disk or snapshot is deleted and replaced by one with the same name – a common occurrence during cryptocurrency mining, the report explained.
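The two risk actions above are both visible in Cloud Audit Logs, so the following is an added example (not code from the Threat Horizons report or from Google) of how a detection engineer might flag each of them: a GenerateAccessToken call where the calling service account and the target service account live in different projects, and a disk or snapshot insert that follows a delete of the same resource name within a short window. The five log records are constructed for this example; the field names follow the Cloud Audit Log shape (protoPayload.methodName, authenticationInfo.principalEmail, resourceName), but the exact method-name strings, the one-hour window and the "project from service-account email" heuristic are assumptions to check against your own logs, and the reading of "cross-project abuse" as caller project differing from target project is mine rather than the report's definition.

```python
import re
from datetime import datetime, timedelta


def entry(ts, service, method, principal, resource):
    """Build a minimal Cloud-Audit-Log-shaped record (constructed sample data)."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    }


SA_A = "ci-runner@proj-a.iam.gserviceaccount.com"   # assumed caller identity
SAMPLE_LOGS = [
    # benign: token minted for a service account in the caller's own project
    entry("2023-02-01T10:00:00Z", "iamcredentials.googleapis.com", "GenerateAccessToken",
          SA_A, "projects/-/serviceAccounts/deployer@proj-a.iam.gserviceaccount.com"),
    # cross-project: proj-a's runner mints a token for a service account that lives in proj-b
    entry("2023-02-01T10:01:00Z", "iamcredentials.googleapis.com", "GenerateAccessToken",
          SA_A, "projects/-/serviceAccounts/billing-admin@proj-b.iam.gserviceaccount.com"),
    # disk deleted, then a disk with the same name created two minutes later
    entry("2023-02-01T11:00:00Z", "compute.googleapis.com", "v1.compute.disks.delete",
          SA_A, "projects/proj-a/zones/us-central1-a/disks/worker-disk-1"),
    entry("2023-02-01T11:02:00Z", "compute.googleapis.com", "v1.compute.disks.insert",
          SA_A, "projects/proj-a/zones/us-central1-a/disks/worker-disk-1"),
    # snapshot deleted and never replaced: no finding expected
    entry("2023-02-01T11:05:00Z", "compute.googleapis.com", "v1.compute.snapshots.delete",
          SA_A, "projects/proj-a/global/snapshots/nightly-0131"),
]

SA_RE = re.compile(r"^[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")


def sa_project(email):
    """Project ID embedded in a user-managed service-account email, else None.
    A human user's email carries no project, so such callers are not placed."""
    m = SA_RE.match(email or "")
    return m.group(1) if m else None


def parse_ts(ts):
    # Cloud Audit Log timestamps are RFC 3339; fromisoformat wants "+00:00", not "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def cross_project_token_generation(logs):
    """Flag GenerateAccessToken calls where the calling service account and the
    target service account belong to different projects."""
    findings = []
    for rec in logs:
        p = rec["protoPayload"]
        if p["serviceName"] != "iamcredentials.googleapis.com" or p["methodName"] != "GenerateAccessToken":
            continue
        caller = p["authenticationInfo"]["principalEmail"]
        target = p["resourceName"].rsplit("serviceAccounts/", 1)[-1]
        cp, tp = sa_project(caller), sa_project(target)
        if cp and tp and cp != tp:
            findings.append({"time": rec["timestamp"], "caller": caller, "target": target,
                             "caller_project": cp, "target_project": tp})
    return findings


COMPUTE_RE = re.compile(r"\.compute\.(disks|snapshots)\.(delete|insert)$")


def disk_snapshot_replacement(logs, window=timedelta(hours=1)):
    """Flag a disk/snapshot insert whose resourceName matches a delete seen within
    `window` before it, i.e. delete-then-recreate under the same name."""
    deleted = {}   # resourceName -> time of the most recent delete
    findings = []
    for rec in sorted(logs, key=lambda r: parse_ts(r["timestamp"])):
        p = rec["protoPayload"]
        m = COMPUTE_RE.search(p["methodName"])
        if p["serviceName"] != "compute.googleapis.com" or not m:
            continue
        kind, action = m.groups()
        name, ts = p["resourceName"], parse_ts(rec["timestamp"])
        if action == "delete":
            deleted[name] = ts
        elif name in deleted and ts - deleted[name] <= window:
            findings.append({"time": rec["timestamp"], "kind": kind, "resource": name,
                             "principal": p["authenticationInfo"]["principalEmail"],
                             "gap_seconds": (ts - deleted[name]).total_seconds()})
            del deleted[name]
    return findings


if __name__ == "__main__":
    for f in cross_project_token_generation(SAMPLE_LOGS) + disk_snapshot_replacement(SAMPLE_LOGS):
        print(f)
```

Run as a script it prints one finding for each detection: the token minted for proj-b by a proj-a identity, and worker-disk-1 recreated 120 seconds after its deletion. Neither rule is proof of compromise on its own; the disk rule in particular fires on legitimate rebuilds, so in practice you would join it with the identity that performed the action and the instance it is attached to before paging anyone.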

The report also revealed how threat actors are trying to bypass Google Play Store malware detections to get their malicious apps listed on the official marketplace. An increasingly popular tactic is “versioning.”

“Versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate and passes our checks, but later receives an update from a third-party server changing the code on the end user device that enables malicious activity,” the report explained.

Google recommended organizations take a defense-in-depth approach to mitigate the risk, including regular device updates, mobile device management and application allowlists.
