Cloud environments have become a lucrative target for cyber-threat actors, a subject that experts will discuss at the upcoming Infosecurity Europe conference. Research has shown that nearly half of all data breaches now originate in the cloud, and that 80% of organizations experienced a cloud security breach in the past year. This follows organizations moving their key applications and data from on-premises to cloud environments to improve efficiency. In many cases, however, security strategies have not evolved to account for this shift, and some organizations believe they are offloading security responsibilities to their cloud service provider. Under the shared responsibility model, the customer remains responsible for protecting its data. Amid this trend, cloud-based threats have grown in scale and sophistication, with techniques changing continually. It is critical that security leaders understand the current cloud threat landscape and the core priorities for protecting their organizations from damaging breaches.

How Attackers Are Targeting the Cloud Today

Security experts Infosecurity spoke to shared insights into the main techniques threat actors are currently using to target the cloud.

Vulnerability Exploitation

Bar Kaduri, Head of Security Research at Orca Security, said that vulnerability exploitation is the number one attack vector in the cloud, as the number of new vulnerabilities published grows each year and security teams struggle to keep up with patching.

“We see an increase of organizations with public-facing neglected assets – assets that have a lot of unpatched vulnerabilities, are running on end-of-life operating systems or weren't updated for a while. Last year 81% of the organizations were running these assets, compared to 89% this year,” Kaduri noted.

Christian Reilly, Field CTO EMEA at cloud service provider Cloudflare, told Infosecurity that Cloudflare had observed increased attempts to exploit zero-day flaws in the cloud in the past year, with attackers getting quicker at targeting these vulnerabilities following public disclosure.

Non-Human Credential Compromise

Researchers have also observed an uptick in credential compromise in the cloud, in particular of non-human credentials such as API keys, OAuth tokens and cloud provider access tokens that grant programmatic access to sensitive resources. In many cases, compromise of such credentials is enabled by accidental exposure.

Martin Zugec, Technical Solutions Director at Bitdefender, noted: “Attackers actively scan public code repositories like GitHub for these inadvertently committed credentials, which can then be used for unauthorized access, data exfiltration and resource manipulation, bypassing traditional authentication mechanisms.”

Zugec added that attackers are leveraging sophisticated scripts and bots to speed up their identification of these exposed secrets. Securing non-human identities is a growing cloud concern.
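The accidental exposure described above is the point where a defender can intervene most cheaply: before the commit reaches a public repository. The following is an added example, not code from the article or from any of the vendors quoted: a minimal pre-commit secret scanner that checks only the added lines of a diff for two well-known credential prefixes (AWS access key IDs, GitHub tokens) and falls back to an entropy heuristic for other key-like assignments. The sample diff is constructed; its AWS values are Amazon's documented example credentials and the GitHub token is made up.

```python
import math
import re

# Prefix patterns for two well-known credential formats (AWS access key IDs,
# GitHub personal/OAuth tokens); extend the table for other providers.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Generic fallback: a key-like variable name assigned a long literal value.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|api[_-]?key|password)[^=:\n]{0,20}[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=_-]{20,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score about 4.5+, English words near 3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_diff(diff: str, entropy_threshold: float = 4.0):
    """Return (line_no, kind, value) for each suspected secret on added lines.
    Only '+' lines are checked, so a pre-commit hook flags new leaks without
    re-reporting history; scan history separately for secrets already pushed."""
    findings = []
    for line_no, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context lines, removals and the file header
        hits = [(kind, m.group(0)) for kind, pat in SECRET_PATTERNS.items()
                for m in pat.finditer(line)]
        if not hits:  # entropy heuristic only when no known format matched
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                hits.append(("high_entropy_assignment", m.group(1)))
        findings.extend((line_no, kind, value) for kind, value in hits)
    return findings

# Constructed sample diff: the AWS values are Amazon's documented example
# credentials and the GitHub token is a made-up string; none of them is live.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+LOG_LEVEL = "info"
"""
```

In a hook, feed `scan_diff` the output of `git diff --cached` and reject the commit when it returns anything; print only the kind and line number, not the matched value, so the hook's own log does not become a second leak.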
Kaduri noted that non-human identities such as API keys and service accounts now outnumber human identities by 50 to one. This scale of identities is difficult for organizations to manage and maintain, increasing the risk of breaches and even supply chain attacks, such as the tj-actions attack that affected 218 GitHub repositories.

Exploiting Cloud Misconfigurations

Improperly configured cloud system settings continue to be a common cause of breaches in these environments. Misconfigurations are errors or incorrect settings in cloud systems that create vulnerabilities, leaving data publicly accessible or enabling unauthorized access.

“Cloudflare has observed a rise in attacks targeting open S3 buckets, unsecured Kubernetes clusters and exposed APIs,” commented Reilly.

One way threat actors are leveraging cloud misconfigurations is in the development of DDoS botnets. Cloudflare has detected increasingly large DDoS attacks, many of which originated from vulnerable cloud instances that were hijacked or misconfigured. This included the record-breaking 5.6 Tbps DDoS attack that the firm mitigated in October 2024.

“Unlike traditional botnets relying on consumer devices, modern botnets are now largely built on compromised cloud workloads, with the consequence of offering attackers greater bandwidth and compute power,” Reilly explained.

Evolving Social Engineering Campaigns

Social engineering attacks designed to compromise cloud accounts have also surged, with techniques like phishing, vishing and smishing prevalent.

