21 Oct 2022
Over the past ten years, cloud computing has become ubiquitous, driven by innovation and growth, and cybercriminals have closely followed cloud migration, developing their own innovations to exploit these platforms. Most of these exploits result from suboptimal setups and human error. According to recent IBM Security X-Force data, many companies adopting the cloud lag behind on fundamental security best practices, increasing risk to their organizations.
The 2022 X-Force Cloud Threat Landscape Report reveals that the most typical method of cloud compromise continues to be vulnerability exploitation, a tried-and-true infection method. Some of the major findings from the report, generated between July 2021 and June 2022 using data from X-Force Threat Intelligence, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements, and data supplied by report contributors, are summarized below.
Over the past six years, there has been a sixfold increase in new cloud vulnerabilities, and 26% of cloud compromises that X-Force responded to were brought on by attackers using unpatched vulnerabilities, making this the most typical entry point seen.
X-Force Red successfully compromised client cloud environments in 99% of pen testing engagements through users' excessive privileges and permissions. This kind of access might enable attackers to pivot and move laterally throughout a victim's environment, heightening the impact of an attack.
According to X-Force, cloud account sales on illegal marketplaces have increased by 200%, with remote desktop protocol access and stolen credentials being the most common types of cloud accounts sold.
The leading cause of cloud compromise is unpatched software
More and more IoT devices are connecting to cloud environments, increasing the potential attack surface and creating serious challenges for many businesses, such as proper vulnerability management. As an illustration, the report found that more than 25% of the cloud incidents it studied were caused by exploitation of known, unpatched vulnerabilities. While the Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more frequently exploited vulnerabilities seen in X-Force engagements, most of the vulnerabilities used to compromise applications affected the on-premises versions, sparing the cloud instances.
As expected, there is a steady rise in cloud-related vulnerabilities; in fact, X-Force has seen a 28% increase in new cloud vulnerabilities just in the past year. With over 3,200 cloud-related vulnerabilities reported, businesses struggle to keep up with the need to update and patch an expanding volume of vulnerable software. Not only is the number of cloud-related vulnerabilities growing, so is their severity, as shown by the increase in vulnerabilities that can give attackers access to more sensitive and important data and opportunities to launch more damaging attacks.
To ensure the most effective risk mitigation, businesses should pressure test their environments to identify weaknesses like unpatched, exploitable vulnerabilities. Businesses should also prioritize these weaknesses based on their severity.
Excessive privileges help bad actors
The report also sheds light on another concerning trend in cloud environments: lax access controls, with 99% of X-Force Red's pen testing engagements succeeding due to users' excessive permissions and privileges. By giving users excessive access to numerous applications across their networks, businesses inadvertently create a stepping stone for attackers to gain a deeper foothold in the victim's cloud environment.
The trend highlights the need for businesses to transition to zero trust strategies to further reduce the risk introduced by user behaviors that exhibit excessive trust. Using zero trust strategies, businesses can implement the appropriate policies and controls to scrutinize connections to the network, whether made by an application or a user, and iteratively verify their legitimacy. Additionally, it's crucial that businesses properly secure their hybrid, multi-cloud environments as they adapt their business models to innovate quickly and adapt easily. Modernizing their architectures is essential to accomplishing this. Since not all data requires the same level of control and supervision, it is crucial to identify the right workloads and place them where they are needed. This enables companies to manage their data effectively and put effective security controls around it, supported by appropriate security technologies and resources.
Cloud accounts are the hottest items on dark web marketplaces
As cloud computing becomes more popular, more cloud accounts are being sold on the dark web: X-Force has seen a 200% increase in the past year alone. X-Force found over 100,000 cloud account ads on dark web marketplaces, with some account types being more popular than others. Remote Desktop Protocol (RDP) access accounted for 76% of cloud account sales, a slight increase from the previous year. Compromised cloud credentials made up 19% of the cloud accounts advertised in the marketplaces that X-Force examined.
These accounts are readily accessible to the average bidder because the going rate for this access is incredibly low. RDP access costs an average of $7.98, and compromised credentials cost an average of $11.74. The 47% higher selling price of compromised credentials is probably due to their simplicity and to the fact that postings advertising credentials frequently include multiple sets of login information, possibly from other services that were stolen along with the cloud credentials. This increases the ROI for cybercriminals.
As more compromised cloud accounts appear across these illegal marketplaces for malicious actors to exploit, organizations must work to enforce stricter password policies by advising users to frequently update their passwords and implementing multifactor authentication (MFA). Businesses should use Identity and Access Management tools to fight credential theft from threat actors and lessen their reliance on username and password combinations.