Data from one cybersecurity firm’s ecosystem in Q1 has shown how complacency and indifference could put entire digitalized organizations at risk

Between January and March this year, one cybersecurity firm analyzed its own customer ecosystem’s identity and access management (IAM) configurations and usage activities involving 680,000 identities in 18,000 cloud accounts over 200 different organizations.

With this data, researchers calculated the effective permissions of every cloud identity, looked into the usage history of each permission, and identified the misconfigurations in the permissions policies within the customer ecosystem.

Researchers also analyzed hundreds of cloud malware samples, detailing the operations of cloud threat actors across multiple offensive operations and several toolsets.

The following findings were reached for the sample population:

  • 99% of cloud identities were overly permissive, and many involved permissions that were granted but never used
  • 53% of cloud accounts allowed weak password usage, and 44% allowed password reuse
  • 62% of organizations had publicly exposed cloud resources
  • The top threat actors targeting the cloud, as well as state-sponsored actors that have been known to use the cloud to conduct attacks, were determined in the sample population to be:
    • TeamTNT
    • WatchDog
    • Kinsing
    • Rocke
    • 8220
    • APT 28 (Fancy Bear): used Kubernetes infrastructure to perform brute-force attacks
    • APT 29 (Cozy Bear): while the SolarWinds Orion platform is not considered to be a cloud application, there are legitimate cloud container images available that do allow organizations to build the application within a dynamic cloud environment. The targeting of this application presents a novel approach to cloud targeting operations by APT groups.
    • APT 41 (Gadolinium): used the Azure cloud platform to host Command and Control resources in attacks, to appear more legitimate to detection and alert mechanisms
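The analysis described above (computing each identity's effective permissions, comparing them with usage history, and checking account password settings) can be illustrated with a small script. This is an added example, not code from Unit 42 or the report; the policy and usage records are constructed, the statement format is modelled loosely on cloud allow/deny policies, and the password thresholds are assumptions rather than the report's criteria.

```python
import fnmatch
from collections import defaultdict

# Constructed sample: policy statements attached to two cloud identities.
POLICIES = {
    "ci-deployer": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "iam:*"]},
        {"Effect": "Deny", "Action": ["iam:DeleteUser"]},
    ],
    "analyst": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:DescribeInstances"]},
    ],
}

# Constructed usage history: (identity, action) pairs observed in audit logs.
USAGE = [
    ("ci-deployer", "s3:PutObject"),
    ("ci-deployer", "s3:GetObject"),
    ("analyst", "s3:GetObject"),
]

# Catalogue of actions in the services in play, used to expand wildcards.
SERVICE_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "iam:CreateUser", "iam:DeleteUser", "iam:AttachUserPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances",
]

def effective_permissions(statements):
    """Expand wildcards; an explicit Deny overrides any Allow."""
    allowed, denied = set(), set()
    for st in statements:
        for pattern in st["Action"]:
            matched = {a for a in SERVICE_ACTIONS if fnmatch.fnmatchcase(a, pattern)}
            (allowed if st["Effect"] == "Allow" else denied).update(matched)
    return allowed - denied

def unused_permissions(policies, usage):
    """Granted-but-never-used permissions per identity: the gap the report flags."""
    used = defaultdict(set)
    for identity, action in usage:
        used[identity].add(action)
    return {ident: sorted(effective_permissions(st) - used[ident])
            for ident, st in policies.items()}

def password_policy_findings(policy):
    """Flag settings behind the 'weak password' and 'password reuse' findings.
    Thresholds (14 chars, 24 remembered passwords) are example assumptions."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("minimum length below 14")
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append("reuse prevention below 24 previous passwords")
    if not policy.get("RequireSymbols", False):
        findings.append("symbols not required")
    return findings
```

Running `unused_permissions(POLICIES, USAGE)` shows the CI identity holding IAM user-management rights it has never exercised, which is the kind of excess the report's 99% figure describes.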

According to Unit 42, the threat intelligence arm of Palo Alto Networks, which performed the research, the findings (at least for its customer base) indicate that when it comes to IAM in the cloud, organizations have struggled to put good governance in place, opening the door for malicious actors to gain wider access to cloud environments.

This has given rise to cloud threat actors (individuals or groups) that threaten customer organizations through directed and sustained access to their cloud platform resources, services, or embedded metadata.