The biggest cloud security risk in 2024 will be stolen and exposed credentials
Locking down accounts with multifactor authentication and investigating password breaches could help keep attackers out


Hackers are redoubling their attempt to break into business applications and cloud infrastructure, according to an analysis of incidents investigated by one security operations center (SOC).
Managed detection and response company Expel said that ‘identity threats’, attempts to break into email or other business applications, accounted for 64% of all incidents its SOC investigated, and that these had increased in volume by 144% over 2022.
Analysis from the firm showed a 72% increase in cloud infrastructure incidents over the past year, with stolen or leaked credentials responsible for two in five of those incidents.
The identity threat incidents were either unauthorized email logins (accounting for 60%) or authentications to identity platforms, like Microsoft Entra ID (which was formerly known as Azure Active Directory), Okta, Ping, and Duo.
Organizations saw an average of eight identity-based incidents over the year, although one nonprofit organization was targeted 255 times, Expel said in its report.
Two-thirds of these incidents involved malicious logins from suspicious infrastructure, such as unexpected hosting providers or proxies. Expel said it had seen a shift toward using more proxies and VPNs by attackers, and that this would continue until organizations consistently put “effective roadblocks” in place like multifactor authentication (MFA).
Expel said the increasing volume of these attacks was a direct result of more phishing platforms becoming available, which make it easier to create convincing login pages that can trick unsuspecting users into handing over passwords.
The firm said one particular group known as “The Com” was responsible for the largest number of targeted identity attacks its SOC investigated this year. This group primarily targeted Okta and Microsoft accounts, attempting to abuse password policies.
These attackers call into IT help desks, pretending to be a member of staff locked out of their account and asking for their password to be reset. If the request via the help desk or self-service system succeeds, the attacker sends MFA pushes to the real user. If the user accepts the MFA push, the attacker gains access to the account.
Expel said it classifies any evidence of a compromised user password as an identity incident, even if the login is then blocked by MFA.
“Many authentication blocking methods are but a small speed bump for attackers and require our analysts to take further action to prevent potentially successful attempts,” the firm said.
“In fact, we’ve seen many instances when an attacker tried to log in, was blocked by conditional access based on geolocation or MFA, and immediately switched to a bypass method, like a VPN or legacy protocol, resulting in successful login.”
As such, organizations should thoroughly investigate any situation where users could have unknowingly compromised their passwords, the report said.
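As an added illustration (not Expel's code or tooling), the following Python flags the pattern the quote describes over a few constructed sign-in events: a blocked authentication followed within a short window by a successful one from different infrastructure or over a legacy protocol. The field names, the 15-minute window and every log value are assumptions made for this example.

```python
"""Flag blocked sign-ins that are quickly followed by a success via a bypass
(changed network infrastructure or a legacy protocol). Constructed data only."""
from datetime import datetime, timedelta

# Constructed sample events; field names are assumed, not a vendor schema.
EVENTS = [
    {"ts": "2023-11-02T09:00:00", "user": "alice", "result": "blocked",
     "reason": "conditional_access_geo", "asn": "AS64496", "protocol": "modern"},
    {"ts": "2023-11-02T09:04:00", "user": "alice", "result": "success",
     "reason": "", "asn": "AS64511", "protocol": "modern"},       # new ASN (VPN/proxy?)
    {"ts": "2023-11-02T10:00:00", "user": "bob", "result": "blocked",
     "reason": "mfa_required", "asn": "AS64500", "protocol": "modern"},
    {"ts": "2023-11-02T10:02:00", "user": "bob", "result": "success",
     "reason": "", "asn": "AS64500", "protocol": "legacy_imap"},  # legacy protocol
    {"ts": "2023-11-02T11:00:00", "user": "carol", "result": "blocked",
     "reason": "mfa_required", "asn": "AS64500", "protocol": "modern"},
    {"ts": "2023-11-02T11:30:00", "user": "carol", "result": "success",
     "reason": "", "asn": "AS64500", "protocol": "modern"},       # benign retry
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def parse(ts):
    return datetime.fromisoformat(ts)


def find_bypass_sequences(events, window=WINDOW):
    """Return one finding per blocked sign-in that is followed within `window`
    by a success for the same user that changed ASN or used a legacy protocol.
    A success from the same infrastructure and protocol is not flagged."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, blocked in enumerate(evs):
            if blocked["result"] != "blocked":
                continue
            for later in evs[i + 1:]:
                if parse(later["ts"]) - parse(blocked["ts"]) > window:
                    break  # events are sorted, so nothing later can match
                if later["result"] != "success":
                    continue
                why = []
                if later["asn"] != blocked["asn"]:
                    why.append("infrastructure changed %s -> %s" % (blocked["asn"], later["asn"]))
                if later["protocol"].startswith("legacy"):
                    why.append("legacy protocol " + later["protocol"])
                if why:
                    hits.append({"user": user, "blocked_at": blocked["ts"],
                                 "success_at": later["ts"], "why": why})
    return hits
```

Every blocked event is still evidence of a known password, as the report argues; this logic only prioritizes the ones where the block was followed by an apparent bypass.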
Expel said cloud infrastructure incidents were also accelerating, with stolen or leaked cloud credentials the biggest risk. These stolen credentials allow attackers to maintain persistent access to a cloud environment with the permissions connected to that identity or role.
Expel’s definition of an incident is an attacker gaining at least control plane or data plane access in the cloud environment.
The company said 96% of the incidents it detected or responded to occurred in AWS, while the other 4% were split evenly between GCP and Azure. That’s even though about half of its cloud customers use AWS, around 33% use Azure, and roughly 17% use GCP.
It said this heavy skew towards AWS is likely the result of more AWS security research and auditing tools available for attackers to abuse.
Exposed credentials were the top cause of cloud infrastructure incidents seen by Expel: they can give attackers access to the cloud control plane through either a framework or a command-line utility. Such secrets can be exposed through accidental upload to repositories, vulnerability exploitation, or information-stealing malware.
Secrets that users accidentally uploaded to code repositories were the most common source of exposure. All in all, stolen or leaked credentials accounted for over 40% of the cloud incidents it investigated.
Server-side request forgery (SSRF) attacks, which trick a public-facing web application into exposing sensitive information, were the second most common incident type; in these cases they were used to make AWS EC2 instances give up secrets. The third most frequent incident type resulted from the use of default credentials (19%), which were most often abused by attackers scanning the Internet to deploy crypto miners.
Expel said that to keep cloud infrastructure safe companies should ensure they are following strong identity management practices, regularly removing unnecessary keys and rotating access keys – and insisting on MFA for access to cloud consoles.
However, it acknowledged that “sometimes people forget to change passwords, no matter how often they’re told.” In this case, it said, companies should maintain an inventory of Internet-facing assets and ensure the availability of web-access logging. This data aids in investigating and identifying the root cause of an incident, it said.
Whether it’s attempts to compromise email accounts or business applications, or gain access to cloud infrastructure, there are key lessons to learn, Expel said.
Be careful with passwords and other credentials, watch out for odd login behavior, and use MFA wherever you can.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.