The biggest cloud security risk in 2024 will be stolen and exposed credentials


Hackers are redoubling their attempt to break into business applications and cloud infrastructure, according to an analysis of incidents investigated by one security operations center (SOC).

Managed detection and response company Expel said that “identity threats” – attempts to break into email or other business applications – accounted for 64% of all incidents its SOC investigated, and that these had increased in volume by 144% over 2022.

Analysis from the firm showed a 72% increase in cloud infrastructure incidents across the last year, with stolen or leaked credentials responsible for two in five incidents.

The identity threat incidents were either unauthorized email logins (accounting for 60%) or authentications to identity platforms, like Microsoft Entra ID (which was formerly known as Azure Active Directory), Okta, Ping, and Duo.

Organizations saw an average of eight identity-based incidents over the year, although one nonprofit organization was targeted 255 times, Expel said in its report.

Two-thirds of these incidents involved malicious logins from suspicious infrastructure, such as unexpected hosting providers or proxies. Expel said it had seen a shift toward using more proxies and VPNs by attackers, and that this would continue until organizations consistently put “effective roadblocks” in place like multifactor authentication (MFA).

Expel said the increasing volume of these attacks was a direct result of more phishing platforms becoming available, which make it easier to create convincing login pages that can trick unsuspecting users into handing over passwords.

The firm said one particular group known as “The Com” was responsible for the largest number of targeted identity attacks its SOC investigated this year. This group primarily targeted Okta and Microsoft accounts, attempting to abuse password policies.

These attackers call into IT help desks, pretending to be a member of staff locked out of their account and asking for the password to be reset. If the request via the help desk or self-service system succeeds, the attacker sends MFA push notifications to the real user. If the user accepts the MFA push, the attacker gains access to the account.

Expel said it classifies any evidence of a compromised user password as an identity incident, even if the login is then blocked by MFA.

“Many authentication blocking methods are but a small speed bump for attackers and require our analysts to take further action to prevent potentially successful attempts,” the firm said. 

“In fact, we’ve seen many instances when an attacker tried to log in, was blocked by conditional access based on geolocation or MFA, and immediately switched to a bypass method, like a VPN or legacy protocol, resulting in successful login.”

As such, organizations should thoroughly investigate any situation where users could have unknowingly compromised their passwords, the report said.
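The block-then-bypass pattern Expel describes (a login blocked by conditional access or MFA, followed minutes later by a success from a new IP or over a legacy protocol that cannot complete MFA) is something a SOC can hunt for directly in sign-in logs. The following is an added detection example, not code from Expel or the report; the event field names and the sample events are constructed and only loosely modelled on an Entra ID sign-in log.

```python
from datetime import datetime, timedelta

# Constructed sign-in events (assumption: illustrative field names, not a vendor schema).
EVENTS = [
    {"time": "2024-03-04T09:01:10", "user": "alice@example.test", "ip": "203.0.113.7",
     "client": "Browser", "result": "blocked", "reason": "conditional_access_geolocation"},
    {"time": "2024-03-04T09:03:42", "user": "alice@example.test", "ip": "198.51.100.23",
     "client": "Browser", "result": "success", "reason": ""},
    {"time": "2024-03-04T11:20:05", "user": "bob@example.test", "ip": "192.0.2.44",
     "client": "Browser", "result": "blocked", "reason": "mfa_required"},
    {"time": "2024-03-04T11:22:30", "user": "bob@example.test", "ip": "192.0.2.44",
     "client": "IMAP4", "result": "success", "reason": ""},
    {"time": "2024-03-04T14:00:00", "user": "carol@example.test", "ip": "192.0.2.9",
     "client": "Browser", "result": "blocked", "reason": "mfa_required"},
    {"time": "2024-03-04T16:30:00", "user": "carol@example.test", "ip": "192.0.2.9",
     "client": "Browser", "result": "success", "reason": ""},
]

# Legacy mail protocols cannot complete an interactive MFA prompt.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "MAPI"}
WINDOW = timedelta(minutes=15)

def find_block_then_bypass(events, window=WINDOW):
    """Return one finding per blocked login that is followed, within `window`,
    by a successful login for the same user from a new IP or a legacy client."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, blocked in enumerate(evs):
            if blocked["result"] != "blocked":
                continue
            t0 = datetime.fromisoformat(blocked["time"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break  # events are sorted, so nothing later is in the window
                if later["result"] != "success":
                    continue
                ip_changed = later["ip"] != blocked["ip"]
                legacy = later["client"] in LEGACY_CLIENTS
                if ip_changed or legacy:
                    findings.append({"user": user, "blocked_at": blocked["time"],
                                     "success_at": later["time"],
                                     "why": "legacy_protocol" if legacy else "ip_changed"})
                    break
    return findings
```

Carol's success arrives hours later from the same IP and browser, so it is not flagged; a real deployment would enrich the IP with ASN or hosting-provider data rather than comparing raw addresses.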

Expel said cloud infrastructure incidents were also accelerating, with stolen or leaked cloud credentials the biggest risk. These stolen credentials allow attackers to maintain persistent access to a cloud environment with the permissions connected to that identity or role.

Expel’s definition of an incident is an attacker gaining at least control plane or data plane access in the cloud environment.




The company said 96% of the incidents it detected or responded to occurred in AWS, while the other 4% were split evenly between GCP and Azure. That’s even though about half of its cloud customers use AWS, around 33% use Azure, and roughly 17% use GCP.

It said this heavy skew towards AWS is likely the result of more AWS security research and auditing tools available for attackers to abuse.

Exposed credentials were the top cause of cloud infrastructure incidents seen by Expel: these can give attackers access to the cloud control plane through either a framework or a command-line utility. Secrets can be exposed through accidental upload to code repositories, vulnerability exploitation, or information-stealing malware.

The secrets users accidentally uploaded to digital repositories were the ones most exposed. All in all, stolen or leaked credentials accounted for over 40% of the cloud incidents it investigated.

Server-side request forgery (SSRF) attacks, which trick a public-facing web application into exposing sensitive information, were the second most common incident type; in these cases they were used to make AWS EC2 instances expose secrets. The third most frequent incident type resulted from the use of default credentials (19%), which were most often abused by attackers scanning the Internet to deploy crypto miners.

Expel said that to keep cloud infrastructure safe companies should ensure they are following strong identity management practices, regularly removing unnecessary keys and rotating access keys – and insisting on MFA for access to cloud consoles.

However, it acknowledged that “sometimes people forget to change passwords, no matter how often they’re told.” In this case, it said, companies should maintain an inventory of Internet-facing assets and ensure the availability of web-access logging. This data aids in investigating and identifying the root cause of an incident, it said.
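The hygiene checks Expel recommends (remove unnecessary keys, rotate access keys, require MFA on console access) can be run against the IAM credential report that AWS generates per account. The following is an added example, not Expel's or AWS's code; it parses a constructed CSV that uses a subset of the real credential report's column names, with made-up users and dates.

```python
import csv
import io
from datetime import datetime, timezone, timedelta

# Constructed sample: a subset of the columns of an AWS IAM credential report.
REPORT_CSV = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,true,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,false,false,true,2023-09-01T08:00:00+00:00,2024-03-03T12:00:00+00:00,false,N/A,N/A
alice,true,true,true,2024-02-20T09:00:00+00:00,2024-03-04T07:00:00+00:00,true,2023-01-15T09:00:00+00:00,N/A
bob,true,false,false,N/A,N/A,false,N/A,N/A
"""

NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)

def _parse(ts):
    """The report uses N/A / no_information / not_supported for absent timestamps."""
    return None if ts in ("N/A", "no_information", "not_supported") else datetime.fromisoformat(ts)

def audit_credential_report(csv_text, now=NOW, max_age=MAX_KEY_AGE):
    """Return (user, finding) tuples for console users without MFA, active access
    keys older than max_age, and active access keys that have never been used."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            last_used = _parse(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} older than {max_age.days} days"))
            if last_used is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(REPORT_CSV):
        print(f"{user}: {finding}")
```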

Whether it’s attempts to compromise email accounts or business applications, or gain access to cloud infrastructure, there are key lessons to learn, Expel said.

Be careful with passwords and other credentials, watch out for odd log-in behavior, and use MFA where you can.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of