
Google: Cloud Breaches Driven More by Flaws Than Weak Passwords

Originally published on: March 11, 2026
Summary

– Hackers are now primarily exploiting newly disclosed software vulnerabilities within days, not weeks, to gain initial access to cloud environments, with bug exploits accounting for 44.5% of intrusions.
– The use of weak credentials has declined, a shift Google attributes to its enhanced security measures raising the barrier for threat actors.
– State-sponsored and financially-motivated attackers often use compromised identities for long-term data exfiltration and persistence, with some campaigns lasting over 18 months.
– North Korean threat actors are targeting cloud environments to steal millions in cryptocurrency, using sophisticated social engineering and malware to infiltrate corporate networks.
– Malicious insiders increasingly use cloud storage services for data theft, and external attackers delete logs and backups to complicate recovery; the speed of these intrusions makes automated response a necessity.

A significant shift is occurring in how attackers breach cloud environments, with a new report revealing that exploiting software vulnerabilities has now overtaken weak passwords as the primary method of initial access. This change underscores a rapidly evolving threat landscape where hackers are weaponizing new flaws with unprecedented speed. The data indicates that nearly 45% of investigated cloud intrusions stemmed from bug exploits, while compromised credentials accounted for just over a quarter of breaches. This pivot in tactics is largely attributed to stronger default security settings and enhanced credential protections from major providers, which have forced threat actors to seek alternative entry points.

The window for exploitation has collapsed dramatically. Where attackers once had weeks to leverage a disclosed vulnerability, they now often act within mere days. In some observed cases, cryptominers were deployed into cloud systems within 48 hours of a flaw being made public. This demonstrates a high level of readiness among hacking groups to integrate new vulnerabilities into their attack toolkits almost immediately. Remote code execution (RCE) flaws are particularly prized, with specific vulnerabilities like React2Shell and a critical XWiki flaw being actively leveraged in widespread botnet campaigns.

While vulnerabilities are the new front door, stolen identities remain a key tool. Both state-sponsored groups and financially motivated criminals frequently use phishing and vishing scams, often impersonating IT help desks, to compromise user identities and gain a foothold in target cloud platforms. The ultimate goals of these intrusions are increasingly focused on stealth and persistence. Attackers aim for the silent exfiltration of massive volumes of data, avoiding immediate ransom demands to maintain long-term access. Espionage-linked groups from nations like Iran and China have been found maintaining covert access to victim environments for well over a year, systematically siphoning off terabytes of proprietary information and source code.

Financially driven attacks are also adapting. One notable campaign involved North Korean operatives who fraudulently obtained IT jobs to generate revenue. In a separate, sophisticated cloud attack, another North Korean group tricked a developer into downloading a malicious archive. This file, once opened, deployed a backdoor disguised as a Kubernetes tool. The attackers then pivoted through the cloud environment, compromised high-privileged service accounts, and ultimately stole millions of dollars in cryptocurrency by accessing insecurely stored database credentials.

The abuse of trust relationships in development pipelines presents another serious risk. In one incident, an attacker compromised a developer’s GitHub token and abused the OpenID Connect (OIDC) trust between GitHub and AWS, the federation that lets GitHub Actions workflows exchange a short-lived OIDC token for an AWS role, to create a new admin account in the cloud. From there, they swiftly stole data and destroyed resources in both production and cloud environments. This was part of a broader supply-chain attack that exposed sensitive keys and tokens from thousands of developer accounts and repositories.
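The practical check that follows from the incident above is whether an AWS role trusted by GitHub's OIDC provider is pinned to one repository and one branch or deployment environment, or whether anyone who can push a workflow anywhere in the organisation can assume it. The script below is an added example, not code from the report, from Google or from the affected projects; it audits the trust policy document that `aws iam get-role` returns. The two policies, the account ID and the `example-org` repository names are constructed for illustration.

```python
"""Audit an AWS IAM role trust policy for loose GitHub Actions OIDC conditions.

Added example, not code from the report or the affected projects. The two
trust policies below are constructed; account ID, organisation and
repository names are hypothetical.
"""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"
AUD_KEY = f"{GITHUB_OIDC}:aud"


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def github_oidc_findings(trust_policy):
    """Return (statement_index, message) pairs for every Allow statement that
    lets GitHub's OIDC provider assume the role without pinning the token to
    one repository and one ref or deployment environment."""
    findings = []
    for idx, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(GITHUB_OIDC in principal for principal in federated):
            continue

        # Collect sub/aud values across all condition operators. A literal '*'
        # only acts as a wildcard under StringLike, but a '*' under
        # StringEquals is a misconfiguration too, so both are flagged.
        sub_values, aud_values = [], []
        for _operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                if key == SUB_KEY:
                    sub_values.extend(_as_list(value))
                elif key == AUD_KEY:
                    aud_values.extend(_as_list(value))

        if not aud_values:
            findings.append((idx, "no aud condition; tokens minted for other audiences are accepted"))
        if not sub_values:
            findings.append((idx, "no sub condition; any GitHub repository can assume this role"))
            continue

        for sub in sub_values:
            # GitHub subjects look like repo:ORG/REPO:ref:refs/heads/BRANCH,
            # repo:ORG/REPO:environment:NAME or repo:ORG/REPO:pull_request.
            parts = sub.split(":", 2)
            if len(parts) < 2 or parts[0] != "repo":
                findings.append((idx, f"unexpected sub {sub!r}"))
                continue
            repo = parts[1]
            scope = parts[2] if len(parts) == 3 else ""
            if "*" in repo or "?" in repo:
                findings.append((idx, f"sub {sub!r} matches more than one repository"))
            elif "*" in scope or not (scope.startswith("ref:") or scope.startswith("environment:")):
                findings.append((idx, f"sub {sub!r} lets any branch, tag or pull request of {repo} assume the role"))
    return findings


def audit_trust_policy_json(policy_text):
    """Convenience wrapper for the JSON document returned by `aws iam get-role`."""
    return github_oidc_findings(json.loads(policy_text))


# Constructed: trusts every repository in the organisation and checks no audience.
LOOSE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}}
  }]
}"""

# Constructed: pinned to one repository's protected deployment environment.
TIGHT_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
      "token.actions.githubusercontent.com:sub": "repo:example-org/payments-api:environment:prod"
    }}
  }]
}"""

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_TRUST_POLICY), ("tight", TIGHT_TRUST_POLICY)):
        print(name, audit_trust_policy_json(policy) or "ok")
```

Pinning `sub` to a GitHub deployment environment rather than a branch matters because environments can require a reviewer before the workflow runs, so a stolen token that can push a workflow is no longer enough on its own to obtain cloud credentials.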

Internally, the data exfiltration landscape is changing. Cloud storage services are rapidly becoming the preferred tool for malicious insiders looking to steal corporate data, poised to surpass traditional email-based methods. Analysis shows that a majority of insider theft incidents occur while the individual is still employed, highlighting the need for robust internal data protection measures that monitor for unusual data transfers to services like Google Drive, Dropbox, or AWS S3 buckets.
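One concrete form of the monitoring the paragraph above calls for is a per-user upload baseline against cloud-storage destinations. The detector below is an added example, not code from the report or from Google. It parses constructed forward-proxy log lines (timestamp, user, method, host, path, bytes sent), attributes uploads to Google Drive, Dropbox or S3 by host and path, and flags users whose daily upload volume exceeds a multiple of their historical baseline. The log format, the host list, the baselines and the thresholds are assumptions to be adapted to the proxy and the environment in use.

```python
"""Flag users whose uploads to cloud-storage services exceed their baseline.

Added example, not code from the report. Log lines, baselines and thresholds
are constructed; the host/path rules are a starting point, not a complete list.
"""
import re
from collections import defaultdict

# Fields: timestamp user method host path bytes_out (an assumed proxy log layout).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes_out>\d+)$"
)

# (host suffix, required path prefix, service label). Drive resumable uploads go
# through www.googleapis.com, so that host is only counted under /upload/drive/.
# Regional S3 endpoints (bucket.s3.REGION.amazonaws.com) need their own rule.
CLOUD_STORAGE_RULES = [
    ("drive.google.com", "", "google-drive"),
    ("www.googleapis.com", "/upload/drive/", "google-drive"),
    ("dropboxapi.com", "", "dropbox"),
    ("dropbox.com", "", "dropbox"),
    ("s3.amazonaws.com", "", "aws-s3"),
]
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def storage_service(host, path):
    """Return the service label for a request, or None if it is not cloud storage."""
    for suffix, prefix, label in CLOUD_STORAGE_RULES:
        if (host == suffix or host.endswith("." + suffix)) and path.startswith(prefix):
            return label
    return None


def upload_totals(log_text):
    """Sum bytes uploaded per user per storage service over the log window."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        match = LOG_LINE.match(line)
        if not match or match["method"] not in UPLOAD_METHODS:
            continue
        label = storage_service(match["host"], match["path"])
        if label is not None:
            totals[match["user"]][label] += int(match["bytes_out"])
    return totals


def flag_outliers(totals, baseline_bytes, multiplier=5, floor_bytes=200 * 1024 * 1024):
    """Alert when a user's upload volume exceeds max(floor, multiplier * baseline).

    The floor keeps low-baseline users from alerting on a single large file;
    the multiplier catches users whose volume jumps relative to their norm."""
    alerts = []
    for user, per_service in totals.items():
        total = sum(per_service.values())
        threshold = max(floor_bytes, multiplier * baseline_bytes.get(user, 0))
        if total > threshold:
            alerts.append({"user": user, "bytes": total,
                           "services": dict(per_service), "threshold": threshold})
    return sorted(alerts, key=lambda alert: -alert["bytes"])


# Constructed sample: one user pushes ~1.25 GiB to Dropbox in one afternoon.
SAMPLE_LOG = """
2026-03-09T09:10:01Z jdoe GET drive.google.com /drive/my-drive 2048
2026-03-09T10:15:33Z asmith POST www.googleapis.com /upload/drive/v3/files 3145728
2026-03-09T11:40:12Z asmith PUT exports-bucket.s3.amazonaws.com /q1-report.pdf 5242880
2026-03-09T12:00:00Z mlee POST mail.example.com /send 51200
2026-03-09T14:02:11Z jdoe PUT content.dropboxapi.com /2/files/upload 734003200
2026-03-09T14:05:40Z jdoe PUT content.dropboxapi.com /2/files/upload 612368384
"""

# Constructed per-user median daily upload volume from prior weeks.
BASELINE_BYTES = {"jdoe": 20 * 1024 * 1024, "asmith": 50 * 1024 * 1024}

if __name__ == "__main__":
    for alert in flag_outliers(upload_totals(SAMPLE_LOG), BASELINE_BYTES):
        print(f"{alert['user']}: {alert['bytes']} bytes to {alert['services']} "
              f"(threshold {alert['threshold']})")
```

Because the page notes that most insider theft happens while the person is still employed, the baseline should be per user rather than a fleet-wide constant: the signal is a departure from that individual's own routine, and an HR-driven watch list can lower the multiplier for users in a notice period.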

To combat these accelerated threats, manual response processes are no longer sufficient. Attackers can deploy payloads within an hour of a new cloud instance being created and often take steps to delete backups and logs to obscure their actions. This makes the implementation of automated security response and remediation not just advisable but urgent. Looking ahead, global events such as major elections and geopolitical tensions are expected to further drive threat activity, making continuous vigilance and adaptive cloud security strategies more critical than ever.

(Source: Bleeping Computer)
