Friday, April 25, 2025

Cloud SSO Attacks Surge: Hackers Exploit Weaknesses in 2024


Hacks Targeting Cloud Single Sign-On Rose in 2024


Hackers Deploying Infostealers for Data and Credential Theft

According to a report by Bank Info Security, hacks targeting cloud infrastructure rose significantly last year, with attackers exploiting misconfigurations and single sign-on features to deploy infostealers for data and credential theft.

In an annual security report, Mandiant said the company "responded to more breaches that involved a cloud component than ever before" during 2024. Mandiant attributed the rising number of attacks to companies migrating from on-premises infrastructure to hybrid cloud environments without ensuring adequate security measures were in place.

Mandiant’s research revealed that hackers target centralized cloud assets secured with single sign-ons, which, when compromised, provide the attackers with "broadscale access to an environment," and permit privilege escalation. As Mandiant noted, "The centralized nature of cloud identity and access management technologies can provide a shortcut with fewer opportunities for exposure. Attackers are targeting user credentials for cloud services and subsequently social engineering corporate help desk teams to reset passwords and enroll new multifactor authentication."

Data theft was the primary objective in two-thirds of the cloud incidents Mandiant responded to in 2024, while financial theft was the motive in 38% of attacks. Among groups targeting cloud infrastructure is a financially motivated threat group that Mandiant tracks as UNC3944. The group, also known as 0ktapus and Scattered Spider, relies on social engineering tactics to target its victims. Its tactics included calling service desks to reset passwords and multifactor authentication, including for privileged accounts.

After gaining access, hackers exploited single sign-on solutions by assigning a compromised account to every application linked to an SSO instance, which allowed the threat actor to widen the scale of the attack from on-premises infrastructure to cloud and SaaS applications, Mandiant said. In at least one case, UNC3944 used RansomHub ransomware to encrypt an organization’s virtualized environment. UNC3944 also abused cloud synchronization utilities to move data from cloud-hosted data sources in the targeted environment to external attacker-owned cloud storage resources.
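For defenders, the two identity-provider patterns described above (a help-desk password reset followed by a new MFA enrollment, and one account being assigned to nearly every SSO application) can be hunted for in audit logs. The sketch below is an added example, not code from Mandiant or Bank Info Security; the event schema, account names, application names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema:
# (timestamp, actor, action, target_user, app)
SAMPLE = [
    ("2024-06-03T09:02:00", "helpdesk.agent", "password_reset", "j.doe", None),
    ("2024-06-03T09:06:00", "j.doe", "mfa_enroll", "j.doe", None),
    ("2024-06-03T09:11:00", "j.doe", "app_assign", "j.doe", "crm"),
    ("2024-06-03T09:11:20", "j.doe", "app_assign", "j.doe", "payroll"),
    ("2024-06-03T09:11:40", "j.doe", "app_assign", "j.doe", "vsphere"),
    ("2024-06-03T09:12:00", "j.doe", "app_assign", "j.doe", "storage"),
    ("2024-06-03T10:00:00", "helpdesk.agent", "password_reset", "a.lee", None),
    ("2024-06-04T08:30:00", "idp.admin", "app_assign", "a.lee", "crm"),
]
ALL_APPS = {"crm", "payroll", "vsphere", "storage", "wiki"}  # apps behind the SSO instance

def parse(events):
    """Convert timestamps and return events in chronological order."""
    rows = [(datetime.fromisoformat(t), a, act, u, app) for t, a, act, u, app in events]
    return sorted(rows, key=lambda r: r[0])

def reset_then_enroll(events, window=timedelta(minutes=30)):
    """Users whose MFA enrollment follows a password reset within `window`."""
    last_reset, hits = {}, []
    for ts, _actor, action, user, _app in parse(events):
        if action == "password_reset":
            last_reset[user] = ts
        elif action == "mfa_enroll" and user in last_reset:
            if ts - last_reset[user] <= window:
                hits.append(user)
    return hits

def mass_assignment(events, all_apps, window=timedelta(minutes=10), min_pct=80):
    """Users assigned to at least `min_pct` percent of all apps inside one window."""
    per_user = defaultdict(list)
    for ts, _actor, action, user, app in parse(events):
        if action == "app_assign":
            per_user[user].append((ts, app))
    flagged = {}
    for user, rows in per_user.items():
        for i, (start, _app) in enumerate(rows):
            apps = {a for t, a in rows[i:] if t - start <= window}
            if len(apps) * 100 >= min_pct * len(all_apps):
                flagged[user] = sorted(apps)
                break
    return flagged

def high_priority(events, all_apps):
    """Accounts that show both patterns and deserve review first."""
    return sorted(set(reset_then_enroll(events)) & set(mass_assignment(events, all_apps)))
```

An account that appears in both results, like `j.doe` in the sample data, is the one to review first; the window and percentage thresholds need tuning against normal onboarding activity.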

While ransomware continued to be the most common cybercrime globally, hackers frequently deployed infostealers for cloud and other credential theft last year, Mandiant said. A group Mandiant tracks as UNC5537 used stolen credentials likely obtained through infostealers to access data belonging to a Snowflake client. The hackers pivoted to exfiltrate data and attempted to extort targeted organizations or sell the data on cybercrime forums.

In another case recorded by Mandiant, a threat group called Triplestrength was observed routinely selling compromised Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHcloud, and DigitalOcean access. APT42, an Iranian threat group, is among other threat actors using cloud-based platforms and services such as Google Sites and Dropbox as part of a fake login campaign aimed at credential theft.

To secure cloud environments, Mandiant recommends that companies use multifactor authentication such as hardware security keys or mobile authenticator apps and implement cookie expiration and password rotation policies. The company also recommends limiting accounts that are allowed to authenticate and implementing network restrictions. As Mandiant noted, securing cloud environments requires a comprehensive approach that addresses the unique challenges of cloud security.

The findings of Mandiant’s report highlight the growing concern of cloud security and the need for organizations to prioritize securing their cloud infrastructure. As the threat landscape continues to evolve, it is essential for companies to stay informed about the latest threats and best practices for cloud security.

Source: Bank Info Security


