
Hacks Aimed at Cloud Single Sign-On Expected to Rise in 2024


A recent report from Google Mandiant found that hacks targeting cloud infrastructure increased significantly in the past year. Attackers have been taking advantage of misconfigurations and single sign-on features to deploy info stealers, resulting in data and credential theft. The report stated that there were more breaches involving a cloud component in 2024 compared to previous years, highlighting the growing threat to cloud security.

The rise in attacks can be attributed to companies transitioning from on-premises infrastructure to hybrid cloud environments without ensuring adequate security measures are in place. Hackers are specifically targeting centralized cloud assets secured with single sign-on, as compromising these provides them with broad access to an environment and enables privilege escalation. The centralized nature of cloud identity and access management technologies creates fewer opportunities for exposure, but it also concentrates access in one place, which makes it an attractive target for attackers.

Data theft emerged as the primary objective in two-thirds of the cloud incidents responded to by Mandiant in 2024, while financial theft was the motive in 38% of attacks. One of the threat groups identified as targeting cloud infrastructure is UNC3944, also known as 0ktapus and Scattered Spider. This financially motivated group relies on social engineering tactics to target victims, including calling service desks to reset passwords and multifactor authentication for privileged accounts.

After gaining initial access, hackers exploited single sign-on solutions by assigning compromised accounts to every application linked to an SSO instance. This tactic allowed them to expand the scale of the attack from on-premises infrastructure to cloud and SaaS applications. In some cases, ransomware was used to encrypt organizations’ virtualized environments, while cloud synchronization utilities were abused to move data to external attacker-owned cloud storage resources.
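The pattern described above, a service-desk password and MFA reset followed by one account being assigned to many SSO applications in a short burst, can be hunted for in identity provider audit logs. The following Python is an added example, not taken from the Mandiant report or the original article; the event schema, field names, account names and thresholds are all assumptions built around constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical vendor-neutral schema (not a real IdP format).
SAMPLE_LOG = """\
{"ts":"2024-06-01T09:00:00","event":"password_reset","actor":"helpdesk1","target":"adm.lee"}
{"ts":"2024-06-01T09:02:00","event":"mfa_reset","actor":"helpdesk1","target":"adm.lee"}
{"ts":"2024-06-01T09:10:00","event":"app_assignment","actor":"adm.lee","target":"adm.lee","app":"crm"}
{"ts":"2024-06-01T09:11:00","event":"app_assignment","actor":"adm.lee","target":"adm.lee","app":"hr"}
{"ts":"2024-06-01T09:11:30","event":"app_assignment","actor":"adm.lee","target":"adm.lee","app":"finance"}
{"ts":"2024-06-01T09:12:00","event":"app_assignment","actor":"adm.lee","target":"adm.lee","app":"vpn"}
{"ts":"2024-06-01T09:13:00","event":"app_assignment","actor":"adm.lee","target":"adm.lee","app":"storage"}
{"ts":"2024-06-01T10:00:00","event":"app_assignment","actor":"it.admin","target":"j.ortiz","app":"crm"}
{"ts":"2024-06-01T15:00:00","event":"app_assignment","actor":"it.admin","target":"j.ortiz","app":"hr"}
"""
RESETS = {"password_reset", "mfa_reset"}

def find_bulk_assignments(log_text, min_apps=5, window=timedelta(minutes=30),
                          lookback=timedelta(hours=24)):
    """Flag accounts assigned to >= min_apps distinct apps inside one window."""
    assigns, resets = defaultdict(list), defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "app_assignment":
            assigns[ev["target"]].append((ts, ev["app"]))
        elif ev["event"] in RESETS:
            resets[ev["target"]].append((ts, ev["event"]))
    alerts = []
    for user, items in assigns.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            apps = {app for ts, app in items[i:] if ts - start <= window}
            if len(apps) < min_apps:
                continue
            # Credential or MFA resets shortly before the burst raise severity.
            prior = sorted({name for ts, name in resets[user]
                            if timedelta(0) <= start - ts <= lookback})
            alerts.append({"user": user, "window_start": start.isoformat(),
                           "apps": sorted(apps), "preceding_resets": prior,
                           "severity": "high" if prior else "medium"})
            break  # one alert per account
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_assignments(SAMPLE_LOG):
        print(json.dumps(alert))
```

In a real deployment the thresholds would be tuned against normal onboarding activity, which typically assigns applications through group membership rather than one account at a time.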

While ransomware remains the most common cybercrime globally, info stealers were frequently deployed for cloud and credential theft in 2024, according to Mandiant. UNC5537, another threat group tracked by the company, used stolen credentials obtained through info stealers to access data belonging to a client and attempted to extort targeted organizations or sell the data on cybercrime forums.

In a separate incident, a threat group known as Triplestrength was observed selling compromised access to various cloud platforms including Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean. Additionally, APT42, an Iranian threat group, utilized cloud-based platforms such as Google Sites and Dropbox in a fake login campaign aimed at credential theft.

To enhance security in cloud environments, Mandiant recommends the use of multifactor authentication such as hardware security keys or mobile authenticator apps, along with implementing cookie expiration and password rotation policies. The company also advises limiting accounts allowed to authenticate and implementing network restrictions to mitigate the risk of cyber attacks.
