“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations

Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past year. Improper use of credentials made up the top cause of cloud compromises that X-Force responded to in the past year, reaffirming the need for businesses to double down on hardening their credential management practices.

Based on insights from X-Force threat intelligence, penetration tests, incident response engagements, Red Hat Insights and data provided by report contributor Cybersixgill, between June 2022 and June 2023, some of the key highlights stemming from the report include:

• Credentials worth a dozen doughnuts: Over 35% of cloud security incidents occurred from attackers’ use of valid, compromised credentials. Making up nearly 90% of assets for sale on dark web marketplaces, credentials’ popularity among cybercriminals is apparent, averaging USD 10 per listing or the equivalent of a dozen doughnuts. Microsoft Outlook Cloud credentials accounted for over 5 million mentions on illicit marketplaces, by far the most popular access for sale.
• “Unkempt” clouds: X-Force observed a nearly 200% increase in new cloud related CVEs from the prior year, now tracking close to 3,900 cloud-related vulnerabilities, a number that has doubled since 2019. Adversaries can advance their objectives significantly by exploiting many of these vulnerabilities with over 40% of new cloud CVEs allowing them to either obtain information or gain access, indicating the strong foothold attackers can establish through these entry points.
• Europe’s cloudy forecast: Sixty-four percent of cloud-related incidents that X-Force responded to during the reporting period involved European organizations. In fact, across all malware that Red Hat Insights observed, 87% was identified in European organizations, highlighting their attractiveness to attackers. It’s possible that the increasing tensions in the region and uptick in deployment of back doors, which was reported in the 2023 X-Force Threat Intelligence Index, could be related to the placing of European cloud environments at the top of the targets observed.

Adversaries continue to wager on improper credential hygiene across enterprises to carry out their attacks. X-Force engagements reveal that, often, credentials with overprivileged access are left exposed on user endpoints in plaintext, creating an opportunity for attackers to establish a pivot point to move deeper into the environment or access highly sensitive information. Specifically, plaintext credentials were located on user endpoints in 33% of X-Force Red’s adversary simulation engagements that involved cloud environments during the reporting period. This upward trend of credential use as an initial access vector representing 36% of cloud incidents in 2023 compared to 9% in 2022, highlights the need for organizations to move beyond human-reliant authentications and prioritize technological guardrails capable of securing user identity and access management.

As access to more data across more environments becomes a recurring need, human error continues to present a security challenge. The growing need for more dynamic and adaptive identity and access management can be met with advanced AI capabilities in the market today. For example, IBM Security Verify customers see substantial improvement by leaning on more intuitive authentication processes to calculate risk score based on login patterns, device location, behavior analytics, and other context, and then automatically adapt the login process and verification accordingly.

The ability to manage the full scope of organizations’ attack surface is key to establishing cyber resilience. However, organizations tend to be more exposed than they realize, often underestimating the potential targets within their environment that can serve attackers’ objectives. Shadow IT and an unmanageable vulnerability debt makes it increasingly challenging for organizations to know where they are most exposed.

According to the X-Force report, nearly 60% of newly disclosed vulnerabilities, if exploited, could allow attackers to obtain information or either gain access or privileges that enable lateral movement through the network. From providing attackers information on how environments are set up to unauthorized authentication that can grant them additional permissions, it’s critical for organizations to know which risks to prioritize, especially when operating with limited resources. To help organizations with this challenge, X-Force Red uses AI for weaponized exploit risk assessment, leveraging the team’s hacker-built automated ranking engine to enrich and prioritize findings based on weaponized exploits and key risk factors such as asset value and exposure.

As organizations focus on better understanding their cloud risk posture, it’s important they combine that knowledge with response readiness by engaging in adversary simulation exercises using cloud-based scenarios to train and practice effective cloud-based incident response. This way, not only can they gain insight into attack paths and objectives an attacker could pursue, but they can also better measure their ability to respond to such attack and contain any potential impact.

If you’re interested in reading the full 2023 X-Force Cloud Threat Report, you can access it here.

You can register for the webinar, “Cloud Threat Landscape Report: Explore Trends to Stay Ahead of Threats,” taking place on Wednesday, September 20 at 11:00 a.m.

For more information on X-Force’s security research, threat intelligence and hacker-led insights, visit the X-Force Research Hub.

If you’d like to set up a consult with IBM X-Force, schedule a discovery briefing here.