IBM X-Force: Use of compromised credentials darkens cloud security picture

The top cause of cloud compromises is improper use of credentials, and enterprise IT teams need to harden their credential management practices, says IBM X-Force.


As connectivity to cloud-based resources grows, cybercriminals are using valid, compromised credentials to access enterprise resources at an alarming rate.

That's one of the chief findings of the IBM X-Force Cloud Threat Landscape Report, which also found a 200% increase (about 3,900 vulnerabilities) in cloud-oriented Common Vulnerabilities and Exposures (CVE) in the last year.

“Over 35% of cloud security incidents occurred from attackers’ use of valid, compromised credentials,” wrote Chris Caridi, strategic cyber threat analyst with IBM X-Force, in a blog about the report. “Making up nearly 90% of assets for sale on dark web marketplaces, credentials’ popularity among cybercriminals is apparent, averaging $10 per listing – or the equivalent of a dozen doughnuts.”

With the increased use of edge, branch and remote networked users accessing multicloud environments, it is clear organizations need to tighten the access privileges IT gives those users.

In fact, X-Force found plain text credentials located on user endpoints in 33% of engagements involving cloud environments.

“In particular, there was a high frequency of service account credentials stored on endpoints, and many were over-privileged. Excessively privileged users can be defined as those who have more permissions than they need to do their job or task,” the report stated.

“Compromised credentials caused over one-third of cloud-related incidents that the X-Force team observed, suggesting that businesses are challenged to balance user access needs and security risks,” the report stated.

Once successful, cybercriminals can take advantage of this access to facilitate their ultimate objective, which can involve deploying cryptominers, ransomware and other types of malware, X-Force stated.

“Organizations can benefit from AI-powered identity protections that help identify behavioral anomalies in depth and verify users’ identity,” the report stated.

Other common attack vectors include the exploitation of public-facing applications and phishing/spear phishing links, each of which represented approximately 14% of incidents the X-Force team responded to.

Microsoft Outlook Cloud credentials accounted for over 5 million mentions on illicit marketplaces – by far the most popular access for sale, Caridi stated.

The exploitation of vulnerabilities in public-facing applications is a tried-and-true access vector for threat actors in cloud and local environments alike, the report stated.

“Cloud applications are typically more challenging for organizations to manage due to the increasing number of applications and services used in a modern cloud or hybrid cloud environment,” the report stated. “If implemented improperly, it’s possible to overlook an outdated application running in the cloud, or worse, be unaware that the application is even in use.”

A few of the other key report findings include:

  • The X-Force team has observed adversaries installing proxyware – a legitimate network segmentation tool – on unsuspecting victims’ systems to resell the victims’ computer bandwidth. Research suggests that a proxyjacking campaign could net threat actors roughly $9.60 within 24 hours for one IP address, and deploying it via Log4j could provide $220,000 in profit per month. Additionally, proxyjacking can result in victims being hit with large cloud provider charges due to the increase in unexpected web traffic.
  • Nearly 60% of newly disclosed vulnerabilities, if exploited, could allow attackers to obtain information, or to gain access or privileges that enable lateral movement through the network. From providing attackers information on how environments are set up to unauthorized authentication that can grant them additional permissions, it’s critical for organizations to know which risks to prioritize – especially when operating with limited resources.
  • The Chaos Remote Administrative Tool (Trojan.Linux.CHAOSRAT) is being deployed as a remote access tool (RAT). Chaos RAT functions include a reverse shell; file download, upload and delete; screenshots; operating system information gathering; shutting down and restarting the host; and opening URLs. This RAT shows the sophistication and evolution of cloud-based threat actors.

The X-Force researchers made a number of suggestions in response to their findings. For example, they said customers should utilize zero trust security technologies to include implementation of multifactor authentication (MFA) and the principle of least privilege.

“This strategy is especially important for private clouds that may interact with other on-premises assets on a regular basis,” the report stated. “Modernize identity and access management (IAM) to reduce reliance on username and password combinations and combat threat actor credential theft.”

They also recommended using AI-based capabilities to help scrutinize digital identities and behaviors, verify their legitimacy, and deliver smarter authentication.

The threat landscape report is based on data gathered from X-Force threat intelligence, penetration tests, incident response engagements, Red Hat Insights and data provided by report contributor Cybersixgill between June 2022 and June 2023.

Copyright © 2023 IDG Communications, Inc.