With public cloud services spending projected to hit $805 billion in 2024 and double by 2028, understanding the threats facing cloud environments is critical. Cloud-based attacks are diverse and constantly changing, with threat actors directly targeting cloud environments or using cloud services to carry out malicious activities like phishing.  

Our new report, “Five Ways Cyber Attackers Exploit Cloud Environments,” outlines the most pressing threats to the cloud. In this blog, we focus on three of the five threats from the report: API compromise, SaaS-based phishing, and cloud environment hijacking. 

The full report contains more context on the attack types below, as well as a comprehensive analysis of two other threat types—exploitation of unsecured SSH keys, and server-side request forgery (SSRF) attacks. 


Bad Connection: Cloud-Based API Compromise Attacks 

Cloud APIs are integral to modern cloud ecosystems, allowing communication between applications and systems. However, they also present significant security risks. If API keys are compromised, attackers can gain unauthorized access to cloud resources and manipulate them as legitimate users. 

Common vulnerabilities in cloud APIs include weak authentication, lack of encryption, insecure endpoints, poor key management, and flawed API logic. These flaws open doors for cybercriminals, allowing them to steal access keys, maintain persistence, and access sensitive data or manipulate resources. 

Between December 2023 and September 2024, ReliaQuest analyzed true-positive alerts from customer environments, focusing on initial access and discovery commands against public-facing cloud APIs. Our findings included the following: 

  • Self-Service Password Reset Requests accounted for 28% of all alerts, suggesting attempts by threat actors to gain access to cloud environments and potentially gain administrator privileges. 
  • The GetVersion command appeared in 31% of alerts in Kubernetes environments, indicating that attackers were looking for software vulnerabilities. 
  • Over 50% of the source IP addresses of attacks showed extensive malicious activity, indicating consistent use by threat actors for scanning organizations and probing for weak spots. 

To best protect cloud environments from API compromise attacks, deny direct remote access by using network proxies, gateways, and firewalls. In addition, strictly monitor public-facing assets for abnormal traffic and commands. 
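The monitoring advice above can be turned into a simple detection: correlate discovery commands against public-facing cloud APIs by source IP and flag sources that burst or probe several API surfaces. The following is an added example, not code from ReliaQuest or the report; the log format, the event names (GetVersion, SelfServicePasswordReset) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (not ReliaQuest data); one per line:
# timestamp, source IP, API surface, command name.
SAMPLE_EVENTS = """\
2024-09-02T08:00:01Z 203.0.113.7   kubernetes GetVersion
2024-09-02T08:00:03Z 203.0.113.7   kubernetes GetVersion
2024-09-02T08:00:09Z 203.0.113.7   identity   SelfServicePasswordReset
2024-09-02T08:00:15Z 203.0.113.7   kubernetes GetVersion
2024-09-02T08:01:40Z 198.51.100.22 kubernetes GetVersion
2024-09-02T09:30:00Z 198.51.100.22 identity   SelfServicePasswordReset
2024-09-02T08:05:00Z 192.0.2.44    kubernetes ListPods
"""

# Commands the report associates with initial-access and discovery probing.
DISCOVERY_COMMANDS = {"GetVersion", "SelfServicePasswordReset"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_events(text):
    """Parse the constructed format into sorted (timestamp, src_ip, api, command) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines rather than crash the job
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def flag_sources(events, threshold=3, window_seconds=60):
    """Return {src_ip: [reasons]}: 'burst' = >= threshold discovery commands inside
    window_seconds; 'multi-api' = discovery commands against more than one API surface."""
    recent = defaultdict(deque)   # src_ip -> timestamps of discovery commands in the window
    apis_seen = defaultdict(set)  # src_ip -> API surfaces probed
    flagged = defaultdict(list)
    for ts, src, api, cmd in events:
        if cmd not in DISCOVERY_COMMANDS:
            continue
        apis_seen[src].add(api)
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and "burst" not in flagged[src]:
            flagged[src].append("burst")
        if len(apis_seen[src]) > 1 and "multi-api" not in flagged[src]:
            flagged[src].append("multi-api")
    return {src: reasons for src, reasons in flagged.items() if reasons}
```

Running `flag_sources(parse_events(SAMPLE_EVENTS))` flags 203.0.113.7 for both a burst and multi-API probing and 198.51.100.22 for multi-API probing only, while the source issuing a routine ListPods is never considered.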

SaaS-Based Phishing Attacks: Exploiting User Trust 

Phishing represented a staggering 71.1% of all TTPs we saw in 2023 customer true-positive incidents.  

An emerging phishing tactic involves hosting malicious links within cloud-storage SaaS solutions, such as OneNote files shared via SharePoint or Google documents shared via Google Drive. Instead of including the malicious link directly in the email, attackers use phishing emails to direct recipients to the cloud-stored document containing the link. This method leverages the trust users have in well-known cloud platforms, making the phishing attempt harder to detect. 

  • This phishing method is dangerous to end users because it exploits the inherent trust they place in well-known cloud storage platforms like Google Drive or Dropbox. 
  • The method also complicates detection and response efforts. Since the initial document link points to a legitimate platform, email filtering systems may not recognize it as malicious, allowing the phishing email to bypass initial security measures. 

ReliaQuest helps our customers defend against these attacks with our extensive detection rule library, which identifies attacks at different stages of the attack lifecycle. GreyMatter containment and response playbooks work independently of email security tools, providing much more comprehensive security. 

Hostile Takeover: Protecting Against Cloud Environment Hijacking 

Gaining initial access to a cloud environment allows attackers to cause substantial harm to an organization. They can hijack services for expensive cryptocurrency mining operations or target resources that store sensitive data, leading to brand or operational damage. 

Attackers can also hijack cloud resources to launch outbound phishing campaigns against other organizations. Services like AWS Simple Email Service (SES), which were designed to help companies manage employees’ email addresses, can be abused to make phishing emails look as if they came from the compromised organization itself. 

  • Emails sent from a compromised organization can damage the organization’s brand image and hurt relationships with third parties and customers, which could have a significant and lasting impact on the organization’s business operations. 
  • As well as carrying out phishing campaigns, threat actors can also take advantage of initial access to escalate privileges, install backdoors, and establish persistent access, allowing them to conduct long-term espionage and data exfiltration. 

To protect against these threats, we recommend implementing strict API key monitoring and management, including using API gateways to generate an SSL certificate. This certificate can be used as a second form of identity verification in conjunction with an API key, adding an additional precaution if an API key is exposed. 
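The gateway-side logic behind that recommendation is a binding check: an API key is honoured only when it arrives over a TLS connection whose verified client certificate belongs to the key's registered owner, so an exposed key alone is useless. The example below is added here and is not ReliaQuest or vendor code; the client names, keys and certificate dicts are constructed, and it assumes the TLS layer has already validated the chain (a socket created with `verify_mode=CERT_REQUIRED`) before `getpeercert()` is consulted.

```python
import hashlib
import hmac
import ssl
import time

def _digest(api_key):
    # Store only a SHA-256 digest so a leaked registry does not leak usable keys.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed registry (hypothetical clients): each key is bound to the subject
# CN of the client certificate the gateway issued for that client.
KEY_REGISTRY = {
    _digest("key-for-billing-service"): {"owner_cn": "billing.example.internal"},
    _digest("key-for-reporting-job"): {"owner_cn": "reporting.example.internal"},
}

# Constructed peer certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
CLIENT_CERT_BILLING = {"subject": ((("commonName", "billing.example.internal"),),),
                       "notAfter": "Jan  1 00:00:00 2030 GMT"}
CLIENT_CERT_REPORTING = {"subject": ((("commonName", "reporting.example.internal"),),),
                         "notAfter": "Jan  1 00:00:00 2030 GMT"}
NOW_2025 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clocks for reproducibility
NOW_2031 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2031 GMT")

def _subject_cn(peer_cert):
    """Extract commonName from the nested RDN tuples of a getpeercert() dict."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def authorize(api_key, peer_cert, now=None):
    """Gateway decision: allow only a known key presented over a TLS connection whose
    verified client certificate belongs to that key's owner. Returns (allowed, reason).
    Chain validation is the TLS layer's job; this adds the key-to-certificate binding."""
    if not api_key:
        return False, "missing API key"
    entry = KEY_REGISTRY.get(_digest(api_key))
    if entry is None:
        return False, "unknown API key"
    if not peer_cert:
        return False, "client certificate required"
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, "client certificate expired"
    cn = _subject_cn(peer_cert)
    if cn is None or not hmac.compare_digest(cn.encode(), entry["owner_cn"].encode()):
        return False, "certificate subject does not match key owner"
    return True, "authenticated as " + cn
```

A valid key presented without a certificate, or with another client's certificate, is refused; only the matching key and certificate pair is accepted.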

Protect Your Cloud Environment with ReliaQuest 

A comprehensive, multi-layered security approach is essential to protect cloud environments. This involves deploying flexible and modular options that seamlessly integrate across various cloud service providers and security tools to effectively manage data, costs, and risks. 

The ReliaQuest GreyMatter platform offers a superior security solution. It seamlessly integrates with both your existing and future security tools, extracting data in a scalable manner. This integration provides organizations with comprehensive visibility and operational efficiency through bi-directional APIs.  

By centralizing tools into a single platform, GreyMatter reduces alert fatigue and streamlines investigations across multiple cloud security layers. This ensures robust cloud security and effectively addresses specific threats like API compromises and phishing links hosted in cloud storage. With GreyMatter, enterprises are empowered to proactively defend against increasingly complex cyber threats, ensuring the security and integrity of their cloud assets.