Over half of the public cloud compromises in the first quarter of 2023 involved credential issues such as missing or weak passwords, according to a study compiled from incident response (IR) engagements worldwide.
The second most common compromise factor, misconfiguration, covered issues such as the exposure of sensitive UIs or APIs to the internet.
“An example of how these two factors are associated could include a misconfigured firewall that unintentionally provided public access to a UI,” said the Google Threat Horizons Report 2023.
The report details security incidents and risk findings observed by Google, and gives security decision-makers recommendations for protecting cloud environments against threats and for detecting and responding to them.
Based on its observations, the Google Cloud IR team revealed that 54.8 percent of public cloud compromises involved credential issues, 19 percent involved misconfigurations, and only 2.4 percent involved vulnerable software.
Additionally, it identified compromised authentication tokens and misuse of credentials as the predominant vectors for unauthorised access, which can lead to severe security breaches.
Google recommends “strong identity management guardrails” to tackle such risks in public cloud environments, the report said.
The top risk action leading to compromise in cloud environments was cross-project abuse of the access token generation permission, which accounted for 75 percent of the alerts observed; the report maps it to the MITRE ATT&CK tactic of privilege escalation and the technique "Valid Accounts: Cloud Accounts" (T1078.004).
The next most common high-risk action, replacement of existing compute disks or snapshots, accounted for 12 percent of the alerts detected.
These alerts are triggered when a compute disk or snapshot is deleted and replaced by one with the same name, a pattern commonly associated with cryptocurrency mining.
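Both of these high-risk actions leave a distinctive trace in Cloud Audit Logs, and the report's percentages come from alerting on exactly those traces. The following is an added example (not code from the Google report or from any Google product) of how a detection engineer might express the two patterns: a service account in one project calling GenerateAccessToken against a service account in another project, and a compute disk or snapshot that is deleted and re-created under the same name within a short window. The field layout (`protoPayload.methodName`, `protoPayload.resourceName`, `protoPayload.authenticationInfo.principalEmail`, `timestamp`) and the method names are modelled on Cloud Audit Log entries but are assumptions here, and the log entries themselves are constructed for the example.

```python
"""Added example: detect two high-risk Cloud Audit Log patterns described in the
Threat Horizons report, (1) cross-project access token generation and
(2) delete-then-recreate of compute disks or snapshots under the same name.
Field names and method names are assumptions modelled on Cloud Audit Logs."""
import re
from datetime import datetime, timedelta

# Service-account emails embed their home project: <name>@<project>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(r"^[^@]+@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$")
# Assumed audit-log method names for GCE disk/snapshot lifecycle calls.
COMPUTE_METHOD_RE = re.compile(r"^(?:v1|beta)\.compute\.(disks|snapshots)\.(delete|insert)$")

# Constructed sample log entries (not real data). Entry 1 is a cross-project
# token grab, entry 2 a benign same-project one, entries 3-4 a disk replaced
# under the same name, entry 5 a snapshot deleted but never re-created.
SAMPLE_LOGS = [
    {"timestamp": "2023-03-01T10:00:00Z",
     "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
                      "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": "ci-runner@proj-dev.iam.gserviceaccount.com"},
                      "resourceName": "projects/-/serviceAccounts/admin-sa@proj-prod.iam.gserviceaccount.com"}},
    {"timestamp": "2023-03-01T10:01:00Z",
     "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
                      "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": "deployer@proj-prod.iam.gserviceaccount.com"},
                      "resourceName": "projects/-/serviceAccounts/admin-sa@proj-prod.iam.gserviceaccount.com"}},
    {"timestamp": "2023-03-01T11:00:00Z",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.disks.delete",
                      "authenticationInfo": {"principalEmail": "deployer@proj-prod.iam.gserviceaccount.com"},
                      "resourceName": "projects/proj-prod/zones/us-central1-a/disks/web-01"}},
    {"timestamp": "2023-03-01T11:02:30Z",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.disks.insert",
                      "authenticationInfo": {"principalEmail": "deployer@proj-prod.iam.gserviceaccount.com"},
                      "resourceName": "projects/proj-prod/zones/us-central1-a/disks/web-01"}},
    {"timestamp": "2023-03-01T12:00:00Z",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.snapshots.delete",
                      "authenticationInfo": {"principalEmail": "deployer@proj-prod.iam.gserviceaccount.com"},
                      "resourceName": "projects/proj-prod/global/snapshots/nightly-db"}},
]


def project_of_service_account(email):
    """Return the project id embedded in a service-account email, or None for
    user accounts, which are not project-scoped and need a different check."""
    m = SA_EMAIL_RE.match(email)
    return m.group(1) if m else None


def parse_ts(ts):
    """RFC 3339 'Z' timestamps are not accepted by fromisoformat before 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_cross_project_token_generation(entries):
    """Flag GenerateAccessToken calls where the calling service account lives in
    a different project from the service account being impersonated."""
    hits = []
    for e in entries:
        p = e["protoPayload"]
        if p.get("methodName") != "GenerateAccessToken":
            continue
        caller = p["authenticationInfo"]["principalEmail"]
        target = p["resourceName"].rsplit("/", 1)[-1]
        caller_proj = project_of_service_account(caller)
        target_proj = project_of_service_account(target)
        if caller_proj and target_proj and caller_proj != target_proj:
            hits.append({"timestamp": e["timestamp"], "caller": caller, "target": target})
    return hits


def find_disk_replacements(entries, window=timedelta(minutes=10)):
    """Flag a disk or snapshot deleted and then re-created under the same
    resource name within `window`; later deletes reset the clock."""
    pending_deletes = {}
    hits = []
    for e in sorted(entries, key=lambda x: parse_ts(x["timestamp"])):
        p = e["protoPayload"]
        m = COMPUTE_METHOD_RE.match(p.get("methodName", ""))
        if not m:
            continue
        kind, action = m.groups()
        name, ts = p["resourceName"], parse_ts(e["timestamp"])
        if action == "delete":
            pending_deletes[name] = ts
        elif name in pending_deletes and ts - pending_deletes[name] <= window:
            hits.append({"kind": kind, "resource": name,
                         "deleted": pending_deletes.pop(name).isoformat(),
                         "recreated": ts.isoformat(),
                         "principal": p["authenticationInfo"]["principalEmail"]})
    return hits


if __name__ == "__main__":
    for hit in find_cross_project_token_generation(SAMPLE_LOGS):
        print("cross-project token generation:", hit)
    for hit in find_disk_replacements(SAMPLE_LOGS):
        print("disk/snapshot replaced under same name:", hit)
```

The cross-project check only decides on service-account principals, because a user principal's email carries no project; in practice the same alert should also fire when the impersonating identity is a user outside the target project, which requires joining against the project's IAM policy rather than parsing the email. The replacement window is deliberately short: legitimate infrastructure-as-code reconciliation can also delete and re-create a disk, so the alert is a prompt to check the new disk's source image and the principal, not a verdict on its own.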
The Threat Horizons report also identifies instances of Android applications that download malicious updates after installation, a technique known as "versioning", in an attempt to evade Google Play Store's malware detection.
"Campaigns using versioning commonly target users' credentials, data, and finances," the report said.
It suggests organisations keep devices regularly updated, use mobile device management capabilities such as continuous assessment of mobile app behaviour and application allowlists, and configure alerts so they are notified when a potentially harmful app (PHA) is found.
Further, the report highlights the growing problem of compromised customer domains and IP addresses hosted on Google Cloud.
"Using 2022-23 VirusTotal and Mandiant data, we discovered 13 customer domains and one IP hosted on Google Cloud that were compromised in Q1 2023," the report said.
"We encourage and provide guidance to all Google Cloud customers to periodically examine their domains and IPs for malicious activity," it added.
The tech giant also highlights threats to the telecommunications industry, with wireless telecommunications, IT and telecom services, and data services the most targeted sub-sectors.
“As the telecommunications industry adopts cloud services, threats from nation states and cybercriminals will likely persist—along with pre-existing systemic cyber risk,” the report warns.
It suggests organisations mitigate these risks through the adoption of cloud services and cloud-native security paradigms, including Zero Trust, to "improve cybersecurity, maintain the resiliency of operations, and enhance security operations".
The researchers also examine, with the stated aim of raising awareness, how source code compromises or leaks give threat actors material for follow-on exploitation.
The most common causes of source code leaks identified in the report are credential or token compromise, third-party compromise, misconfiguration, and insider threat.
Additionally, the report identified "unsecured third-party resources as one of the top threats to cloud computing".
Various third-party services and distribution channels used by customers can be leveraged by attackers, such as cloud marketplaces, browser extensions, OAuth applications, and IDE extensions.
"Though each offers different levels of security to help secure their users and reduce risk, they are essentially black boxes for organisations," the report alerted.