Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Cloud Security – August 2024

Threat Intelligence Briefing

by Resilience Threat Intelligence
Published

Key Takeaways

August 2024 featured several notable cyber incidents, including a cloud-based extortion campaign that exploited exposed environment variables and a misconfigured Google Cloud bucket that leaked the personal data of 83,000 customers. Threat actor activity included “IntelBroker” advertising access to AWS services, such as Simple Storage Service (S3) and Simple Email Service (SES), highlighting ongoing risks related to cloud security.

Notable Cyber Incidents

Several key incidents were reported in August 2024:

  • August 7: Researchers identified six vulnerabilities in AWS and a privilege escalation vulnerability in Microsoft Azure Entra ID.
  • August 8: A phishing campaign targeted AWS accounts, falsely stating that services were suspended due to pending charges.
  • August 13: Vulnerabilities in Azure Health Bot Service were discovered, allowing for privilege escalation via server-side request forgery (SSRF).
  • August 14: The “Gafgyt” malware variant was used in a cryptojacking campaign targeting cloud instances with weak SSH passwords.
  • August 22: A misconfigured Google Cloud bucket exposed the personal data of 83,000 customers of Alice’s Table.
  • August 30: Atlassian Confluence servers were compromised using a vulnerability (CVE-2023-22527), resulting in the deployment of the “Godzilla” web shell.

Tactics, Techniques, and Procedures (TTPs)

Details of cyber incidents were generally limited to protect organizations’ reputations and avoid further exploitation. Observed TTPs from August include remote service exploitation, cloud storage discovery, credential access exploitation, and resource hijacking. Other techniques included phishing, file and directory discovery, and exfiltration of data using cloud services.

Criminal Discussions and Market Activity

Criminal forums remained active in August:

  • Cloud Access Sales: Threat actors on BreachForums offered various cloud services, including AWS, Cloudflare, and “Digital Billboard Network” access.
  • Credential Listings: Analysts detected 1,127 instances of AWS credentials, 329 Azure credentials, and 40 Google Cloud Platform credentials being sold in illicit markets, primarily harvested through stealer malware.

Volume of Discussion

Tracking mentions of cloud service providers across criminal forums in 2024 showed continued interest, with AWS generating the most discussions, followed by Azure and Google Cloud. Changes in the administration of Russian Market and BreachForums impacted the visibility of logs but did not significantly alter the underlying market activity.

Recommendations

  • Vulnerability Management: Regularly scan for and address vulnerabilities in cloud services and applications.
  • Phishing Prevention: Implement robust anti-phishing measures and train employees to recognize phishing attempts.
  • Credential Monitoring: Continuously monitor for compromised credentials and unauthorized access attempts, particularly for cloud environments.
  • Data Protection: Secure sensitive data in cloud storage with encryption and proper access controls.
  • Incident Preparedness: Maintain and update incident response plans to swiftly address cloud-based threats and breaches.


Disclaimer
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please contact +1 (302) 722-7236 or call our emergency hotline claims_intl@cyberresilience.com.

You might also like

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]

cyber resilience framework

AI and Misuse

Welcome to part two in our series on AI and cyber risk. Be sure to read the first installment “What you need to know: Artificial Intelligence at the Heart of Cyber,” here. Key takeaways Background In February 2024, OpenAI – in collaboration with Microsoft— tracked adversaries from Russia, North Korea, Iran, and China, leveraging their […]

cyber resilience framework

Cybersecurity Incidents & Trends in Canada

Executive Summary Emerging cyber threats increasingly target Canadian organizations, government agencies, and individuals, with recent attacks revealing sophisticated tactics by threat actors. Threat actors delivered the Formbook infostealer to companies via emails that posed as job candidates. Meanwhile, the Chameleon Trojan attacked Canadian financial institutions and a restaurant chain by masquerading as legitimate apps. Cybercriminals […]

Digital Risk: Enterprises Need More Than Cyber Insurance

What you need to know: Artificial Intelligence at the Heart of Cyber

As AI technologies become more embedded in cyber strategies, they enhance the capabilities of threat actors while also offering innovative defenses to organizations [1]. AI tools can amplify adversaries’ traditional Techniques, Tools, and Procedures (TTPs) by automating the generation of sophisticated threats such as polymorphic malware — which can dynamically alter its code to evade […]