Identity and Access Management (IAM) has become increasingly critical and complex due to the pandemic-induced transition to cloud platforms. To understand how IAM policies affect cloud security posture, Unit 42 researchers analyzed 680,000 identities in 18,000 cloud accounts over 200 organizations.
Percentage of cloud users, roles, services, and resources granted permissions not being used
Percentage of organizations that have publicly exposed resources
Percentage of cloud accounts using weak IAM passwords
Our findings show that most organizations have misconfigured or overly permissive identity access controls. Adversaries know this and are leveraging new tactics, techniques, and procedures (TTPs) to take advantage of the situation.
Unit 42 researchers have defined a malicious attacker employing these new TTPs as a Cloud Threat Actor (CTA) — an individual or group posing a threat to organizations through directed and sustained access to cloud platform resources, services, or embedded metadata.
TeamTNT is the most well-known and sophisticated credential-targeting group.
WatchDog is considered to be an opportunistic threat group that targets exposed cloud instances and applications.
Kinsing is a financially motivated and opportunistic cloud threat actor with heavy potential for cloud credential collection.
Rocke specializes in ransomware and cryptojacking operations within cloud environments.
8220, a Monero mining group, purportedly elevated its mining operations by exploiting Log4j in December 2021.
Our team has created an industry-first Cloud Threat Actor Index, charting the operations performed by actor groups that target cloud infrastructure.
These charts (included in the report) detail the TTPs of each cloud threat actor, allowing your security team and wider organization to evaluate your strategic defenses and build the proper monitoring, detection, alerting, and prevention mechanisms.
We recommend the following ways to defend your organization against threats that target the cloud: