Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Cloud Security – August 2024

Threat Intelligence Briefing

by Resilience Threat Intelligence
Published

Key Takeaways

August 2024 featured several notable cyber incidents, including a cloud-based extortion campaign that exploited exposed environment variables and a misconfigured Google Cloud bucket that leaked the personal data of 83,000 customers. Threat actor activity included “IntelBroker” advertising access to AWS services, such as Simple Storage Service (S3) and Simple Email Service (SES), highlighting ongoing risks related to cloud security.

Notable Cyber Incidents

Several key incidents were reported in August 2024:

  • August 7: Researchers identified six vulnerabilities in AWS and a privilege escalation vulnerability in Microsoft Azure Entra ID.
  • August 8: A phishing campaign targeted AWS accounts, falsely stating that services were suspended due to pending charges.
  • August 13: Vulnerabilities in Azure Health Bot Service were discovered, allowing for privilege escalation via server-side request forgery (SSRF).
  • August 14: The “Gafgyt” malware variant was used in a cryptojacking campaign targeting cloud instances with weak SSH passwords.
  • August 22: A misconfigured Google Cloud bucket exposed the personal data of 83,000 customers of Alice’s Table.
  • August 30: Atlassian Confluence servers were compromised using a vulnerability (CVE-2023-22527), resulting in the deployment of the “Godzilla” web shell.

Tactics, Techniques, and Procedures (TTPs)

Details of cyber incidents were generally limited to protect organizations’ reputations and avoid further exploitation. Observed TTPs from August include remote service exploitation, cloud storage discovery, credential access exploitation, and resource hijacking. Other techniques included phishing, file and directory discovery, and exfiltration of data using cloud services.

Criminal Discussions and Market Activity

Criminal forums remained active in August:

  • Cloud Access Sales: Threat actors on BreachForums offered various cloud services, including AWS, Cloudflare, and “Digital Billboard Network” access.
  • Credential Listings: Analysts detected 1,127 instances of AWS credentials, 329 Azure credentials, and 40 Google Cloud Platform credentials being sold in illicit markets, primarily harvested through stealer malware.

Volume of Discussion

Tracking mentions of cloud service providers across criminal forums in 2024 showed continued interest, with AWS generating the most discussions, followed by Azure and Google Cloud. Changes in the administration of Russian Market and BreachForums impacted the visibility of logs but did not significantly alter the underlying market activity.

Recommendations

  • Vulnerability Management: Regularly scan for and address vulnerabilities in cloud services and applications.
  • Phishing Prevention: Implement robust anti-phishing measures and train employees to recognize phishing attempts.
  • Credential Monitoring: Continuously monitor for compromised credentials and unauthorized access attempts, particularly for cloud environments.
  • Data Protection: Secure sensitive data in cloud storage with encryption and proper access controls.
  • Incident Preparedness: Maintain and update incident response plans to swiftly address cloud-based threats and breaches.

Disclaimer
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please contact +1 (302) 722-7236 or call our emergency hotline claims_intl@cyberresilience.com.

About the Author
Resilience Threat Intelligence

You might also like

Why vendor discovery matters now (and how most organizations get it wrong)

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to […]

The healthcare cybersecurity crisis that’s costing organizations millions in damages

The U.S. healthcare sector faces an unprecedented cybersecurity crisis. With 168 million healthcare records breached in 2023 and ransomware attacks surging 32% in 2024, the industry confronts threats that have evolved beyond data theft to sophisticated campaigns capable of paralyzing critical patient care infrastructure. Despite these trends, cybersecurity often receives insufficient leadership attention. A 2025 […]

Your cyber insurance policy could be a target

Organizations invest heavily in cyber insurance policies to shield their businesses from evolving threats, but many overlook a critical vulnerability: the security of the insurance policy documents themselves. While these policies are designed to protect you from cyber threats, they can become powerful weapons when they fall into the wrong hands. Over the past year, […]

A complete guide to domain spoofing

Domain spoofing is a cyberattack technique most commonly used in phishing and fraud, where criminals impersonate a legitimate organization’s domain name to deceive users. Think of it as digital identity theft at scale: Attackers make fraudulent emails or websites appear as if they originate from your trusted company domain, tricking victims into revealing sensitive data, […]

The 3 types of CISOs: How to succeed in any version – and what to do when you’re misaligned

As the CISO, are you and your organization in alignment? The CISO role has evolved dramatically over the past decade, but organizational cybersecurity programs have not always kept pace.  If you think about CISOs like software versions, version 1.0 is your first generation of CISOs, focused on structure and technical architecture. Version 2.0 moves beyond […]

The Security Squeeze

One of the most important features of the Resilience SaaS platform is our Quantified Cyber Action Plan. It supports CISOs making decisions under risk and uncertainty by providing a prioritization for which cyber controls should be implemented, based on their ROI. The power of this approach lies in the fact that it guides the most […]