Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Cloud Security – August 2024

Threat Intelligence Briefing

by Resilience Threat Intelligence
Published

Key Takeaways

August 2024 featured several notable cyber incidents, including a cloud-based extortion campaign that exploited exposed environment variables and a misconfigured Google Cloud bucket that leaked the personal data of 83,000 customers. Threat actor activity included “IntelBroker” advertising access to AWS services, such as Simple Storage Service (S3) and Simple Email Service (SES), highlighting ongoing risks related to cloud security.

Notable Cyber Incidents

Several key incidents were reported in August 2024:

  • August 7: Researchers identified six vulnerabilities in AWS and a privilege escalation vulnerability in Microsoft Azure Entra ID.
  • August 8: A phishing campaign targeted AWS accounts, falsely stating that services were suspended due to pending charges.
  • August 13: Vulnerabilities in Azure Health Bot Service were discovered, allowing for privilege escalation via server-side request forgery (SSRF).
  • August 14: The “Gafgyt” malware variant was used in a cryptojacking campaign targeting cloud instances with weak SSH passwords.
  • August 22: A misconfigured Google Cloud bucket exposed the personal data of 83,000 customers of Alice’s Table.
  • August 30: Atlassian Confluence servers were compromised using a vulnerability (CVE-2023-22527), resulting in the deployment of the “Godzilla” web shell.

Tactics, Techniques, and Procedures (TTPs)

Details of cyber incidents were generally limited to protect organizations’ reputations and avoid further exploitation. Observed TTPs from August include remote service exploitation, cloud storage discovery, credential access exploitation, and resource hijacking. Other techniques included phishing, file and directory discovery, and exfiltration of data using cloud services.

Criminal Discussions and Market Activity

Criminal forums remained active in August:

  • Cloud Access Sales: Threat actors on BreachForums offered various cloud services, including AWS, Cloudflare, and “Digital Billboard Network” access.
  • Credential Listings: Analysts detected 1,127 instances of AWS credentials, 329 Azure credentials, and 40 Google Cloud Platform credentials being sold in illicit markets, primarily harvested through stealer malware.

Volume of Discussion

Tracking mentions of cloud service providers across criminal forums in 2024 showed continued interest, with AWS generating the most discussions, followed by Azure and Google Cloud. Changes in the administration of Russian Market and BreachForums impacted the visibility of logs but did not significantly alter the underlying market activity.

Recommendations

  • Vulnerability Management: Regularly scan for and address vulnerabilities in cloud services and applications.
  • Phishing Prevention: Implement robust anti-phishing measures and train employees to recognize phishing attempts.
  • Credential Monitoring: Continuously monitor for compromised credentials and unauthorized access attempts, particularly for cloud environments.
  • Data Protection: Secure sensitive data in cloud storage with encryption and proper access controls.
  • Incident Preparedness: Maintain and update incident response plans to swiftly address cloud-based threats and breaches.

Disclaimer
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please contact +1 (302) 722-7236 or call our emergency hotline claims_intl@cyberresilience.com.

About the Author
Resilience Threat Intelligence

You might also like

Scattered Spider strikes again in recent UK retail attacks

In the past two weeks, the UK retail industry has faced an unprecedented wave of sophisticated cyberattacks, exposing critical vulnerabilities across the sector. The high-profile breaches at Marks & Spencer, Harrods, and others have sent shockwaves through the industry, with M&S alone suffering an estimated £3.8 million in lost online sales per day and seeing […]

See what a cyber attack could really cost your enterprise

Data breaches cost U.S. businesses an average of $9.36 million per breach in 2024, yet many enterprises still struggle to quantify their specific cyber risk exposure in financial terms. How do you translate complex technical vulnerabilities into language that your CFO, board members, and other stakeholders can understand and act upon? We’re excited to announce […]

A decision scientist’s perspective on AI

As the Senior Director of Cyber Resilience at Resilience, I bring a somewhat unconventional perspective to the table. Unlike many in our industry who come from traditional cybersecurity or insurance backgrounds, my expertise lies in decision science. Throughout my career, I’ve been fascinated by one central question: How can we help people make good decisions […]

What enterprises over $10 billion need to know about managing cyber risk

The role of the Chief Information Security Officer has undergone a profound transformation from a purely technical role to a strategic business one in recent years. For CISOs operating in organizations with over $10 billion in revenue—a segment that Resilience has recently expanded its cyber risk solutions to serve—the shift comes with unique pressures and […]

How to create an effective Incident Response Plan

Cyberattacks are no longer a distant threat—they are a certainty. Whether it’s a ransomware attack, data breach, or insider threat, organizations must be prepared to respond quickly and effectively. Without a solid plan in place, even a minor security incident can spiral into a major crisis, leading to financial losses, reputational damage, and regulatory penalties. […]

Understanding the ClickFix attack

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix cleverly manipulates users into […]