Threatonomics

Cloud Security – August 2024

Threat Intelligence Briefing

by Resilience Threat Intelligence

Key Takeaways

August 2024 featured several notable cyber incidents, including a cloud-based extortion campaign that exploited exposed environment variables and a misconfigured Google Cloud bucket that leaked the personal data of 83,000 customers. Threat actor activity included “IntelBroker” advertising access to AWS services, such as Simple Storage Service (S3) and Simple Email Service (SES), highlighting ongoing risks related to cloud security.

Notable Cyber Incidents

Several key incidents were reported in August 2024:

  • August 7: Researchers identified six vulnerabilities in AWS and a privilege escalation vulnerability in Microsoft Azure Entra ID.
  • August 8: A phishing campaign targeted AWS accounts, falsely stating that services were suspended due to pending charges.
  • August 13: Vulnerabilities in Azure Health Bot Service were discovered, allowing for privilege escalation via server-side request forgery (SSRF).
  • August 14: The “Gafgyt” malware variant was used in a cryptojacking campaign targeting cloud instances with weak SSH passwords.
  • August 22: A misconfigured Google Cloud bucket exposed the personal data of 83,000 customers of Alice’s Table.
  • August 30: Atlassian Confluence servers were compromised using a vulnerability (CVE-2023-22527), resulting in the deployment of the “Godzilla” web shell.

Tactics, Techniques, and Procedures (TTPs)

Details of cyber incidents were generally limited to protect organizations’ reputations and avoid further exploitation. Observed TTPs from August include remote service exploitation, cloud storage discovery, credential access exploitation, and resource hijacking. Other techniques included phishing, file and directory discovery, and exfiltration of data using cloud services.

Criminal Discussions and Market Activity

Criminal forums remained active in August:

  • Cloud Access Sales: Threat actors on BreachForums offered various cloud services, including AWS, Cloudflare, and “Digital Billboard Network” access.
  • Credential Listings: Analysts detected 1,127 instances of AWS credentials, 329 Azure credentials, and 40 Google Cloud Platform credentials being sold in illicit markets, primarily harvested through stealer malware.

Volume of Discussion

Tracking mentions of cloud service providers across criminal forums in 2024 showed continued interest, with AWS generating the most discussions, followed by Azure and Google Cloud. Changes in the administration of Russian Market and BreachForums impacted the visibility of logs but did not significantly alter the underlying market activity.

Recommendations

  • Vulnerability Management: Regularly scan for and address vulnerabilities in cloud services and applications.
  • Phishing Prevention: Implement robust anti-phishing measures and train employees to recognize phishing attempts.
  • Credential Monitoring: Continuously monitor for compromised credentials and unauthorized access attempts, particularly for cloud environments.
  • Data Protection: Secure sensitive data in cloud storage with encryption and proper access controls.
  • Incident Preparedness: Maintain and update incident response plans to swiftly address cloud-based threats and breaches.


Disclaimer
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please contact +1 (302) 722-7236 or call our emergency hotline claims_intl@cyberresilience.com.
