Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Cloud Security – August 2024

Threat Intelligence Briefing

by Resilience Threat Intelligence
Published

Key Takeaways

August 2024 featured several notable cyber incidents, including a cloud-based extortion campaign that exploited exposed environment variables and a misconfigured Google Cloud bucket that leaked the personal data of 83,000 customers. Threat actor activity included “IntelBroker” advertising access to AWS services, such as Simple Storage Service (S3) and Simple Email Service (SES), highlighting ongoing risks related to cloud security.

Notable Cyber Incidents

Several key incidents were reported in August 2024:

  • August 7: Researchers identified six vulnerabilities in AWS and a privilege escalation vulnerability in Microsoft Azure Entra ID.
  • August 8: A phishing campaign targeted AWS accounts, falsely stating that services were suspended due to pending charges.
  • August 13: Vulnerabilities in Azure Health Bot Service were discovered, allowing for privilege escalation via server-side request forgery (SSRF).
  • August 14: The “Gafgyt” malware variant was used in a cryptojacking campaign targeting cloud instances with weak SSH passwords.
  • August 22: A misconfigured Google Cloud bucket exposed the personal data of 83,000 customers of Alice’s Table.
  • August 30: Atlassian Confluence servers were compromised using a vulnerability (CVE-2023-22527), resulting in the deployment of the “Godzilla” web shell.

Tactics, Techniques, and Procedures (TTPs)

Details of cyber incidents were generally limited to protect organizations’ reputations and avoid further exploitation. Observed TTPs from August include remote service exploitation, cloud storage discovery, credential access exploitation, and resource hijacking. Other techniques included phishing, file and directory discovery, and exfiltration of data using cloud services.

Criminal Discussions and Market Activity

Criminal forums remained active in August:

  • Cloud Access Sales: Threat actors on BreachForums offered various cloud services, including AWS, Cloudflare, and “Digital Billboard Network” access.
  • Credential Listings: Analysts detected 1,127 instances of AWS credentials, 329 Azure credentials, and 40 Google Cloud Platform credentials being sold in illicit markets, primarily harvested through stealer malware.

Volume of Discussion

Tracking mentions of cloud service providers across criminal forums in 2024 showed continued interest, with AWS generating the most discussions, followed by Azure and Google Cloud. Changes in the administration of Russian Market and BreachForums impacted the visibility of logs but did not significantly alter the underlying market activity.

Recommendations

  • Vulnerability Management: Regularly scan for and address vulnerabilities in cloud services and applications.
  • Phishing Prevention: Implement robust anti-phishing measures and train employees to recognize phishing attempts.
  • Credential Monitoring: Continuously monitor for compromised credentials and unauthorized access attempts, particularly for cloud environments.
  • Data Protection: Secure sensitive data in cloud storage with encryption and proper access controls.
  • Incident Preparedness: Maintain and update incident response plans to swiftly address cloud-based threats and breaches.

Disclaimer
This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please contact +1 (302) 722-7236 or call our emergency hotline claims_intl@cyberresilience.com.

About the Author
Resilience Threat Intelligence

You might also like

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]