As organizations increasingly adopt cloud technologies, cybercriminals have adapted their tactics to target these environments, but their primary method remains the same: exploiting credentials.

Cloud adoption continues to rise, with the market expected to reach $600 billion during 2024. It increasingly attracts cybercriminals. IBM’s Cost of a Data Breach Report found that 40% of all breaches involved data distributed across multiple environments.

IBM X-Force, partnering with Cybersixgill and Red Hat Insights, analyzed the methods by which cybercriminals targeted this market during the period June 2023 to June 2024. It’s the credentials; but complicated by the defenders’ growing use of MFA.

The average cost of compromised cloud access credentials continues to decrease, down by 12.8% over the last three years (from $11.74 in 2022 to $10.23 in 2024). IBM describes this as ‘market saturation’; but it could equally be described as ‘supply and demand’; that is, the result of criminal success in credential theft.

Infostealers are an important part of this credential theft. The top two infostealers in 2024 are Lumma and RisePro. They had little to zero dark web activity in 2023. Conversely, the most popular infostealer in 2023 was Raccoon Stealer, but Raccoon chatter on the dark web in 2024 reduced from 3.1 million mentions to 3.3 thousand in 2024. The increase in the former is very close to the decrease in the latter, and it is unclear from the statistics whether law enforcement activity against Raccoon distributors diverted the criminals to different infostealers, or whether it is a clear preference.

IBM notes that BEC attacks, heavily reliant on credentials, accounted for 39% of its incident response engagements over the last two years. “More specifically,” notes the report, “threat actors are frequently leveraging AITM phishing tactics to bypass user MFA.”

In this scenario, a phishing email persuades the user to log into the ultimate target but directs the user to a false proxy page mimicking the target login portal. This proxy page allows the attacker to steal the user’s login credential outbound, the MFA token from the target inbound (for current use), and session tokens for ongoing use.

The report also discusses the growing tendency for criminals to use the cloud for its attacks against the cloud. “Analysis… revealed an increasing use of cloud-based services for command-and-control communications,” notes the report, “since these services are trusted by organizations and blend seamlessly with regular enterprise traffic.” Dropbox, OneDrive and Google Drive are called out by name. APT43 (sometimes aka Kimsuky) used Dropbox and TutorialRAT; an APT37 (also sometimes aka Kimsuky) phishing campaign used OneDrive to distribute RokRAT (aka Dogcall); and a separate campaign used OneDrive to host and distribute Bumblebee malware.

Staying with the general theme that credentials are the weakest link and the biggest single cause of breaches, the report also notes that 27% of CVEs discovered during the reporting period comprised XSS vulnerabilities, “which could allow threat actors to steal session tokens or redirect users to malicious web pages.”

If some form of phishing is the ultimate source of most breaches, many commentators believe the situation will worsen as criminals become more practiced and adept at harnessing the potential of large language models (gen-AI) to help generate better and more sophisticated social engineering lures at a far greater scale than we have today.

X-Force comments, “The near-term threat from AI-generated attacks targeting cloud environments remains moderately low.” Nevertheless, it also notes that it has observed Hive0137 using gen-AI. On July 26, 2024, X-Force researchers published these findings: “X -Force believes Hive0137 likely leverages LLMs to assist in script development, as well as create authentic and unique phishing emails.”

If credentials already pose a significant security concern, the question then becomes, what to do? One X-Force recommendation is fairly obvious: use AI to defend against AI. Other recommendations are equally obvious: strengthen incident response capabilities; and use encryption to protect data at rest, in use, and in transit. 

But these alone do not prevent bad actors getting into the system through credential keys to the front door. “Build a stronger identity security posture,” says X-Force. “Embrace modern authentication methods, such as MFA, and explore passwordless options, such as a QR code or FIDO2 authentication, to fortify defenses against unauthorized access.”

It’s not going to be easy. “QR codes are not considered phish resistant,” Chris Caridi, strategic cyber threat analyst at IBM Security X-Force, told SecurityWeek. “If a user were to scan a QR code in a malicious email and then proceed to enter credentials, all bets are off.”

But it’s not entirely hopeless. “FIDO2 security keys would provide protection against the theft of session cookies; and the public/private keys factor in the domains associated with the communication (a spoofed domain would cause authentication to fail),” he continued. “This is a great option to protect against AITM.”

Close that front door as firmly as possible, and secure the innards is the order of the day.

Related: Phishing Attack Bypasses Security on iOS and Android to Steal Bank Credentials

Related: Stolen Credentials Have Turned SaaS Apps Into Attackers’ Playgrounds

Related: Adobe Adds Content Credentials and Firefly to Bug Bounty Program

Related: Ex-Employee’s Admin Credentials Used in US Gov Agency Hack