Cloud Attacks Raises by Five Times Attacking Sensitive IAM Service Accounts

Organizations are facing an unbelievable surge in cloud-based security threats, with attacks nearly five times more frequent at the end of 2024 compared to the beginning of the year.

Most concerning is the targeted attack on Identity and Access Management (IAM) tokens, which security researchers describe as “holding the keys to the cloud kingdom.”

The comprehensive analysis by Unit 42 highlights a 388% overall increase in cloud security alerts throughout 2024, with high-severity alerts climbing by an alarming 235%. 

These figures represent a significant escalation in both the volume and sophistication of attacks against cloud environments. “Identity is the defense perimeter of cloud infrastructure,” states the Unit 42 report. 

“Attackers target IAM tokens and credentials as they hold the keys to the cloud kingdom, allowing attackers to move laterally, escalate their permissions and perform additional malicious operations.”

Stop attacks before they start, powered by a 97% precise neural Network to Detect Cyber Attacks

High-Severity Cloud Alerts

Among the most troubling trends identified was the surge in remote command-line access events utilizing IAM tokens and credentials, which increased threefold in 2024. 

By December, the average cloud environment experienced over 200 alerts for remote command-line usage of serverless function IAM tokens, compared to just two such alerts in January.

The research documented several other concerning patterns:

• 116% rise in IAM-based “impossible travel” alerts
• 60% increase in IAM API requests from outside authorized regions
• 45% increase in cloud snapshot exports
• 305% jump in suspicious downloads of multiple cloud storage objects

Security researchers noted these attacks align with findings from their 2024 State of Cloud-Native Security Report, which found 71% of organizations attributing increased vulnerability exposures to accelerated deployments, while 45% reported a rise in advanced persistent threat (APT) attacks.

A particularly alarming example involves a ransomware campaign that harvested over 90,000 credentials from 110,000 targeted domains, including nearly 1,200 cloud IAM credentials. 

These stolen credentials enabled successful extortion attacks against multiple organizations.

The concentration of attacks on serverless functions has drawn particular concern. According to the research, serverless functions are designed to operate autonomously, and remote usage of a serverless function’s IAM token indicates compromise and potential lateral movement within cloud environments.

Experts recommend implementing Cloud Detection and Response (CDR) tools alongside traditional Cloud Security Posture Management (CSPM) solutions. 

While CSPM tools focus on configuration vulnerabilities, CDR provides runtime monitoring to detect malicious activities as they occur.

Recommendations for Enhanced Cloud Security

Key recommendations include:

• Deploying CDR security for all cloud environments.
• Ensuring runtime-enabled agents on mission-critical cloud endpoints.
• Implementing cloud audit log monitoring from CSP providers.
• Restricting CSP regions where compute and serverless functions can operate.
• Enforcing least-privilege architecture for IAM credentials.
• Enabling cloud storage versioning and encryption.

“Given the increasing threats targeting cloud environments, the only real defense is to require cloud-based agents for publicly exposed and critical cloud endpoints,” the report concludes, emphasizing that runtime monitoring and response capabilities are essential to prevent malicious operations within cloud infrastructures.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The post Cloud Attacks Raises by Five Times Attacking Sensitive IAM Service Accounts appeared first on Cyber Security News.