Here's why cloud credentials are the hottest item on criminal marketplaces

Stolen cloud credentials cost about the same as a dozen donuts, according to IBM X-Force, whose threat intel team says logins make up almost 90 percent of goods and services for sale on dark web marketplaces.

However, in many instances criminals don't even need to shell out the 10 bucks. X-Force also discovered plaintext credentials on user endpoints in a third (33 percent) of all the cloud-related incidents it responded to.

"And that's a terribly high number relative to what the industry should know at this point about safekeeping of secrets and passwords in particular," said Chris Caridi, a cyber threat analyst at IBM X-Force, who authored the 2023 Cloud Threat Landscape Report.

In light of these other statistics, perhaps it shouldn't be too surprising that valid credentials are the most common initial access vector in cloud security breaches, occurring in 36 percent of all cases that the X-Force IR team responded over a 13-month period.

The annual report is based on X-Force threat intelligence, penetration tests, incident response engagements, and dark web analysis (some provided by Cybersixgill), all collected and compiled between June 2022 and June 2023.

It illustrates how organizations have become better at some things like endpoint security. And in response, criminals found a different, more efficient entry point to break into corporate IT environments: the cloud.

Back in 2020, initial access brokers were primarily selling access via infected endpoints, according to X-Force Head of Research John Dwyer.

"We've seen over the last three years additional investment into endpoint security," Dwyer told The Register. "Our clients got better at detecting back doors, which are directly related to extortion-based attacks. So what has been interesting to see is the criminal ecosystem move to credentials as an access vector to continue these criminal operations."

Also at play is the rapid migration to cloud in 2020 as organizations scrambled to accommodate the pandemic-induced work from home shift.

While companies were quick to adopt cloud infrastructure, "we haven't seen the same sort of adoption with a cloud-specific security posture," Dwyer said. "Criminals are very observant as to where they are able to gain access, and that is often through cloud because of rapid expansion and complexity."

This also points to the need for better identity and access management in the cloud, which is something other analysts and security researchers have noted, highlighting the proliferation of cloud services and the permissions attached to them.

Plus, most organizations use more than one cloud. "So if I can get the same level of access to the same number of organizations by purchasing credentials for the same cost as some donuts, why wouldn't I take advantage of that?" Dwyer added.

Cloud CVEs jump 194 percent

X-Force tracked 632 new cloud-related CVEs during the 13-month period – a 194 percent increase from last year. To be fair, the number of security vulnerabilities in 2022 dipped dramatically, falling to just about 200, so the 2023 number is essentially back on par with 2021's count, which was slightly higher.

However, this year's bugs were unique in that "about 60 percent of those vulnerabilities were more severe in their ability to allow an attacker or either gain some type of information or gain access or privileges," Caridi said.

Specifically, 21 percent allowed criminals to obtain information, 20 percent allowed them to gain access, and 16 percent allowed them to gain privileges.

And once they've gained access to users' cloud infrastructure, they can abuse this to deploy illicit cryptominers, ransomware, and other types of malware.

Don't discount cryptominers

Cryptominers, while not a new cloud threat, are something that organizations should be paying more attention to, according to X-Force.

Miners aren't as attention-grabbing as things like ransomware, which is the point. They want to remain quiet and go unnoticed for as long as possible. Once they've broken into a victim's environment, which is usually due to compromised credentials, they stealthily deploy mining malware and gobble up coins – and stolen compute resources – until they get caught.

In this year's report, X-Force highlighted the trend of using compromised credentials for illicit mining using cloud resources, and the threats associated with excessively privileged cloud users. These are the human and machine identities that have been granted more permissions than they need.

"Cryptominers are able to get into cloud accounts over and over again," Dwyer said, adding that companies should look back to the advent of banking trojans because they tell a cautionary tale of how malware such as cryptominers can evolve over time.

• Cloud infrastructure security is having an identity crisis. Can CIEM help?
• FBI-led Operation Duck Hunt shoots down Qakbot
• Cloud is here to stay, but customers are starting to question the cost
• Despite the hype, generative AI is not a significant chunk of enterprise cloud spend

Remember banking trojans?

"The only thing it took was the change in the goal of banking trojans to become an access broker, and the entire world burned to the ground for two, three years," he said.

QBot, for example, is a 16-year-old banking trojan that has since evolved to deliver ransomware, steal sensitive data, enable lateral movement through organizations' environments, and deploy remote code execution software.

When the Feds dismantled QBot, aka Qakbot, in late August, they said the banking trojan turned malware loader was responsible for 40 ransom infections in the last 18 months costing organizations $58 million in losses.

"We had this piece of malware that was really good at getting into places, persisting in the environment, we had an overextension of privileges on it, and because of that criminals set up this attack path that could be used for extortion-based attacks against the globe," Dwyer said, talking about the evolution of trojans in general, although it could also be used to describe QBot more specifically.

"What I'm worried about is that we find out, five years down the road, cryptominers are now the new access broker into cloud," he continued. "And we are now opening up for a new extortion-based attack where people are taking over cloud accounts and locking clients out of them."

Silver linings

It's not too late, however, and there are things that organizations can do to improve their cloud security posture. X-Force has a whole section in the report dedicated to recommendations and best practices.

This includes monitoring your cloud environment and being able to detect anomalies and other odd behavior that might indicate compromise. Companies need to understand the full scope of their attack surface, which includes hunting for shadow IT infrastructure, and shutting down any inactive entitlements.

"We saw in the report, one of the main points of access is exposed RDP," Dwyer said. "Everyone in security knows that that shouldn't be the case. So we need to proactively do these discoveries of access into our cloud accounts, things like attack surface discovery, monitoring for new services are accounts, and then understanding those pathways are associated with exposures."

The report also suggests implementing network segmentation to restrict access to sensitive resources and also prevent lateral movement should a break-in occur.

Additionally, security best practices still apply in the cloud: use a zero-trust approach to security that includes multi-factor authentication (MFA) and least-privilege access.

Plus, modern identity and access management that use MFA, and removing the threat of easily-guessed passwords and reused username and password combos, "can be game changers," Caridi said. ®