Organizations with weak cloud security controls and gaps in cross-domain visibility are getting outmaneuvered by threat actors and struck by intrusions, CrowdStrike said in its annual Global Threat Report.
Cloud environment intrusions jumped 75% from 2022 to 2023, as threat actors abused unique cloud features to initiate attacks, the report found.
“This is not surprising,” Adam Meyers, head of counter adversary operations at CrowdStrike, said in the report. “We’ve seen more and more organizations deploying more and more cloud resources without necessarily having a cohesive or equivalent security posture for their cloud deployments as they do in their traditional enterprise deployments.”
Threat actors are taking advantage of inconsistent cloud security structures and “living in that uncertainty between the enterprise and the cloud,” Meyers said.
Cybercriminals are using the cloud to deploy tooling, such as Microsoft Azure run commands, inside enterprise targets, according to Meyers.
More than four in five cloud intrusions directly attributed to a threat actor last year were financially motivated, the report said.
Earlier this month, Proofpoint researchers warned about an ongoing Microsoft Azure account takeover campaign that has impacted more than 100 organizations. The financially-motivated threat actors behind these attacks are targeting individual employees, including executives.
Cyberattacks conducted by cloud-savvy threat actors, or groups that are aware they gained access to a victim-owned cloud environment and use that access to abuse the cloud service, increased 110% last year, according to CrowdStrike.
“These adversaries continue to develop new and innovative ways to operate within the cloud,” Meyers said.
“We also see them using clouds for persistence where they can maintain their persistence into a target if they are detected and a system gets remediated,” Meyers said. “Oftentimes, they’re able to create another account inside the cloud to come back through.”