The Exploitation of Cloud

by Brett Lockett

The advent of cloud computing has revolutionised the way businesses and individuals store, access, and share data. The cloud offers unparalleled convenience, scalability, and cost-effectiveness. However, as with any technological advancement, it has also become a target for cybercriminals. In 2022, cloud exploitation grew by 95% and the number of cases involving cloud conscious threat actors nearly tripled each year.


What is a Cloud Attack?

A cyber attack that specifically targets cloud infrastructure service platforms, which provide off-site storage, computing, or hosting services, falls under the category of a cloud cyber attack. These attacks encompass various service delivery models, such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).


As the integration of cloud technology continues to expand within business environments, attackers are incorporating cloud-based systems into their targeting strategies to extend the scope of their attacks. In the recent report of CrowdStrike Intelligence, attackers have shifted away from just deactivation of antivirus softwares and firewall technologies to seeking ways to modify authentication processes and attack identities. Despite their objectives remaining largely similar to those aimed for in non-cloud environments, such as obtaining initial access, achieving persistence, and performing lateral movement, the transient nature of certain cloud systems may necessitate a more resilient and persistent approach by attackers in order to achieve their goals.


Prominent Tactics, Techniques and Procedures (TTPs)

In 2022, several prominent tactics, techniques, and procedures (TTPs) emerged, demonstrating a heightened level of sophistication and awareness of cloud infrastructure. In their pursuit of initial access to the cloud, threat actors predominantly relied on several methods. These included leveraging pre-existing and legitimate accounts, either by resetting passwords or by implanting webshells or reverse shells for long-term presence, following successful exploitation of public-facing applications like web servers. Once inside a targeted machine, the actors primarily focused on acquiring further access through credentials discovered in files, while also exploiting the cloud provider’s instance metadata services (IMDSs) as an additional avenue.


Once inside, the initial environment discovery, threat actors target cloud accounts for the purpose of establishing persistence and potentially escalating privileges. Additionally, they explored reachable network services to identify potential entry points. The actors also conducted searches for cloud permission groups, infrastructure configurations, and storage buckets to gather valuable information about the target environment.


To facilitate lateral movement within a cloud environment, threat actors employed various protocols, including RDP, SSH, and SMB. Those with console access took advantage of services like EC2 instance connect and the Systems Manager Session Manager to further their objectives in this regard.


In an attempt to circumvent defensive measures, threat actors made efforts to disable security products operating within virtual machines. Data is collected when threat actors turn to local systems or internal information repositories, for example Sharepoint.


A successful cloud attack can disrupt an organisation’s cloud-based services, leading to service outages and downtime, however the most destructive are the: removal of access to accounts, termination of services, destroying data and deleting resources. These effects of a breach have severe legal, financial and reputational consequences for companies.


How Datasearch Consulting can help!

In the event of a cloud attack, a strong cybersecurity team can respond swiftly and effectively. They can initiate an incident response plan, contain the attack, investigate the breach, and mitigate the impact on the organisation’s systems, data, and operations. Having a group of experts is indispensable for an organisation that aims to adapt to the changing technological landscape of the fintech industry. 


At Datasearch Consulting, we understand that having the best safeguards for your business is having the best team. That’s why we offer our expertise in finding the right cyber security professionals who can help you determine the most proactive methods and mitigation plans in case of cloud attacks on your business. Contact us today to learn how we can assist you in enhancing your company’s security.

DataSearch Consulting
profile picture Brett Lockett

Brett Lockett

Brett Lockett is an Associate Director – Infrastructure, Cloud, Cyber Security & GRC at Datasearch Consulting, a leading executive recruitment firm specialising in the Cyber & Cloud Technology sectors. at DataSearch Consulting

Hey there, If you ever need my services on a similar project, I'd love to help!