ReliaQuest report reveals new cloud phishing tactics
ReliaQuest has published a new report detailing the methods cyber attackers use to exploit cloud environments.
Between December 2023 and September 2024, ReliaQuest analysed true-positive alerts from customer environments, focusing on initial-access and discovery activity against public-facing cloud APIs. Self-service password reset requests accounted for 28% of all alerts, a sign that threat actors were attempting account takeover as a route into cloud environments and, potentially, to administrator privileges.
In Kubernetes environments, the GetVersion command appeared in 31% of alerts: attackers were fingerprinting the API server's version in order to look for exploitable software vulnerabilities. More than half of the source IP addresses behind these alerts also had a history of extensive malicious activity elsewhere, indicating infrastructure that threat actors reuse to scan organisations and search for vulnerabilities.
An emerging phishing tactic described in the report involves hosting malicious links inside documents stored on cloud-storage SaaS platforms, such as OneNote files shared via SharePoint or Google documents shared via Google Drive. The phishing email itself carries only a link to the cloud-hosted document; the malicious link sits inside that document. Because the email's link points at a well-known, trusted platform, the lure is harder to detect and more convincing to the recipient.
The report notes that phishing accounted for 71.1% of all tactics, techniques, and procedures (TTPs) observed in 2023 customer true-positive incidents. The tactic works because it exploits the trust users place in platforms such as Google Drive or Dropbox, which complicates detection and response. Since the link in the email points to a legitimate platform, URL reputation and email filtering may not flag it as malicious, so the message passes initial security controls and the user only encounters the malicious link after opening the document.
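The following is an added example (not code from ReliaQuest or the report) of the kind of mail-gateway rule this tactic calls for: instead of asking whether a URL's host has a bad reputation, it flags messages from outside the organisation that link to a cloud-sharing host at all, since that is exactly what reputation-based filtering lets through. The list of sharing hosts, the `Message` shape, the organisation domain `example.com` and all sample messages are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hosts that pass reputation checks because the platform itself is legitimate.
// Hypothetical list for this example; extend it to the SaaS your organisation uses.
var cloudShareHosts = []string{
	"sharepoint.com",
	"onedrive.live.com",
	"1drv.ms",
	"docs.google.com",
	"drive.google.com",
	"dropbox.com",
}

// Message is the subset of email metadata the rule needs (constructed shape, not a real gateway API).
type Message struct {
	FromDomain string
	URLs       []string
}

// hostMatches reports whether host is the suffix itself or a subdomain of it. Matching on the
// parsed hostname, not on the raw string, is what keeps lookalikes such as
// sharepoint.com.evil.example or docs.google.com@evil.example from matching.
func hostMatches(host, suffix string) bool {
	host = strings.ToLower(host)
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// CloudShareLinks returns the URLs in msg whose host is a known cloud-sharing platform.
func CloudShareLinks(msg Message) []string {
	var hits []string
	for _, raw := range msg.URLs {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			continue
		}
		for _, s := range cloudShareHosts {
			if hostMatches(u.Hostname(), s) {
				hits = append(hits, raw)
				break
			}
		}
	}
	return hits
}

// Suspicious flags messages from outside ownDomain that carry a cloud-sharing link.
// Internal sharing traffic is excluded to keep alert volume manageable; a production rule would
// also weigh sender history, first-contact status and the document's own content.
func Suspicious(msg Message, ownDomain string) bool {
	if strings.EqualFold(msg.FromDomain, ownDomain) {
		return false
	}
	return len(CloudShareLinks(msg)) > 0
}

func main() {
	// Constructed sample messages, not real traffic.
	samples := []Message{
		{FromDomain: "contoso-invoices.example", URLs: []string{"https://contoso-my.sharepoint.com/:o:/g/personal/x/abc"}},
		{FromDomain: "example.com", URLs: []string{"https://drive.google.com/file/d/1A2B3C/view"}},
		{FromDomain: "news.example.net", URLs: []string{"https://www.example.net/newsletter"}},
		{FromDomain: "x.example", URLs: []string{"https://sharepoint.com.evil.example/doc", "https://docs.google.com@evil.example/"}},
	}
	for _, m := range samples {
		fmt.Printf("from=%-26s suspicious=%-5v links=%v\n", m.FromDomain, Suspicious(m, "example.com"), CloudShareLinks(m))
	}
}
```

The rule deliberately does not try to fetch or inspect the shared document; the point is that the email-stage signal is "external sender plus cloud-sharing link", which a reputation feed alone never produces.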
ReliaQuest says its detection rule library identifies attacks at multiple stages of the attack lifecycle, and that its GreyMatter containment and response playbooks operate independently of email security tools, so an email that slips past the mail filter can still be caught and contained later in the chain.
The report also highlights the threat of cloud environment hijacking. Once attackers have initial access they can consume the victim's cloud resources, for example running up large bills through cryptocurrency mining, or go after resources holding sensitive data, causing operational or brand damage. They can also launch phishing campaigns against other organisations from the hijacked account, using services such as AWS Simple Email Service (SES) to send mail that appears to come from the compromised organisation, which damages its brand and its relationships with third parties and customers.
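An added example, not from the report, of one way to catch the SES abuse described above before the phishing mail goes out. Sending from a hijacked AWS account normally starts with the attacker registering a sender identity or re-enabling sending, and those are management API calls that CloudTrail records. The rule below parses newline-delimited CloudTrail records and flags SES setup calls made by any principal outside an allow list. The allow list, the chosen set of SES call names, and the log lines are all constructed for this example; the JSON field names follow the CloudTrail record format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds only the CloudTrail fields this rule reads.
type Event struct {
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters map[string]any `json:"requestParameters"`
}

// SES management calls that typically precede sending from a hijacked account: registering a new
// sender identity or re-enabling sending. Hypothetical selection for this example.
var sesSetupCalls = map[string]bool{
	"VerifyEmailIdentity":         true,
	"VerifyDomainIdentity":        true,
	"CreateEmailIdentity":         true,
	"UpdateAccountSendingEnabled": true,
}

// Finding is one alert: who made the call, from where, and which identity they tried to register.
type Finding struct {
	Principal string
	SourceIP  string
	Call      string
	Identity  string
}

// Detect scans newline-delimited CloudTrail records and returns SES setup calls made by principals
// not in allowedPrincipals (a hypothetical allow list of the roles expected to manage SES).
func Detect(ndjson string, allowedPrincipals map[string]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed record: skip here, count it in a real pipeline
		}
		if ev.EventSource != "ses.amazonaws.com" || !sesSetupCalls[ev.EventName] {
			continue
		}
		if allowedPrincipals[ev.UserIdentity.ARN] {
			continue
		}
		// The identity being registered lives under different parameter names per call.
		identity := ""
		for _, k := range []string{"emailAddress", "domain", "emailIdentity"} {
			if v, ok := ev.RequestParameters[k].(string); ok {
				identity = v
				break
			}
		}
		out = append(out, Finding{ev.UserIdentity.ARN, ev.SourceIPAddress, ev.EventName, identity})
	}
	return out
}

// Constructed sample records, not real CloudTrail output.
const sampleLog = `{"eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"emailAddress":"billing@example.com"}}
{"eventSource":"ses.amazonaws.com","eventName":"VerifyEmailIdentity","sourceIPAddress":"10.0.0.5","userIdentity":{"arn":"arn:aws:iam::123456789012:role/mail-admin"},"requestParameters":{"emailAddress":"noreply@example.com"}}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{}}
not json at all`

func main() {
	allowed := map[string]bool{"arn:aws:iam::123456789012:role/mail-admin": true}
	for _, f := range Detect(sampleLog, allowed) {
		fmt.Printf("ALERT: %s from %s called %s for %q\n", f.Principal, f.SourceIP, f.Call, f.Identity)
	}
}
```

In the sample, the only finding is the CI deployment user verifying `billing@example.com` from an address that has no business managing mail, which is the precursor pattern worth paging on; the same principal's `RunInstances` call is left to a separate rule.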
In response to these threats, ReliaQuest recommends strict monitoring and management of API keys. They advise configuring the API gateway to issue client TLS certificates (the report says SSL), so that every caller must present a certificate as a second form of identity verification alongside its API key. With this in place an exposed API key on its own is not enough to call the API, which limits the damage of a key leak.
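As an added illustration of that recommendation (example code, not ReliaQuest's or any gateway vendor's), the Go program below stands up a gateway that requires a client certificate at the TLS layer and an API key at the HTTP layer, then exercises the three cases that matter: certificate plus key, certificate with a wrong key, and a leaked key with no certificate. The API key value, the partner name `partner-1`, the `/v1/orders` path and the self-signed certificate that doubles as the gateway's trust anchor are all assumptions made for the example; a real gateway would have a proper issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Hypothetical API key issued to a partner; the client certificate is the second factor.
const apiKey = "example-api-key-0123"

// NewClientCert issues a self-signed client certificate for cn; it stands in for both the
// gateway's issuing CA and the partner's credential.
func NewClientCert(cn string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// NewGateway starts a TLS server that aborts the handshake unless the client presents a
// certificate chaining to clientCA, then checks the API key on every request that gets through.
func NewGateway(clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reaching this handler already implies a verified client certificate.
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-API-Key")), []byte(apiKey)) != 1 {
			http.Error(w, "invalid API key", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// Call sends one request. A nil clientCert models an attacker who holds only the leaked key.
// It returns the HTTP status, or an error when the TLS layer rejected the connection.
func Call(srv *httptest.Server, clientCert *tls.Certificate, key string) (int, error) {
	serverPool := x509.NewCertPool()
	serverPool.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: serverPool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/v1/orders", nil)
	req.Header.Set("X-API-Key", key)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunScenarios exercises the combinations a leaked key makes interesting.
func RunScenarios() map[string]string {
	cert, leaf := NewClientCert("partner-1")
	srv := NewGateway(leaf)
	defer srv.Close()
	out := map[string]string{}
	try := func(name string, c *tls.Certificate, key string) {
		if status, err := Call(srv, c, key); err != nil {
			out[name] = "rejected at TLS layer"
		} else {
			out[name] = fmt.Sprintf("HTTP %d", status)
		}
	}
	try("cert+key", &cert, apiKey)
	try("cert only", &cert, "wrong-key")
	try("key only", nil, apiKey) // leaked key without the certificate
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The "key only" case never reaches the handler: the server aborts the handshake because no client certificate was presented, so an attacker who scraped the key from a repository or a log gets a TLS error rather than a 401 to brute-force around. The constant-time comparison on the key is a small extra that costs nothing once the key is a second factor rather than the only one.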