Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations

Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past year. Improper use of credentials made up the top cause of cloud compromises that X-Force responded to in the past year, reaffirming the need for businesses to double down on hardening their credential management practices.

Based on insights from X-Force threat intelligence, penetration tests, incident response engagements, Red Hat Insights and data provided by report contributor Cybersixgill, gathered between June 2022 and June 2023, the key highlights of the report include:

  • Credentials worth a dozen doughnuts — Over 35% of cloud security incidents occurred from attackers’ use of valid, compromised credentials. Making up nearly 90% of assets for sale on dark web marketplaces, credentials’ popularity among cybercriminals is apparent, averaging $10 per listing — or the equivalent of a dozen doughnuts. Microsoft Outlook Cloud credentials accounted for over 5 million mentions on illicit marketplaces — by far the most popular access for sale.
  • “Unkempt” clouds — X-Force observed a nearly 200% increase in new cloud related CVEs from the prior year, now tracking close to 3,900 cloud-related vulnerabilities, a number that has doubled since 2019. Adversaries can advance their objectives significantly by exploiting many of these vulnerabilities with over 40% of new cloud CVEs allowing them to either obtain information or gain access, indicating the strong foothold attackers can establish through these entry points.
  • Europe’s cloudy forecast — Sixty-four percent of cloud-related incidents that X-Force responded to during the reporting period involved European organizations. In fact, across all malware that Red Hat Insights observed, 87% was identified in European organizations, highlighting their attractiveness to attackers. It’s possible that the increasing tensions in the region and the uptick in deployment of back doors — which was reported in the 2023 X-Force Threat Intelligence Index — could be related to European cloud environments topping the list of observed targets.

Credentials are no longer credible authenticators

Adversaries continue to wager on improper credential hygiene across enterprises to carry out their attacks. X-Force engagements reveal that, often, credentials with overprivileged access are left exposed on user endpoints in plaintext, creating an opportunity for attackers to establish a pivot point to move deeper into the environment or access highly sensitive information. Specifically, plaintext credentials were located on user endpoints in 33% of X-Force Red’s adversary simulation engagements that involved cloud environments during the reporting period. This upward trend of credential use as an initial access vector — representing 36% of cloud incidents in 2023 compared to 9% in 2022 — highlights the need for organizations to move beyond authentication that depends on human diligence and prioritize technological guardrails capable of securing user identity and access management.
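One check that follows from this finding, as an added example rather than anything from the report or X-Force Red’s own tooling: a small Python sweep that walks a directory, flags files whose names are well-known plaintext credential stores, and greps readable files for credential-shaped strings. The file names, the regexes and the sample home directory it builds are assumptions, constructed here so the script runs offline.

```python
import os
import re
import tempfile

# Assumed file names that commonly hold long-lived secrets in plaintext.
CREDENTIAL_FILES = {"credentials", ".env", "id_rsa"}
# Assumed patterns: AWS access key IDs (AKIA + 16 chars) and key=value lines naming a secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)(aws_secret_access_key|password|api[_-]?key|token)\s*[=:]\s*\S{8,}"),
}


def scan_tree(root: str) -> list:
    """Return sorted (relative path, reason) pairs for every suspicious file under root."""
    hits = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in CREDENTIAL_FILES:
                hits.add((rel, "known credential file name"))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:  # unreadable or special file: skip it, do not abort the sweep
                continue
            for label, pattern in PATTERNS.items():
                if pattern.search(text):
                    hits.add((rel, f"matches {label}"))
    return sorted(hits)


def build_sample_endpoint() -> str:
    """Constructed sample home directory: a leaked AWS profile, a .env file and a clean note."""
    root = tempfile.mkdtemp(prefix="endpoint_")
    os.makedirs(os.path.join(root, ".aws"))
    with open(os.path.join(root, ".aws", "credentials"), "w") as fh:
        fh.write("[default]\naws_access_key_id = AKIAEXAMPLEKEY000000\n"
                 "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLE0000\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DB_PASSWORD=CorrectHorseBatteryStaple\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Standup at 10:00, review cloud IAM roles.\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_endpoint()):
        print(f"{rel}: {reason}")
```

The sweep only finds plaintext material; whether a flagged key is overprivileged still has to be checked against the cloud account’s IAM policies.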

As access to more data across more environments becomes a recurring need, human error continues to present a security challenge. The growing need for more dynamic and adaptive identity and access management can be met with advanced AI capabilities in the market today. For example, IBM Security Verify customers see substantial improvement by leaning on more intuitive authentication processes to calculate risk score based on login patterns, device location, behavior analytics, and other context, and then automatically adapt the login process and verification accordingly.

Organizations lowball their attack surface — stress testing their security is key

The ability to manage the full scope of an organization’s attack surface is key to establishing cyber resilience. However, organizations tend to be more exposed than they realize, often underestimating the potential targets within their environment that can serve attackers’ objectives. Shadow IT and an unmanageable vulnerability debt make it increasingly challenging for organizations to know where they are most exposed.

According to the X-Force report, nearly 60% of newly disclosed vulnerabilities, if exploited, could allow attackers to obtain information, or to gain access or privileges that enable lateral movement through the network. Whether that means giving attackers information on how environments are set up or unauthorized authentication that grants them additional permissions, it’s critical for organizations to know which risks to prioritize — especially when operating with limited resources. To help organizations with this challenge, X-Force Red uses AI for weaponized exploit risk assessment — leveraging the team’s hacker-built automated ranking engine to enrich and prioritize findings based on weaponized exploits and key risk factors such as asset value and exposure.

As organizations focus on better understanding their cloud risk posture, it’s important they combine that knowledge with response readiness by engaging in adversary simulation exercises using cloud-based scenarios to train and practice effective cloud-based incident response. This way, not only can they gain insight into the attack paths and objectives an attacker could pursue, but they can also better measure their ability to respond to such an attack and contain any potential impact.

If you’re interested in reading the full 2023 X-Force Cloud Threat Report, you can access it here.

You can register for the webinar, “Cloud Threat Landscape Report: Explore Trends to Stay Ahead of Threats,” taking place on Wednesday, September 20 at 11:00 a.m. EDT here.

For more information on X-Force’s security research, threat intelligence and hacker-led insights, visit the X-Force Research Hub.

If you’d like to set up a consult with IBM X-Force, schedule a discovery briefing here.
