Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations

Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past year. Improper use of credentials made up the top cause of cloud compromises that X-Force responded to in the past year, reaffirming the need for businesses to double down on hardening their credential management practices.

Based on insights from X-Force threat intelligence, penetration tests, incident response engagements, Red Hat Insights and data provided by report contributor Cybersixgill, between June 2022 and June 2023, some of the key highlights stemming from the report include:

  • Credentials worth a dozen doughnuts — Over 35% of cloud security incidents occurred from attackers’ use of valid, compromised credentials. Making up nearly 90% of assets for sale on dark web marketplaces, credentials’ popularity among cybercriminals is apparent, averaging $10 per listing — or the equivalent of a dozen doughnuts. Microsoft Outlook Cloud credentials accounted for over 5 million mentions on illicit marketplaces — by far the most popular access for sale.
  • “Unkempt” clouds — X-Force observed a nearly 200% increase in new cloud related CVEs from the prior year, now tracking close to 3,900 cloud-related vulnerabilities, a number that has doubled since 2019. Adversaries can advance their objectives significantly by exploiting many of these vulnerabilities with over 40% of new cloud CVEs allowing them to either obtain information or gain access, indicating the strong foothold attackers can establish through these entry points.
  • Europe’s cloudy forecast Sixty-four percent of cloud-related incidents that X-Force responded to during the reporting period involved European organizations. In fact, across all malware that Red Hat Insights observed, 87% was identified in European organizations, highlighting their attractiveness to attackers. It’s possible that the increasing tensions in the region and uptick in deployment of back doors — which was reported in the 2023 X-Force Threat Intelligence Index — could be related to the placing of European cloud environments at the top of the targets observed.
Download the 2023 Cloud Threat Landscape Report

Credentials are no longer credible authenticators

Adversaries continue to wager on improper credential hygiene across enterprises to carry out their attacks. X-Force engagements reveal that, often, credentials with overprivileged access are left exposed on user endpoints in plaintext, creating an opportunity for attackers to establish a pivot point to move deeper into the environment or access highly sensitive information. Specifically, plaintext credentials were located on user endpoints in 33% of X-Force Red’s adversary simulation engagements that involved cloud environments during the reporting period. This upward trend of credential use as an initial access vector — representing 36% of cloud incidents in 2023 compared to 9% in 2022 — highlights the need for organizations to move beyond human-reliant authentications and prioritize technological guardrails capable of securing user identity and access management.

As access to more data across more environments becomes a recurring need, human error continues to present a security challenge. The growing need for more dynamic and adaptive identity and access management can be met with advanced AI capabilities in the market today. For example, IBM Security Verify customers see substantial improvement by leaning on more intuitive authentication processes to calculate risk score based on login patterns, device location, behavior analytics, and other context, and then automatically adapt the login process and verification accordingly.

Organizations lowball their attack surface — stress testing their security is key

The ability to manage the full scope of organizations’ attack surface is key to establishing cyber resilience. However, organizations tend to be more exposed than they realize, often underestimating the potential targets within their environment that can serve attackers’ objectives. Shadow IT and an unmanageable vulnerability debt makes it increasingly challenging for organizations to know where they are most exposed.

According to the X-Force report, nearly 60% of newly disclosed vulnerabilities, if exploited, could allow attackers to obtain information or either gain access or privileges that enable lateral movement through the network. From providing attackers information on how environments are set up to unauthorized authentication that can grant them additional permissions, it’s critical for organizations to know which risks to prioritize — especially when operating with limited resources. To help organizations with this challenge, X-Force Red uses AI for weaponized exploit risk assessment — leveraging the team’s hacker-built automated ranking engine to enrich and prioritize findings based on weaponized exploits and key risk factors such as asset value and exposure.

As organizations focus on better understanding their cloud risk posture, it’s important they combine that knowledge with response readiness by engaging in adversary simulation exercises using cloud-based scenarios to train and practice effective cloud-based incident response. This way, not only can they gain insight into attack paths and objectives an attacker could pursue, but they can also better measure their ability to respond to such attack and contain any potential impact.

If you’re interested in reading the full 2023 X-Force Cloud Threat Report, you can access it here.

You can register for the webinar, “Cloud Threat Landscape Report: Explore Trends to Stay Ahead of Threats,” taking place on Wednesday, September 20 at 11:00 a.m. EDT here.

For more information on X-Force’s security research, threat intelligence and hacker-led insights, visit the X-Force Research Hub.

If you’d like to set up a consult with IBM X-Force, schedule a discovery briefing here.

More from Cloud Security

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Best practices for cloud configuration security

5 min read - Cloud computing has become an integral part of IT infrastructure for businesses of all sizes, providing on-demand access to a wide range of services and resources. The evolution of cloud computing has been driven by the need for more efficient, scalable and cost-effective ways to deliver computing resources.Cloud computing enables on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) over the internet. Instead of owning and maintaining physical hardware and infrastructure, users…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today