Full Report

Understanding trends amidst noise: tracking shifts in security alerts allows cloud defenders to parse threats from attackers targeting IAM, storage and more. (Source: the Unit 42 post "Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration".)

Analysis Summary
# Incident Report: Intensified Cloud Attacks Focusing on IAM and Data Exfiltration
## Executive Summary
Research indicates a significant escalation in attacks targeting cloud infrastructure, with daily security alerts increasing nearly fivefold between the start and end of 2024. Attackers primarily focused on compromising Identity and Access Management (IAM) credentials, leading to a surge in unauthorized remote command-line usage via compromised serverless function tokens. The primary impact observed was unauthorized access to sensitive cloud resources, including storage and compute instances, increasing the risk of significant data exfiltration.
## Incident Details
- Discovery Date: Analysis published March 27, 2025, detailing trends through end of 2024.
- Incident Date: Trends observed throughout 2024.
- Affected Organization: Multiple organizations utilizing cloud infrastructure (unspecified names).
- Sector: General Cloud Users (Inferred from research topic).
- Geography: Global (Attackers across the globe targeted resources).
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2024 (Trend analysis period).
- Vector: Compromised IAM tokens and credentials, particularly those associated with serverless functions.
- Details: Attackers leveraged leaked credentials or exploited weaknesses to gain initial access via IAM mechanisms.
### Lateral Movement
- Vector: Exploitation of compromised Virtual Machine connections and movement utilizing elevated IAM permissions.
- Details: Attackers used access to gain command line execution, suggesting movement across connected internal services.
### Data Exfiltration/Impact
- Vector: High volume download of cloud storage objects and exploitation of cloud image snapshots.
- Details: A 45% peak increase in cloud snapshot exports and a 305% increase in suspicious bulk downloads of storage objects were noted, signaling data extraction or preparation for extortion/ransomware.
### Detection & Response
- Detection: Detection relied on continuous monitoring of security alert trends, which surfaced high-severity cloud events. Specific detection methods included monitoring for "impossible travel" login events and suspicious API usage from external regions.
- Response: The article recommends deploying Cloud Detection and Response (CDR) tooling to detect and prevent malicious runtime operations. (Specific organizational response actions are not detailed as this is a research summary).
## Attack Methodology
- Initial Access: Leaked or compromised IAM credentials utilized via serverless functions.
- Persistence: Not explicitly detailed, but implied through continued unauthorized use of stolen IAM tokens.
- Privilege Escalation: Achieved via exploitation of sensitive IAM service accounts and use of compromised storage snapshots containing further credentials.
- Defense Evasion: Not explicitly detailed, likely relies on mimicking legitimate IAM API requests.
- Credential Access: Targeting IAM tokens and credentials for serverless functions.
- Discovery: Indicated by a 60% increase in API requests for compute resources from external regions.
- Lateral Movement: Via connection of virtual machines to additional internal services and leveraging broad IAM permissions.
- Collection: Bulk downloading of cloud storage objects (305% increase) and creation/export of infrastructure snapshots.
- Exfiltration: High volume suspicious downloads of storage objects.
- Impact: Potential for ransomware, extortion, and infrastructure compromise.
## Impact Assessment
- Financial: Not specified, but inferred to be significant due to scope of cloud compromise.
- Data Breach: Sensitive organizational or customer data stored in cloud storage, plus configuration/IAM credentials held within image snapshots.
- Operational: Potential for significant disruption due to control over compute resources and data centers.
- Reputational: High risk due to potential customer data theft and operational downtime.
## Indicators of Compromise
- Network Indicators: API requests for compute resources originating from outside usual regions; login events characteristic of "impossible travel."
- File Indicators: Exported cloud image snapshots.
- Behavioral Indicators: A single IAM identity downloading a large volume of storage objects in a narrow time window; remote command-line execution utilizing serverless function IAM tokens.
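The three behavioural indicators above (bulk object downloads by one identity, compute API calls from unexpected regions, and impossible-travel logins) can each be expressed as a small rule over audit-log events. The following is an added example written for this summary, not code from the Unit 42 post: it runs those three rules over a handful of constructed CloudTrail-style records. The field names (`eventName`, `eventSource`, `eventTime`, `awsRegion`, `sourceIPAddress`, `userIdentity.arn`) follow the CloudTrail record format; the events, ARNs, IP addresses, coordinates and thresholds are all constructed or assumed for the example and would be tuned per environment.

```python
# Added example (not from the Unit 42 post): detection rules for the three behavioural
# indicators, evaluated over constructed CloudTrail-style events.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EXPECTED_REGIONS = {"us-east-1", "us-west-2"}   # assumption: regions the organisation actually uses
BULK_THRESHOLD = 5                              # assumption: this many GetObject calls ...
BULK_WINDOW = timedelta(minutes=10)             # ... inside this window counts as bulk download
MAX_PLAUSIBLE_SPEED_KMH = 900.0                 # assumption: roughly airliner speed

# Constructed IP -> (lat, lon) lookup standing in for a GeoIP database.
GEO = {
    "198.51.100.10": (40.71, -74.01),   # New York
    "203.0.113.7": (35.68, 139.69),     # Tokyo
    "192.0.2.25": (40.72, -74.00),      # New York (neighbouring office)
}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect_bulk_download(events):
    """Identities issuing >= BULK_THRESHOLD s3 GetObject calls inside any BULK_WINDOW (sliding)."""
    per_identity = defaultdict(list)
    for e in events:
        if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] == "GetObject":
            per_identity[e["userIdentity"]["arn"]].append(parse_time(e["eventTime"]))
    flagged = set()
    for arn, times in per_identity.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                flagged.add(arn)
                break
    return flagged

def detect_external_region_compute(events):
    """Compute-service API calls made against a region the organisation does not use."""
    return [(e["userIdentity"]["arn"], e["eventName"], e["awsRegion"])
            for e in events
            if e["eventSource"] == "ec2.amazonaws.com" and e["awsRegion"] not in EXPECTED_REGIONS]

def detect_impossible_travel(events):
    """Consecutive logins by one identity whose implied travel speed exceeds the plausible maximum."""
    logins = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and e["sourceIPAddress"] in GEO:
            logins[e["userIdentity"]["arn"]].append((parse_time(e["eventTime"]), e["sourceIPAddress"]))
    flagged = []
    for arn, seq in logins.items():
        seq.sort()
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            hours = max((t2 - t1).total_seconds() / 3600.0, 1e-6)   # guard against zero elapsed time
            speed = haversine_km(GEO[ip1], GEO[ip2]) / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                flagged.append((arn, ip1, ip2, round(speed)))
    return flagged

def ev(name, source, time, arn, region="us-east-1", ip="198.51.100.10"):
    """Build one constructed CloudTrail-style record."""
    return {"eventName": name, "eventSource": source, "eventTime": time,
            "userIdentity": {"arn": arn}, "awsRegion": region, "sourceIPAddress": ip}

# Constructed identities: a serverless execution role and a human user.
LAMBDA_ROLE = "arn:aws:sts::123456789012:assumed-role/orders-fn-role/orders-fn"
ANALYST = "arn:aws:iam::123456789012:user/analyst"

SAMPLE_EVENTS = [
    # six GetObject calls by the function role within five minutes: bulk download
    *[ev("GetObject", "s3.amazonaws.com", f"2024-06-01T10:0{i}:00Z", LAMBDA_ROLE) for i in range(6)],
    # a human pulling two objects an hour apart: normal
    ev("GetObject", "s3.amazonaws.com", "2024-06-01T09:00:00Z", ANALYST),
    ev("GetObject", "s3.amazonaws.com", "2024-06-01T10:00:00Z", ANALYST),
    # compute enumeration from a region the organisation never uses, plus a normal one
    ev("DescribeInstances", "ec2.amazonaws.com", "2024-06-01T10:10:00Z", LAMBDA_ROLE, region="ap-southeast-1"),
    ev("DescribeInstances", "ec2.amazonaws.com", "2024-06-01T10:11:00Z", ANALYST, region="us-west-2"),
    # New York login, then Tokyo thirty minutes later (impossible), then New York a day later (fine)
    ev("ConsoleLogin", "signin.amazonaws.com", "2024-06-01T08:00:00Z", ANALYST, ip="198.51.100.10"),
    ev("ConsoleLogin", "signin.amazonaws.com", "2024-06-01T08:30:00Z", ANALYST, ip="203.0.113.7"),
    ev("ConsoleLogin", "signin.amazonaws.com", "2024-06-02T09:00:00Z", ANALYST, ip="192.0.2.25"),
]

if __name__ == "__main__":
    print("bulk download:", detect_bulk_download(SAMPLE_EVENTS))
    print("external-region compute:", detect_external_region_compute(SAMPLE_EVENTS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS))
```

The bulk-download rule is per identity with a sliding window, which is what makes a single serverless token draining a bucket stand out against many users each fetching a few objects; in production the thresholds would be derived from a baseline of normal GetObject rates rather than fixed constants.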
## Response Actions
- Containment: Immediate rotation/revocation of compromised IAM tokens and credentials, especially related to serverless functions. Application of Cloud Detection and Response (CDR) tooling for runtime prevention.
- Eradication: Identifying and terminating all command-line sessions executed via compromised tokens. Auditing all access associated with targeted IAM roles.
- Recovery: Restoring data integrity based on storage activity; reconfiguring security posture management based on learned weaknesses.
## Lessons Learned
- Cloud identity (IAM) is the single most critical defense perimeter in modern cloud environments.
- Serverless function credentials are a high-value target due to their direct link to remote command execution.
- Attacks are evolving beyond simple perimeter breaches to focus on credential theft and exploitation of configuration data (snapshots).
## Recommendations
- Implement robust multi-factor authentication (MFA) enforcement across all critical IAM roles.
- Adopt Cloud Detection and Response (CDR) tooling to monitor and prevent malicious runtime operations, focusing specifically on API anomalies and excessive data movement.
- Review and implement the principle of least privilege for all serverless function execution roles, minimizing the impact of a compromised token.
- Regularly audit and secure cloud storage access policies to prevent bulk extraction of data objects.
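The least-privilege recommendation for serverless execution roles is easiest to act on with a policy check that runs before deployment. The following is an added example for this summary, not code from the Unit 42 post or from any cloud provider: it contrasts a constructed over-broad execution policy with a scoped one and returns findings for the patterns that turn one stolen function token into account-wide access. The policy document grammar (`Version`, `Statement`, `Effect`, `Action`, `Resource`) is the AWS IAM one; the bucket name, account id, log group and the lists of high-impact and bulk-read actions are assumptions made for the example.

```python
# Added example (not from the Unit 42 post): a least-privilege review of a serverless
# execution role policy, contrasting a weak policy with a scoped one.
import json

# Constructed: a function that only needs to read incoming order files and write its own logs.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"], "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::orders-bucket/incoming/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn:*"}
  ]
}""")

# Assumption: service prefixes whose actions let a compromised function token reach beyond
# the function's own data (identity, token minting, compute, other functions).
HIGH_IMPACT_PREFIXES = ("iam:", "sts:", "ec2:", "lambda:")
# Assumption: storage actions that enable bulk reads when not pinned to a bucket or prefix.
BULK_READ_ACTIONS = {"s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}

def _as_list(v):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _scoped_s3_resource(r):
    """True when the resource names a specific bucket or prefix rather than all of S3."""
    return r.startswith("arn:aws:s3:::") and not r.startswith("arn:aws:s3:::*")

def review_execution_policy(policy):
    """Return least-privilege findings for an execution role policy; empty list means it passed."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {a!r}")
            if a == "*" or a.startswith(HIGH_IMPACT_PREFIXES):
                findings.append(f"statement {idx}: high-impact action {a!r} granted to a function role")
        for r in resources:
            if r == "*":
                findings.append(f"statement {idx}: resource '*' makes the grant account-wide")
        # A storage read that is not pinned to a bucket prefix lets one stolen token dump storage at scale.
        if any(a in BULK_READ_ACTIONS for a in actions) and not all(_scoped_s3_resource(r) for r in resources):
            findings.append(f"statement {idx}: storage read not scoped to a bucket or prefix")
    return findings

if __name__ == "__main__":
    for name, pol in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", review_execution_policy(pol) or "no findings")
```

The checks are deliberately structural (wildcards, unscoped resources, high-impact service prefixes) so they can run in a pipeline without calling the cloud API; a real review would additionally evaluate condition keys and any resource-based policies that widen the grant.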