Each member of the Crying out Cloud team at Wiz shares their top stories from the past year
# Industry News: 2023 Cloud Security Retrospective and Key Threat Vectors
## Summary
Wiz's "Crying Out Cloud" team compiled a retrospective of 2023's most impactful cloud security events, highlighting the critical media-library flaws that were first reported as Chrome vulnerabilities and the mass zero-day exploitation of Progress's MOVEit Transfer by the Cl0p group. The review also flagged a concerning trend: financially motivated actors such as Scattered-Spider and ALPHV moving into cloud environments, signaling an evolution in ransomware tactics.
## Key Details
- Date: End of 2023 (year-end retrospective)
- Companies Involved: Wiz, Google (Chrome), Progress (MOVEit)
- Threat Actors Discussed: Cl0p, Scattered-Spider, ALPHV (BlackCat)
- Category: Industry Analysis / Threat Review
## The Story
The source is a year-end look back by the Wiz "Crying Out Cloud" team at the significant cloud security events of 2023. Discussion centered on three high-profile stories plus a handful of smaller themes:
1. **Ubiquitous Library Flaws (CVE-2023-4863 and CVE-2023-5217):** Two critical bugs first disclosed as Chrome vulnerabilities turned out to live in widely embedded media libraries (libwebp and libvpx respectively), so the same flaw surfaced in Firefox, Slack, Signal and many other products that bundle those libraries. The exposure is mostly client-side, but the team debated how far the libraries reach into cloud workloads. A side effect was that the same libwebp bug received a second CVE identifier that was later rejected as a duplicate, and the resulting confusion exposed gaps in cross-vendor coordination.
2. **MOVEit Transfer Exploitation:** Cl0p's mass zero-day exploitation of Progress's MOVEit Transfer in mid-2023 was a major supply chain disruption. It showed the high return on targeting niche but widely deployed data transfer software, even though fewer than 1% of cloud environments ran it.
3. **Cloud Expansion by Ransomware Groups:** The collaboration between Scattered-Spider (known for sophisticated social engineering of help desks and identity providers) and ALPHV (BlackCat) marked a visible shift toward lateral movement inside cloud tenants and RansomOps, challenging the long-held view that ransomware rarely targets cloud-native infrastructure.
4. **Other Topics:** The team also covered lessons from the Microsoft signing key theft (the Storm-0558 intrusion) and the persistent problem of misconfigurations, stressing that unused and forgotten cloud resources are both a cost problem and an attack surface, so cost hygiene and security hygiene reinforce each other.
## Business Impact
### For the Companies Involved
- **Wiz:** Reinforces their position as a leading voice in cloud security research and thought leadership, utilizing their platform to contextualize complex threats for their growing customer base.
- **Progress (MOVEit):** Suffered significant reputational and financial damage after its widely used managed file transfer product was exploited at scale, forcing emergency patching and a security uplift across its entire customer base.
### For Competitors
- Competitors such as Zscaler, Palo Alto Networks, and CrowdStrike likely benefited from increased industry awareness and budget allocation toward Cloud-Native Application Protection Platforms (CNAPPs) able to track supply chain and identity-based threats across the whole estate.
### For Customers
- Customers across every sector were forced to re-evaluate their software supply chain risk management, patching cadence (especially for critical third-party appliances), and identity hygiene, given the expansion of ransomware into their cloud tenants.
### For the Market
- The MOVEit incident validated the business risk inherent in third-party software vulnerabilities, driving further investment not just in workload protection, but also in broader Software Bill of Materials (SBOM) and Vendor Risk Management (VRM) solutions beyond just traditional cloud infrastructure.
## Technical Implications
The analysis underscores the shift in focus from purely infrastructure misconfigurations to application-level and software dependency risks impacting cloud workloads:
* **Library Risk:** Highlights that security testing must extend deep into third-party libraries used within applications deployed to the cloud, not just the container image perimeter.
* **Identity & Lateral Movement:** The Scattered-Spider/ALPHV activity confirms that credential compromise (usually beginning with social engineering) is a viable route to deep cloud access, which calls for strong governance of both human and workload identities and for Zero Trust principles inside the cloud fabric rather than only at its edge.
* **CVE Standardization:** The duplicate CVE episode shows why vendors and CVE numbering authorities need tighter coordination: a renumbered or withdrawn identifier breaks automated vulnerability management, which keys tickets, suppressions and SLAs on the CVE ID.
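The two bullets above (library risk and CVE renumbering) are easiest to see with a concrete SBOM check. The script below is an added example written for this page; it is not Wiz's, Google's or Progress's code. The CycloneDX-style SBOM is constructed. The advisory data is real: libwebp 1.3.2 and libvpx 1.13.1 are the upstream releases that closed CVE-2023-4863 and CVE-2023-5217, and CVE-2023-5129 is the second identifier that was assigned to the same libwebp bug and later rejected as a duplicate. Advisories are keyed on (package, fixed version) rather than on the CVE ID, so the duplicate collapses into one finding instead of two.

```python
"""Match a container SBOM against advisories keyed by package and fixed
version, collapsing duplicate CVE identifiers for the same fix.

Added example for this page; not Wiz's, Google's or Progress's code.
The SBOM is constructed. Fixed versions are the upstream releases that
closed the two bugs; CVE-2023-5129 is the libwebp duplicate that was
later rejected.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for one container image (illustrative only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libwebp", "version": "1.3.1"},
    {"type": "library", "name": "libvpx",  "version": "1.13.1"},
    {"type": "library", "name": "zlib",    "version": "1.2.13"},
    {"type": "library", "name": "libwebp", "version": "1.2.4-r1"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    ids: tuple      # every identifier that has been used for this fix
    package: str    # upstream package name as it appears in the SBOM
    fixed: str      # first upstream version containing the fix


ADVISORIES = [
    # libwebp heap overflow, first announced as a Chrome bug.
    Advisory(("CVE-2023-4863",), "libwebp", "1.3.2"),
    # Second ID assigned to the same libwebp fix, later rejected as a duplicate.
    Advisory(("CVE-2023-5129",), "libwebp", "1.3.2"),
    # libvpx VP8 encoder overflow, also first announced as a Chrome bug.
    Advisory(("CVE-2023-5217",), "libvpx", "1.13.1"),
]


def parse_version(version):
    """'1.2.4-r1' -> (1, 2, 4). The distro suffix is dropped so the
    comparison is against the upstream fix version (see the caveat below)."""
    head = re.split(r"[-+~]", version, maxsplit=1)[0]
    return tuple(int(p) for p in head.split(".") if p.isdigit())


def dedupe(advisories):
    """Merge advisories that describe the same (package, fixed version)
    so a renumbered or duplicate CVE does not produce two findings."""
    merged = {}
    for adv in advisories:
        key = (adv.package, adv.fixed)
        ids = merged.get(key, ())
        merged[key] = ids + tuple(i for i in adv.ids if i not in ids)
    return [Advisory(ids, pkg, fixed) for (pkg, fixed), ids in merged.items()]


def match_sbom(sbom_json, advisories):
    """Return one finding per SBOM component older than the fixed version."""
    components = json.loads(sbom_json)["components"]
    findings = []
    for adv in dedupe(advisories):
        for comp in components:
            if comp["name"] != adv.package:
                continue
            if parse_version(comp["version"]) < parse_version(adv.fixed):
                findings.append({
                    "package": comp["name"],
                    "version": comp["version"],
                    "fixed": adv.fixed,
                    "ids": list(adv.ids),
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['package']} {f['version']} < {f['fixed']}: {', '.join(f['ids'])}")
```

Two caveats matter in practice. First, distributions often backport a fix without bumping the upstream version (the `-r1` style suffix here), so comparing against upstream versions over-reports; a production scanner must key on the distro's own security feed and version string. Second, an SBOM only lists what its generator saw: the reason Slack, Signal and similar apps were exposed is that they ship a statically linked copy of libwebp inside the application bundle, which a manifest-based SBOM will not enumerate unless the generator inspects binaries.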
## Strategic Analysis
- **Market Positioning:** The review positions Wiz as an authority deeply embedded in the cloud security ecosystem, capable of correlating disparate events (supply chain, ransomware, vulnerability management) into a coherent threat narrative.
- **Competitive Advantage:** Wiz leverages its visibility across customer cloud environments (the source of the under-1% MOVEit footprint figure) to provide threat context that pure endpoint or perimeter vendors cannot measure.
- **Challenges:** The rapid evolution of threat actors into the cloud necessitates constant adaptation by security providers to cover new vectors like sophisticated multi-stage collaboration between initial access brokers and ransomware affiliates.
## Industry Reactions
- **Analyst Opinions:** Analysts generally agree that 2023 was the year cloud security became a mainstream security risk, moving beyond initial adoption concerns to sophisticated threats operating inside production environments.
- **Expert Commentary:** Experts reinforced the need to prioritize rapid patching for software that has a small footprint but handles sensitive data or holds high privilege (MOVEit being the example), because the impact of a single flaw is disproportionate to the install base.
- **Market Response:** Increased spending focus on Cloud Security Posture Management (CSPM) that integrates vulnerability data, and Identity Threat Detection and Response (ITDR) tools.
## Future Outlook
- **Predictions and Expectations:** Expect continued focus on Application Security Posture Management (ASPM) tools to vet the security of application components deployed in the cloud. AI security, particularly concerning large language models and insecure integrations, is poised to dominate 2024 discussions.
- **What to Watch For:** Whether threat actors develop sustainable, scalable ways to monetize cloud-native attacks (for example cryptojacking or resource abuse) rather than relying on the kind of mass data exfiltration that MOVEit enabled.
## For Security Professionals
Cybersecurity practitioners must:
1. **Elevate Supply Chain Audits:** Maintain a complete inventory and strict patching policy for all COTS software running in or tightly integrated with cloud assets, whether or not it is considered cloud-native.
2. **Strengthen Identity Defenses:** Assume initial access will come through compromised credentials (phishing or social engineering of help desks) and focus on least privilege, phishing-resistant MFA everywhere, and monitoring for lateral movement signals such as unexpected role assumption across cloud IAM roles and accounts.
3. **Integrate Tools:** Move away from siloed vulnerability scanning towards integrated platforms that correlate asset inventory, configuration posture, and threat intelligence to quickly prioritize fixes based on immediate exploit potential.
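The "Identity & Lateral Movement" implication and the "Strengthen Identity Defenses" item both come down to spotting a compromised credential moving through cloud IAM. The script below is an added example for this page; it is not Wiz's code and not a published detection for Scattered-Spider. It runs two rules over CloudTrail records: a console login by an IAM user without MFA, and role chaining (a role session assuming another role), with each chain walked back to the human principal that started it and flagged when it crosses an account boundary. The records are constructed; the account IDs are the AWS documentation examples and the field names follow the CloudTrail record format.

```python
"""Two lateral-movement signals in CloudTrail: IAM-user console logins
without MFA, and role chaining traced back to its originating principal.

Added example for this page; not Wiz's code. The records are constructed
(AWS documentation example account IDs); field names follow CloudTrail.
"""
import json

# Constructed CloudTrail-style records, one JSON object per line.
EVENTS_JSONL = """\
{"eventTime":"2023-09-11T08:00:05Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-09-11T08:01:10Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/DevRole"},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"}}}
{"eventTime":"2023-09-11T08:03:42Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"roleArn":"arn:aws:iam::444455556666:role/ProdAdmin"},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::444455556666:assumed-role/ProdAdmin/alice"}}}
{"eventTime":"2023-09-11T09:15:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"203.0.113.9","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2023-09-11T09:16:30Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"203.0.113.9","requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/ReadOnly"},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}}}
"""


def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def walk_chain(session_arn, session_origin):
    """Follow a role session back through session_origin to the principal
    that started it. Returns [origin, role1, role2, ...]; a visited set
    guards against a session that re-assumes its own role."""
    roles, seen, cur = [], set(), session_arn
    while cur in session_origin and cur not in seen:
        seen.add(cur)
        caller, role = session_origin[cur]
        roles.insert(0, role)
        cur = caller
    return [cur] + roles


def detect(events_jsonl):
    """Run both rules over the records and return the alerts in event order."""
    alerts = []
    session_origin = {}  # assumed-role session ARN -> (caller ARN, role ARN)
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev["userIdentity"]
        if ev["eventName"] == "ConsoleLogin" and ident.get("type") == "IAMUser":
            # Scoped to IAM users: federated sign-ins enforce MFA at the IdP.
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if success and mfa != "Yes":
                alerts.append({
                    "rule": "console_login_without_mfa",
                    "principal": ident["arn"],
                    "source_ip": ev["sourceIPAddress"],
                    "time": ev["eventTime"],
                })
        elif ev["eventName"] == "AssumeRole" and ev["eventSource"] == "sts.amazonaws.com":
            target = ev["requestParameters"]["roleArn"]
            session = ev["responseElements"]["assumedRoleUser"]["arn"]
            session_origin[session] = (ident["arn"], target)
            if ident["type"] == "AssumedRole":
                # The caller is itself a role session: this is role chaining.
                chain = walk_chain(ident["arn"], session_origin) + [target]
                alerts.append({
                    "rule": "role_chaining",
                    "principal": chain[0],
                    "chain": chain,
                    "cross_account": account_of(chain[0]) != account_of(target),
                    "source_ip": ev["sourceIPAddress"],
                    "time": ev["eventTime"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS_JSONL):
        print(json.dumps(a))
```

On the sample data this yields two alerts: alice's console login without MFA, and the chain alice, DevRole, ProdAdmin crossing into account 444455556666, which is the pattern of a stolen credential pivoting from a developer role into a production account. Bob's MFA login and single role assumption produce nothing. Role chaining is also what legitimate CI/CD pipelines do all day, so in production this rule should be baselined on known (caller role, target role) pairs and raise only on first-seen pairs, cross-account targets, or chains that originate from a console session; AWS caps chained sessions at one hour, which limits how long such a pivot stays usable.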