The rapid rise in digitalization and the shift of applications to the cloud have created new attack surfaces and opportunities for threat actors. Cybercriminals are working hard, and smart, to make money from them, and an interesting trend has emerged.

What’s the trend?

Lacework has observed rising demand for cloud account access on dark web portals, driven by initial access brokers who have expanded their offerings to include cloud admin credentials. Today, underground marketplaces are rife with admin accounts for Azure, Amazon AWS, and Google Cloud.

Who’s responsible?

  • Cpuminer has long been a legitimate mining tool, but malware built around it now infects WordPress installations and uses them to illegally mine altcoins.
  • Keksec is using a new DDoS malware strain called Tsunami-Ryuk. The group, completely unrelated to the Ryuk ransomware group, has been spotted attacking cloud infrastructure to conduct DDoS and cryptomining campaigns.
  • The 8220 gang is leveraging PwnRig—a custom XMRig-based miner—and an IRC bot to infect hosts via common cloud services.

Recent cloud-based threats

  • Linux-based cloud environments are vulnerable to coin miners, web shells, and ransomware attacks. The first half of this year witnessed 13 million malware incidents targeting these cloud environments. 
  • An attacker backdoored legitimate Docker images in a supply-chain attack. 

Why attack cloud infrastructure?

Experts surmise two reasons for the growing trend of selling cloud accounts:
  • Threat actors are striving to profit from both ransom payments and extortion.
  • Apart from direct profits, they are also looking for indirect gains by stealing resources and selling access to them. 

The bottom line

Cybercriminals should be treated as business threats owing to the sophistication and evolution of their attacks. Moreover, they constantly invest in campaigns targeting cloud services. This indicates that businesses now face a greater threat than ever before.

Cyware Publisher