SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Malware
#
Cloud Security
#
Phishing

ReliaQuest report reveals new cloud phishing tactics

Today
Author image
By Catherine Knowles, Journalist

ReliaQuest has published a new report detailing the methods cyber attackers use to exploit cloud environments.

Between December 2023 and September 2024, ReliaQuest analysed true-positive alerts from customer environments, focusing on initial access and discovery commands against public-facing cloud APIs. The analysis revealed that self-service password reset requests accounted for 28% of all alerts, which indicates attempts by threat actors to intrude into cloud environments and potentially gain administrator privileges.

The GetVersion command was present in 31% of alerts in Kubernetes environments, showing that attackers were probing for software vulnerabilities. Additionally, more than 50% of the source IP addresses associated with attacks demonstrated extensive malicious activity, pointing to their consistent use by threat actors for scanning organisations and searching for vulnerabilities.

An emerging phishing tactic described in the report involves hosting malicious links within cloud-storage SaaS solutions, such as OneNote files shared via SharePoint or Google documents shared via Google Drive. Attackers use phishing emails to direct recipients to the cloud-stored document containing the link, leveraging user trust in well-known cloud platforms and making the phishing attempts harder to detect.

The report notes that phishing constituted a significant 71.1% of all techniques, tactics, and procedures (TTPs) observed in 2023 customer true-positive incidents. The phishing method is dangerous as it exploits the inherent trust users place in platforms like Google Drive or Dropbox, complicating detection and response efforts. As the document link points to a legitimate platform, email filtering systems might not detect it as malicious, allowing such phishing emails to bypass initial security measures.

ReliaQuest employs an extensive detection rule library that identifies attacks at various stages of the attack lifecycle. GreyMatter containment and response playbooks operate independently of email security tools to provide more comprehensive security.

The report also highlights the threat of cloud environment hijacking. Gaining initial access allows attackers to exploit cloud resources, for example, using them for expensive cryptocurrency mining or to target resources holding sensitive data, causing brand or operational damage. Attackers can also launch phishing campaigns against other organisations from these hijacked resources, impersonating the compromised organisation using services like AWS Simple Email Service (SES). This tactic can damage the organisation's brand image and impact relationships with third parties and customers.

In response to these threats, ReliaQuest recommends strict monitoring and management of API keys. They advise using API gateways to generate an SSL certificate, which serves as a second form of identity verification alongside an API key. This additional measure can enhance security if an API key is exposed.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
IriusRisk unveils Jeff: AI tool for threat modelling images
AppOmni earns FedRAMP status, enhancing SaaS security
Grip Security report reveals unmanaged SaaS app risks
AI impersonation emerges as top cyber threat in new report
Fortinet report: 70% of staff lack cybersecurity awareness
Top stories
CyberArk highlights new security threats at Impact World Tour
Zoho invests USD $10m in NVIDIA AI for language models
Dynatrace named a leader in 2024 Gartner's Magic Quadrant
Qualys VMDR recognised as leader in 2024 GigaOm report
Transmit Security leads in account takeover prevention