Cloud Threat Report, Volume 4 | 2022

In the six months since the last Cloud Threat Report, Lacework Labs has seen a marked increase in efficiencies used by cybercriminals: speed is the name of the game. Identities continue to be a key target for attackers, and our findings indicate that the time to use those identities are shortening, consistently. We believe this is due to both automated attack techniques and an opportunity that attackers have spotted.

As an organization’s cloud maturity improves, they generate more operational data as a result of more frequent changes to their environment. This ever-shifting nature affords attackers an evergreen opportunity. They are using the sheer amount of data teams are analyzing to delay detection long enough to either steal data, enumerate resources, or start cryptojacking for profit.

Cryptojacking remains a consistently profitable activity for cybercriminals. We highlighted this in our first few Cloud Threat Reports while exploring some new and unique approaches of attackers using this technique. Getting someone else—you, the victim—to pay for the resources needed to generate cryptocurrency remains a “go-to” move. But it’s not their only move.

This report details cases of attackers searching for trade secrets, identifying customer information, enumerating account info for profiling, or gathering general intelligence in addition to ongoing infrastructure compromise activities.

The information provided here will help improve your security practice by explaining these techniques. This is information that you can use to adjust your defenses. We’ve also taken things a step further in this report. We’re releasing a new open source tool, Cloud-Hunter, designed to help take your threat hunting activities on the Lacework Polygraph Data Platform to the next level.

If the community freely shares information on attack techniques and malware, we can collectively improve our security postures. The more organizations that strengthen their security, the harder it will be for attackers to compromise as many victims.

Most cybercriminals are playing a volume game—they need to quickly and easily compromise a large number of victims to make enough profit to justify their risks.