Surge in Cloud Attacks: A Fivefold Increase Targeting IAM Service Accounts

In 2024, organizations experienced a dramatic escalation in cloud-based security threats, with attacks increasing nearly fivefold by year’s end compared to January. This surge predominantly targeted Identity and Access Management (IAM) tokens, which are critical for controlling access to cloud resources.

A comprehensive analysis by Unit 42 revealed a 388% overall increase in cloud security alerts throughout 2024, with high-severity alerts rising by 235%. Particularly concerning was the threefold increase in remote command-line access events utilizing IAM tokens and credentials. By December, the average cloud environment faced over 200 alerts for such activities, up from just two in January.

Additional alarming trends included a 116% rise in IAM-based “impossible travel” alerts, a 60% increase in IAM API requests from unauthorized regions, a 45% uptick in cloud snapshot exports, and a 305% surge in suspicious downloads of multiple cloud storage objects.

These findings align with the 2024 State of Cloud-Native Security Report, which indicated that 71% of organizations attributed increased vulnerability exposures to accelerated deployments, while 45% reported a rise in advanced persistent threat (APT) attacks.

A notable example involved a ransomware campaign that harvested over 90,000 credentials from 110,000 targeted domains, including nearly 1,200 cloud IAM credentials, leading to successful extortion attacks against multiple organizations.

The concentration of attacks on serverless functions is particularly concerning. Serverless functions are designed to operate autonomously, and remote usage of a serverless function’s IAM token indicates compromise and potential lateral movement within cloud environments.

Recommendations for Enhanced Cloud Security:

– Deploy Cloud Detection and Response (CDR) security for all cloud environments.

– Ensure runtime-enabled agents are deployed on mission-critical cloud endpoints.

– Implement cloud audit log monitoring from Cloud Service Providers (CSPs).

– Restrict CSP regions where compute and serverless functions can operate.

– Enforce least-privilege architecture for IAM credentials.

– Enable cloud storage versioning and encryption.

Given the increasing threats targeting cloud environments, requiring cloud-based agents for publicly exposed and critical cloud endpoints is essential. Runtime monitoring is crucial for detecting and mitigating malicious activities as they occur.
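The audit-log monitoring recommended above, applied to the signals the article lists (IAM API calls from unauthorized regions, impossible travel, and a serverless function's token being used from outside the function), as an added example that is not part of the original article or of Unit 42's tooling. It assumes CloudTrail-style records, a constructed set of approved regions, and a constructed egress network per serverless execution role; the log lines are constructed, not real data.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real data); only the fields used below are kept.
FN_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/orders-fn-role/orders-fn"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-12-01T10:00:00Z", "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.15", "userIdentity": FN_ROLE},
    {"eventTime": "2024-12-01T10:02:00Z", "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44", "userIdentity": FN_ROLE},
    {"eventTime": "2024-12-01T10:05:00Z", "eventName": "CreateSnapshot", "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.44", "userIdentity": FN_ROLE},
]

# Assumed policy (constructed): regions where compute may run, and the egress networks
# each serverless execution role is expected to call AWS APIs from (e.g. a VPC NAT range).
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
SERVERLESS_ROLE_NETWORKS = {"orders-fn-role": [ipaddress.ip_network("10.0.0.0/16")]}
TRAVEL_WINDOW = timedelta(minutes=15)

def role_name(event):
    # Role name from an assumed-role ARN; None for users, root and service identities.
    ident = event["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    return ident["arn"].split("assumed-role/")[1].split("/")[0]

def detect(events):
    # Returns (rule, role, eventName) findings, in event order.
    findings, last_seen = [], {}  # last_seen: role -> (time, region) of its previous call
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        role = role_name(ev)
        if role is None:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        region = ev["awsRegion"]
        # 1. IAM API request from a region where compute and serverless functions may not operate.
        if region not in ALLOWED_REGIONS:
            findings.append(("unauthorized_region", role, ev["eventName"]))
        # 2. A serverless function's credential used from outside its expected egress network:
        #    the token has left the function, the remote-usage signal the article describes.
        nets = SERVERLESS_ROLE_NETWORKS.get(role)
        if nets and not any(ipaddress.ip_address(ev["sourceIPAddress"]) in n for n in nets):
            findings.append(("remote_token_use", role, ev["eventName"]))
        # 3. Same role active in two regions within a short window (an impossible-travel proxy).
        prev = last_seen.get(role)
        if prev and prev[1] != region and ts - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", role, ev["eventName"]))
        last_seen[role] = (ts, region)
    return findings
```

On the constructed records the first call is clean, the second fires only the remote-token rule, and the third fires all three, which is the kind of escalation a CDR alert should surface before a snapshot export completes.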