Cado Security Releases H2 2023 Cloud Threat Findings Report

Cado Security Labs, Cado’s internal threat research function, today released its H2 2023 Cloud Threat Findings Report to help security teams secure against cloud-focused threat actors.

Cado Security believes that safeguarding large enterprises and small businesses alike requires a collective effort. To this end, Cado prioritizes the security community with its frequent release of free tools, technical playbooks, and threat research. As part of this effort, the team is excited to deliver its second bi-annual Cloud Threat Findings Report. The report's findings are based on real-world techniques employed by cloud-focused threat actors.

The report covers a deep-dive analysis of recently discovered cloud-based malware campaigns, including Qubitstrike, Legion, Blackcat, Bioset, Cetus, P2Pinfect, and 9hits. It also summarizes key technical findings from attacker telemetry gathered across Cado's honeypot infrastructure. These technical findings, which are covered in detail within the report, include:

  • Attackers target cloud services that require specialist technical knowledge to exploit. Attackers are increasingly targeting services such as Docker, Redis, Kubernetes, and Jupyter, which demand expertise different from what is required to attack generic Linux servers.
  • Docker is the most commonly exploited “cloud-native” service for initial access. Although cloud-focused attackers aim to exploit various services typically deployed in cloud environments, Docker remains the most frequently targeted for initial access, with 90.65% of honeypot traffic when discounting SSH.
  • Threat actors leverage hosting companies across the globe for their infrastructure. Identified malware campaigns, such as P2Pinfect, had a wide geographical distribution with nodes belonging to providers in China, the US, and Germany, which shows that regardless of where your infrastructure is located, it is still susceptible to Linux and cloud-focused attacks.
  • Cryptojacking is no longer the sole focus of cloud attackers. While cryptojacking is a legitimate and significant threat, Cado Security Labs has started to see a diversification in objectives displayed by recent Linux and cloud malware campaigns. For example, with the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems. Cloud and Linux infrastructure is now subject to a broader variety of attacks.

Other observations also include:

  • Attackers continue to exploit web-facing services in cloud environments to help them gain access to cloud environments and invest significant time into hunting for misconfigured deployments of these services.
  • Rust malware continues to increase. As the language gains popularity in general software development, it is also becoming increasingly popular in the malware community, with threat actors developing more of their malicious payloads in Rust.

The report also covers recommendations on how best to prevent and prepare for such threats. To download the full report, click here.
