Emerging Cloud Phishing Tactics Exploiting APIs and SaaS Solutions

October 25, 2024

Between December 2023 and September 2024, cybersecurity analysts from ReliaQuest identified a concerning trend in the tactics, techniques, and procedures (TTPs) used by cyber attackers to exploit cloud environments. Based on the analysis of true-positive alerts from customer environments, the findings revealed innovative phishing methods and exploitation of cloud APIs that are becoming increasingly sophisticated. Self-service password reset requests made up 28% of the alerts, highlighting the attackers’ significant efforts to obtain administrative privileges. The GetVersion command surfaced in 31% of alerts within Kubernetes environments, signaling attempts by threat actors to identify software vulnerabilities susceptible to attack and gain unauthorized access.

A key focus of the report was the detection of sophisticated phishing tactics that embed malicious links within cloud storage SaaS solutions, effectively bypassing traditional email filtering systems. For instance, adversaries are increasingly utilizing OneNote files shared via SharePoint and Google Documents distributed through Google Drive. The tactic leverages the inherent trust users place in these well-known platforms, making detection far more challenging. Phishing was implicated in a staggering 71.1% of all TTPs in true-positive incidents, underscoring the significant threat level posed by exploits that rely on user trust and familiarity with common cloud services.

Security Recommendations and Observations

Between December 2023 and September 2024, ReliaQuest’s cybersecurity analysts identified worrisome trends in the tactics, techniques, and procedures (TTPs) of cyber attackers targeting cloud environments. Analyzing true-positive alerts from customer data, the researchers noted increasingly sophisticated phishing methods and the exploitation of cloud APIs. Notably, 28% of alerts were related to self-service password reset requests, highlighting attackers’ efforts to gain administrative privileges. In Kubernetes environments, the GetVersion command appeared in 31% of alerts, indicating attempts to discover software vulnerabilities for unauthorized access.

The report emphasized the detection of advanced phishing tactics that embed malicious links in cloud storage SaaS platforms, bypassing traditional email filters. Attackers increasingly use OneNote files shared through SharePoint and Google Docs via Google Drive, leveraging the trust users place in these platforms, complicating detection. Phishing was involved in an alarming 71.1% of all TTPs in true-positive incidents, illustrating the significant threat posed by exploits centered on user trust in common cloud services.
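As an added example (not from the ReliaQuest report or this article), the sketch below shows one way to surface the GetVersion activity mentioned above for triage. It assumes the activity is visible in Kubernetes API server audit logs as `get` requests to `/version`; the sample events, the allowlisted identity, and the function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample audit events (JSON lines); not data from the report.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","requestURI":"/version","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.7"],"userAgent":"curl/8.4.0"}
{"verb":"get","requestURI":"/version?timeout=32s","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.7"],"userAgent":"curl/8.4.0"}
{"verb":"get","requestURI":"/version","user":{"username":"system:serviceaccount:monitoring:prober"},"sourceIPs":["10.0.0.5"],"userAgent":"prober/1.0"}
{"verb":"get","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"alice"},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.29"}
{"verb":"get","requestURI":"/vers
{"verb":"get","requestURI":"/version/","user":{"username":"jane@example.com"},"sourceIPs":["198.51.100.20"],"userAgent":"python-requests/2.31"}
"""

# Assumption: identities expected to query /version (hypothetical name).
EXPECTED_USERS = {"system:serviceaccount:monitoring:prober"}


def is_version_request(event):
    """True for a GET on the non-resource /version endpoint."""
    path = urlsplit(event.get("requestURI", "")).path.rstrip("/")
    return event.get("verb") == "get" and path == "/version"


def find_unexpected_version_requests(log_text, expected_users=EXPECTED_USERS):
    """Count /version requests per (user, source IP), skipping expected users."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip rather than abort
        if not is_version_request(event):
            continue
        user = event.get("user", {}).get("username", "unknown")
        if user in expected_users:
            continue
        for ip in event.get("sourceIPs") or ["unknown"]:
            hits[(user, ip)] += 1
    return hits


if __name__ == "__main__":
    for (user, ip), count in find_unexpected_version_requests(SAMPLE_AUDIT_LOG).most_common():
        print(f"{count:3d}  {user:35s} {ip}")
```

Routine clients such as `kubectl` and health probes also request `/version`, so the allowlist needs to be built from a baseline of the cluster's normal traffic before the output is treated as an alert.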
