There’s no getting around it — the cloud is a necessity for modern businesses. These days it’s nearly impossible to run a business without interacting with the cloud in some way. While most businesses rely on cloud-based tools to conduct day-to-day operations, these tools also significantly expand a company’s attack surface. Cloud-related attacks are one of the top threats for businesses, with 80% of companies seeing an increase in the frequency of attacks in their cloud environments.
Whether you’re storing data in a cloud service provider like AWS, Microsoft Azure, or Google Cloud Platform, or have invested in SaaS apps like Salesforce, Jira, Slack, or Microsoft 365, protecting your cloud environment is essential to staying in business.
Here are the top cloud security risks organizations face, including real-world examples of breaches, and how to protect against these risks so that your data, your reputation, and your business remain safe.
As the adoption of SaaS applications continues to rise, supply chain attacks are also increasing. With the industry maturing and consolidating, B2B SaaS apps that are used by a large majority of corporations are targeted as enticing backdoors for bad actors. By compromising one of these SaaS apps, a cybercriminal group can impact hundreds of companies and thousands or even millions of customers.
Some of the biggest cyberattacks of the last five years have been supply chain attacks, the SolarWinds hack being the best-known example. (Colonial Pipeline, which is often mentioned alongside it, was a ransomware attack that began with a compromised VPN credential rather than a supply chain compromise.) Even in the last two years, there have been several major disruptions that were the result of supply chain attacks. In 2023, Okta, one of the leading identity and access management providers, serving nearly 20,000 customers, disclosed a significant breach in which bad actors gained access to its customer support system and to files customers had uploaded there, including browser session recordings that contained live session tokens, which were then used to target those customers. Unfortunately, the intrusion went unconfirmed for weeks, giving bad actors plenty of time to act. Similarly, bad actors exploited MOVEit Transfer, a tool used by businesses to securely transfer sensitive files, and stole sensitive data from more than 620 organizations in the first weeks of the campaign, a count that later grew into the thousands.
In both cases, attackers compromised a vendor’s product or service and then used that foothold to reach the data of the major corporations that relied on it, highlighting the need for supply chain security.
Organizations with a large software development function that build on vast cloud environments need to take extra precautions to protect their databases and the code that talks to them. Open-source components are commonly used here, and attackers have a number of ways to target the public repositories that host them.
One tactic used by bad actors is to plant malicious code in a popular open-source component, or in an upcoming update to one, so that the next build or deployment that pulls it runs attacker code inside the company’s environment, with direct access to its databases. In its State of Software Supply Chain Security 2024, ReversingLabs reported a 28% year-over-year increase in the total number of malicious packages uploaded to open-source repositories.
Another common attack vector is SQL injection, in which attacker-supplied input (typically from a web form or an API parameter) is concatenated into a database query and so is executed as SQL rather than treated as data. This lets bad actors read both the database and the restricted data in it, and tamper with both. Denial of service (DoS) attacks are also very common: they take down database servers by flooding them with so many queries that the database can no longer fulfill legitimate requests from actual users.
Though not every company runs its own databases, larger organizations that manage databases in-house need to take the appropriate precautions to ensure they haven’t opened themselves to another area of risk.
One of the advantages of SaaS applications is that software updates are constantly pushed out to users. The downside of rapid development cycles is that they introduce software vulnerabilities. Many breaches start with bad actors exploiting a critical vulnerability in a system, application, or device; until it is patched, each such vulnerability is an open door for threat actors.
Vulnerabilities are everywhere, and their number keeps growing as organizations adopt more cloud-based software. Many of them sit in cloud-facing systems, and if companies aren’t actively searching for and patching vulnerabilities, they are leaving themselves open to attack.
Exploiting known and zero-day vulnerabilities is becoming a popular tactic for ransomware groups. For instance, the aforementioned MOVEit breach began when the Cl0p ransomware group exploited a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362). Similarly, EstateRansomware, a relatively new ransomware group, exploited a year-old vulnerability in Veeam Backup & Replication (CVE-2023-27532) to move laterally through the organization, conduct network discovery, and harvest credentials before ultimately deploying ransomware. It was a thorough and well-executed attack that was made possible by unpatched software.
This pattern of exploiting known and zero-day vulnerabilities, moving deep into an organization, and only then deploying ransomware is far more dangerous than the earlier smash-and-grab ransomware that simply encrypted whatever it landed on, because by the time encryption starts the attackers already hold credentials and copies of the data. It also requires organizations to practice proper vulnerability management in order to protect themselves.
With businesses using more and more applications, credential stuffing and account compromise are becoming larger threats. Each new vendor means another login for each employee, and every one of them can be compromised. Without the appropriate account security, malicious actors have countless opportunities to access a cloud environment through any user’s account.
Using leaked or stolen email address and password combinations, bad actors can try the same combination against every other SaaS application, and given how common password reuse is, their odds of success are high. That means companies with robust cloud-based tech stacks need to be even more vigilant about enforcing multi-factor authentication, encouraging unique passwords (ideally through a password manager), and watching for the burst of failed logins across many different accounts from one source that a stuffing campaign produces.
The Okta breach previously mentioned came down to a compromised credential: an employee had signed into a personal Google account on a company laptop, and a service account credential saved there was exposed and misused by the attackers. Similarly, 925,000 Norton Password Manager accounts were locked down due to suspicious activity after the company experienced a credential stuffing attack in late 2022 and early 2023. The 2023 23andMe data breach, which resulted in the leak of personal and genetic ancestry data of roughly 7 million users, was also due to credential stuffing: malicious actors used 23andMe login credentials that had been reused on other websites.
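As an added example (not code from the article or from any vendor named in it), the detection logic hinted at above: a credential stuffing campaign looks different from a brute-force attack on one account, because a single source tries many distinct usernames with one or two guesses each. The script below parses a constructed authentication log (the format, field names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions; the latter are documentation ranges) and flags any source IP that fails logins against at least four different accounts inside a five-minute window, reporting which accounts it nevertheless logged into successfully, since those are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAILED user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample log (not from any real system).
# 203.0.113.5  : stuffing, four accounts in four seconds, then a hit on "eve"
# 198.51.100.7 : a real user mistyping a password twice, then succeeding
# 203.0.113.9  : brute force on one account, which this rule deliberately ignores
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:02Z LOGIN_FAILED user=bob src=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAILED user=carol src=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAILED user=dave src=203.0.113.5
2024-05-01T10:00:05Z LOGIN_OK user=eve src=203.0.113.5
2024-05-01T10:01:00Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:01:20Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:01:40Z LOGIN_OK user=frank src=198.51.100.7
2024-05-01T10:02:00Z LOGIN_FAILED user=alice src=203.0.113.9
2024-05-01T10:02:05Z LOGIN_FAILED user=alice src=203.0.113.9
2024-05-01T10:02:10Z LOGIN_FAILED user=alice src=203.0.113.9
"""


def parse(lines):
    """Yield one event dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=4):
    """Return {source_ip: finding} for every IP whose failed logins span at
    least `min_distinct_users` different accounts within any `window`."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        peak = 0      # most distinct failed usernames seen in one window
        start = 0     # left edge of the sliding window
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1] if not e["ok"]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            findings[ip] = {
                "distinct_failed_users": peak,
                # Any success from a stuffing source is a compromised account.
                "successful_logins": sorted({e["user"] for e in evs if e["ok"]}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

In production the same rule belongs in the SIEM or identity provider rather than a script, the thresholds need tuning to the tenant (shared NAT addresses produce many users per IP legitimately), and a hit should trigger a forced password reset and session revocation for the successfully stuffed accounts, not just an alert.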
Unfortunately, a great deal of sensitive data is exposed to the public and stolen simply because a cloud database wasn’t properly secured. This could be due to poorly implemented encryption or a total lack of encryption, inadequate access control, or misconfigurations. In some cases, organizations simply lose track of the number of databases and cloud tools being used or don’t understand where data is being stored.
When IT and security teams aren’t aware that databases exist in the company’s environment or they don’t realize where data is being stored, they can’t put the appropriate security protocols and processes in place to secure that database. Unsecured databases then give cybercriminals easy access to all the information living within that database. Using automated bots, they can quickly scan the internet for unsecured databases, steal thousands of records in one grab, and sell them on the dark web.
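The check below is an added example, not code from the article or from any cloud provider, for the misconfiguration case described above: a database that is reachable from the whole internet because a firewall rule opened its port to everyone. It walks a list of security groups in the shape that the AWS EC2 `describe_security_groups` API returns (group IDs and rules here are constructed; in practice you would fetch them with the CLI or boto3) and reports every inbound rule that exposes a well-known database, search or cache port to 0.0.0.0/0 or ::/0, including the common mistake of an "all traffic" rule.

```python
import ipaddress

# Default listening ports of engines that are routinely found exposed.
DB_PORTS = {
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

# Constructed sample mirroring the IpPermissions structure of describe_security_groups.
SAMPLE_SECURITY_GROUPS = [
    {   # fine: a web tier open to the world on 443 only
        "GroupId": "sg-0a1web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # bad: Postgres and MongoDB open to the internet
        "GroupId": "sg-0b2bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # fine: Postgres reachable only from the VPC's private range
        "GroupId": "sg-0c3good",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {   # bad: "all traffic" from any IPv6 address; AWS omits the port fields for -1
        "GroupId": "sg-0d4open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def find_exposed_db_ports(security_groups):
    """Return (group id, port, engine, cidr) for each inbound rule that opens a
    database port to the entire internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":            # all protocols, all ports
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                 # udp/icmp rules do not reach these services
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen != 0:   # only 0.0.0.0/0 and ::/0 count as world-open here
                    continue
                for port, engine in DB_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], port, engine, cidr))
    return findings


if __name__ == "__main__":
    for group_id, port, engine, cidr in find_exposed_db_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {engine} port {port} open to {cidr}")
```

This catches only network exposure. An Elasticsearch or MongoDB instance with authentication disabled is just as lost behind a permissive rule from a "trusted" range that turns out to include a compromised host, so pair this with a check that every database listed in your asset inventory actually requires credentials.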
NordPass research suggests that there are upwards of 9,500 unsecured databases on the internet that house more than 10 billion entries with emails, passwords, and phone numbers. NordPass also estimates that 39% of the exposed databases it found had already been hit with a ransomware attack.
One of the most famous unsecured database incidents occurred in 2019, when a server holding the phone numbers and account IDs of 419 million Facebook users was found exposed online with no password. Ironically, Cognyte, a cybersecurity firm, left a database exposed in 2021 that housed 5 billion records. Information, including usernames, email addresses, and passwords, was available to the public and required no authentication to access. While the company was able to lock the database, there’s no telling how many people saw and downloaded that information before it was secured. Many of those 5 billion records could be living on the black market, leaving users with little protection and lost faith in both Cognyte and the companies that entrusted Cognyte with their data.
Advanced persistent threat (APT) refers to a long-term play where threat actors gain access to a network and sit there undetected for long periods. While in that cloud environment, they can gain command and control (C&C) to steal sensitive company data and intellectual property, hijack computers, shut down networks, spread malware, and more.
APTs are often, though not exclusively, conducted by state-sponsored groups. Cloud environments suit APTs because responsibility for securing them is split between the cloud provider and the customer under the shared responsibility model, and gaps open up wherever the customer assumes the provider is watching. If a company doesn’t implement the right visibility or detection tools, a hacker can lurk in the cloud for a long time, exfiltrating data and monitoring the environment to collect additional sensitive information.
APTs that aim to gain command and control of cloud environments are not only becoming more common, but also increasingly sophisticated. Bad actors encrypt their exfiltration traffic so it is hard to tell from legitimate use, rotate private command-and-control servers so that blocking one does not cut off their access, and deploy advanced backdoor programs to control environments and export sensitive files on an ongoing basis. Finding and flushing out these intruders requires visibility, monitoring, and detection and response tools.
Beyond the risks of an attack or breach, businesses also need to consider compliance when it comes to cloud security. All public companies are subject to regulations that require businesses to protect data living in the cloud. Global companies and companies in highly regulated industries like finance and healthcare must meet even more requirements. These regulations require companies to have the appropriate security controls and processes in place to safeguard consumer data, including processes and tools to protect against supply chain attacks. There are also several data breach disclosure regulations companies must adhere to.
Businesses that don’t meet federal or global regulations face the risk of fines, investigations, and negative publicity should they experience a breach and come under the scrutiny of a federal agency. These fines add to the already massive expenses of a data breach. Unfortunately, ransomware criminal groups are aware of this, so they may target companies in highly regulated industries that aren’t compliant, knowing that those companies might be more likely to pay the ransom to avoid being exposed.
The fines businesses face for noncompliance can be substantial. In 2023, OneMain Financial Group was fined $4.25 million for violating the NYDFS Cybersecurity Regulation. The fine was issued because an NYDFS review of the company’s cybersecurity practices found that the financial institution was not properly storing passwords or sufficiently managing third-party data storage risk. In addition to paying a multi-million dollar fine, the company was also required to take significant (and costly) remediation measures to bring its cybersecurity practices into line with NYDFS’s regulations.
Although it can be time-consuming and expensive to build a security program that meets the appropriate regulations, it’s far less expensive than failing a review, getting fined, and then being ordered to meet the regulations anyway.
If your business is storing data in the cloud or using cloud-based SaaS applications — which you very likely are — you need to have the appropriate security controls in place or you’re leaving your business open to serious risks. Cloud-based attacks are becoming increasingly common and sophisticated, but a strong security program can keep those risks at bay.
Unfortunately, there isn’t a single tool or process that will solve cloud security. Companies need to get buy-in from leaders and take a holistic approach to cloud security. Your program should at least include 24/7 detection and response, visibility and monitoring tools, enhanced data protection tools, and access management protocols. Depending on your in-house capabilities, a managed security services provider can help you identify your specific needs and create an effective cloud security program.
While it takes considerable effort to stand up a cloud security program, whether you’re working in-house or with a security partner, it’s well worth the trouble in the end. You’ll avoid costly compliance fines, ransoms, and data breaches, and maintain your reputation among your customers as a trusted partner.
SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses of all sizes can ensure they are protected against threats. Reach out to the experts at SolCyber to learn more about how we help you secure your business.