#Infosec2025: How CISOs Can Stay Ahead of Evolving Cloud Threats


Cloud environments have become a lucrative target for cyber-threat actors, a subject that will be discussed by experts during the upcoming Infosecurity Europe conference.

Research has shown that nearly half of all data breaches now originate in the cloud, with 80% of organizations experiencing a cloud security breach in the past year.

This is a result of organizations moving their key applications and data from on-prem to cloud environments to improve efficiency.

Yet, in many cases, security strategies have not evolved to account for this shift, with some organizations believing they are offloading security responsibilities to their cloud service provider.

However, under the shared responsibility model, the customer remains responsible for the protection of its data.

Amid this trend, cloud-based threats have grown in scale and sophistication, with techniques continually changing.

It is critical that security leaders understand the current cloud threat landscape, and the core priorities for protecting their organizations from damaging breaches.

How Attackers Are Targeting the Cloud Today

Security experts Infosecurity spoke to shared insights into the main techniques threat actors are currently using to target the cloud.

Vulnerability Exploitation

Bar Kaduri, Head of Security Research at Orca Security, said that vulnerability exploitation is the number one attack vector in the cloud as the number of new vulnerabilities published grows each year and security teams struggle to keep up with patching.

“We see an increase of organizations with public facing neglected assets – assets that have a lot of unpatched vulnerabilities, running on end of life operating systems or weren’t updated for a while. Last year 81% of the organizations were running these assets, compared to 89% this year,” Kaduri noted.

Christian Reilly, Field CTO EMEA at cloud service provider Cloudflare, told Infosecurity that Cloudflare had observed increased attempts to exploit zero day flaws in the cloud in the past year, with attackers getting quicker at targeting these vulnerabilities following public disclosure.

Non-Human Credential Compromise

Researchers have also observed an uptick in credential compromise in the cloud, in particular of non-human credentials such as API keys, OAuth tokens and cloud provider access tokens that grant programmatic access to sensitive resources.

In many cases, compromise of such credentials is enabled by accidental exposure.

Martin Zugec, Technical Solutions Director at Bitdefender, noted: “Attackers actively scan public code repositories like GitHub for these inadvertently committed credentials, which can then be used for unauthorized access, data exfiltration and resource manipulation, bypassing traditional authentication mechanisms.”

Zugec added that attackers are leveraging sophisticated scripts and bots to speed up their identification of these exposed secrets.

Securing non-human identities is a growing cloud concern. Kaduri noted that identities such as API keys and service accounts now outnumber human identities by around 50 to one.

This scale of identities is difficult for organizations to manage and maintain, growing the risk of breaches and even supply chain attacks, such as the tj-actions attack that affected 218 GitHub repositories.

Exploiting Cloud Misconfigurations

Improperly configured cloud system settings continue to be a common cause of breaches in these environments. Misconfigurations are errors or incorrect settings in cloud systems that leave data publicly accessible or enable unauthorized access.

“Cloudflare has observed a rise in attacks targeting open S3 buckets, unsecured Kubernetes clusters and exposed APIs,” commented Reilly.

One way threat actors are leveraging cloud misconfigurations is in the development of DDoS botnets.

Cloudflare has detected increasingly large DDoS attacks, many of which originated from vulnerable cloud instances that were hijacked or misconfigured. This included the record-breaking 5.6Tbps DDoS attack that the firm mitigated in October 2024.

“Unlike traditional botnets relying on consumer devices, modern botnets are now largely built on compromised cloud workloads, with the consequence of offering attackers greater bandwidth and compute power,” Reilly explained.

Evolving Social Engineering Campaigns

Social engineering attacks designed to compromise cloud accounts have also surged, with techniques like phishing, vishing and smishing prevalent.


Attackers are getting more novel with these techniques to bypass defenses such as multi-factor authentication (MFA).

Kieran B, Head of Security Engineering at Bridewell, noted: “Impersonation of help-desk agents, prompting users to take actions such as approving MFA prompts or ‘assisting’ users to reset passwords, are more novel deceptions designed to bypass some of the most common defenses in place in enterprise organizations today.”

He added that the availability of generative AI tools has assisted attackers in crafting more realistic messages, including removing language barriers, to make these deceptions more believable.

Shadow AI

An emerging security threat to the cloud is the rise of unauthorized workloads in these environments. These include large language model (LLM) deployments and model-training pipelines stood up by internal teams, often without proper vetting or security posture review.

Orca Security’s Kaduri warned: “AI has been a significant addition to organizations’ environments, and adoption is outpacing security.”

Post-Compromise Activity

Security experts have also observed attackers becoming more adept at post-compromise activities in the cloud, once initial access has been achieved.

“It is increasingly common for attackers to construct their attacks to ‘live-off-the-cloud’ once they have gained an initial identity, hiding in plain sight and creating their own infrastructure in a customer’s cloud environment (even going as far as using the same naming conventions) to blend in,” Kieran B explained.

Attackers are even able to expand their access without compromising privileged credentials.

Bitdefender’s Zugec noted: “Attackers are increasingly chaining together compromised, lower-privileged tokens to escalate their access within cloud environments, highlighting the danger even seemingly less sensitive credentials can pose when combined.”

Moving between environments in a multi-cloud architecture is another growing threat actor capability. This tactic exploits the growth of multi-cloud deployments, where credentials or permissions are shared across platforms.

Cloudflare’s Reilly said: “A more advanced and subtle threat Cloudflare helped detect in 2024 involves attackers breaching one cloud environment (e.g., AWS) and then pivoting into adjacent providers (e.g., Azure) through federated identity services or misconfigured multi-cloud VPNs.”

Cloud Security Best Practices for CISOs

There are a range of areas CISOs should focus on to protect their cloud environments in the current threat landscape:

  • Protect the crown jewels. It is important to completely understand the nature of your cloud environment, including the tools users are deploying, where the most important data and assets are stored and who is able to access them. Organizations should use these insights to make sure their crown jewels are isolated and guarded
  • Authentication for non-human identities. Organizations should enforce the principle of least privilege for all tokens and keys, and rotate these credentials regularly
  • Stringent monitoring practices. Automated scanning tools focused on detecting accidental exposure of secrets in internal and public code repositories like GitHub should be deployed. Additionally, anomaly-based monitoring of cloud resources, such as unusual access patterns and logins, can boost security teams’ ability to detect cloud attacks early
  • Risk-based patch management. While patching every vulnerability in cloud environments is an impossible undertaking, it is possible to prioritize the biggest threats. Organizations are advised to continuously check information such as which vulnerabilities are being exploited in the wild, which are exposed to the internet and which are actually running in your environment. This information can be used to determine which vulnerabilities should be prioritized for patching
  • Conduct regular audits. Regular audits of cloud services should be conducted to ensure security policies are being adhered to, thereby preventing misconfigurations from occurring
  • Awareness and education. General awareness training for staff, including the need for strong authentication and identifying social engineering campaigns, is important in reducing the risk of cloud exploits. Additionally, developers should be educated on secure coding practices and how to reduce the risks of hardcoding or committing secrets
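The risk-based patch management point above can be turned into a simple triage queue. The following is an added illustration, not code from the article or from any of the vendors quoted: it ranks a constructed inventory of findings using the three signals the article names (exploited in the wild, internet-exposed, actually running), plus the neglected end-of-life OS case raised earlier. The CVE identifiers, asset names and exploited-vulnerability feed are placeholders, and the tier thresholds are assumptions a team would tune to its own risk appetite.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one cloud asset (constructed inventory record)."""
    asset: str
    cve: str
    cvss: float
    internet_exposed: bool  # reachable from the internet (public IP, load balancer, exposed API)
    running: bool           # vulnerable package is actually loaded, not merely installed
    end_of_life_os: bool    # host OS no longer receives vendor patches


# Constructed stand-in for a "known exploited vulnerabilities" feed; placeholder IDs, not real CVEs.
EXPLOITED_IN_WILD = {"CVE-0000-0001", "CVE-0000-0003"}


def tier_of(f: Finding, exploited: set = EXPLOITED_IN_WILD) -> int:
    """1 = patch now, 2 = this cycle, 3 = backlog, 4 = installed but not running: verify or remove."""
    is_exploited = f.cve in exploited
    if not f.running:
        return 4
    if is_exploited and f.internet_exposed:
        return 1
    if is_exploited or f.internet_exposed or f.cvss >= 9.0:
        return 2
    return 3


def reasons(f: Finding, exploited: set = EXPLOITED_IN_WILD) -> list:
    """Human-readable justification for the tier, for the ticket or dashboard."""
    r = []
    if f.cve in exploited:
        r.append("exploited in the wild")
    if f.internet_exposed:
        r.append("internet-exposed")
    if not f.running:
        r.append("package not running")
    if f.end_of_life_os:
        r.append("EOL OS: no vendor fix, isolate or migrate")
    return r or ["no aggravating factors"]


def prioritize(findings, exploited: set = EXPLOITED_IN_WILD) -> list:
    """Order findings by tier, then CVSS (descending), then asset name for a stable queue."""
    ranked = [(tier_of(f, exploited), f) for f in findings]
    ranked.sort(key=lambda tf: (tf[0], -tf[1].cvss, tf[1].asset))
    return ranked


SAMPLE = [  # constructed findings
    Finding("web-01", "CVE-0000-0001", 7.5, True, True, False),
    Finding("db-02", "CVE-0000-0002", 9.8, False, True, False),
    Finding("batch-03", "CVE-0000-0003", 6.5, False, True, False),
    Finding("legacy-04", "CVE-0000-0004", 8.1, True, False, True),
    Finding("api-05", "CVE-0000-0005", 5.3, True, True, False),
    Finding("dev-06", "CVE-0000-0006", 4.0, False, True, False),
]

if __name__ == "__main__":
    for tier, f in prioritize(SAMPLE):
        print(f"tier {tier}  {f.asset:10} {f.cve}  cvss={f.cvss}  {', '.join(reasons(f))}")
```

Note that the internet-facing, exploited finding with a mid-range CVSS outranks the internal 9.8, which is the point of triaging on exposure and exploitation rather than on severity score alone.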

Cloud Security at Infosecurity Europe 2025

Cloud security will be a major focus at this year’s Infosecurity Europe event, both across the talks on stage and on the exhibition floor.

On Tuesday June 3, at 15.15, Kaduri will deliver a talk on the Keynote Stage titled ‘The Infosec Big Fat Annual Cloud Security Update’.

In this presentation, she will set out the biggest cloud threats to look out for in the coming year, what we can learn from the latest novel threats and how to update security practices for the year ahead.

The 2025 event will celebrate the 30th anniversary of Infosecurity Europe. Register here to attend and discover the latest developments and research in cybersecurity.


