According to a survey, 80% of companies have experienced at least one cloud security incident in the last year, and 27% of organizations have experienced a public cloud security incident.
Cloud accounts hold sensitive data, including personal information, customer data, and confidential business documents. However, the rise in the use of cloud technology has also led to an increase in cyber threats, with cloud account compromise and takeover emerging as significant concerns.
Proofpoint, a leader in cybersecurity, states, “Cyber criminals are following businesses into the cloud. As more companies adopt hosted email and webmail, cloud productivity apps like Microsoft Office 365 and Google Workspace, and cloud development environments like AWS and Azure, cybercriminals have quickly learned that the basic corporate account credential is a potential source of money and power. They now target these credentials in growing numbers of threat campaigns. And their relentless efforts are just the opening salvos in their mission to execute wire fraud, industrial espionage, PII data theft, and more.”
Cloud account compromise typically involves unauthorized access to a cloud account, leading to data breaches, loss of sensitive data, and potential financial loss. In contrast, a cloud account takeover is a more severe form of compromise where the attacker gains full control over the cloud account, potentially altering data, deleting information, or even locking out the legitimate user.
These incidents are often the result of weak or compromised credentials, lax security protocols, or sophisticated phishing attacks. Cybercriminals exploit these vulnerabilities to gain unauthorized access to cloud accounts.
The consequences of cloud account compromise and takeover can be devastating. They can lead to:
Furthermore, according to 86% of IT leaders polled in a Ponemon Institute report commissioned by Proofpoint, cloud account compromises cost organizations more than $500,000 a year. Survey respondents also reported 64 cloud account compromises per year on average, with 30% exposing sensitive data.
Preventing cloud account compromise and takeover involves several strategies, including:
Strong, unique passwords are the first line of defense against account compromise. Passwords should be complex, combining letters, numbers, and symbols.
Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide two forms of identification before accessing their accounts. This could be a password and a temporary code sent to a user’s phone.
Employees should be educated about the risks of cloud account compromise and the need to follow security protocols. This includes recognizing and avoiding phishing emails, not sharing passwords, and reporting any suspicious activity.
Regular monitoring and auditing of cloud accounts can help detect any unusual activity that could indicate a compromise. This could include multiple failed login attempts, unfamiliar IP addresses, or sudden changes in account settings.
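The three signals named above can be checked together over a sign-in and audit log. The following is an added example, not part of the original article: the event fields, action names, thresholds, and the per-user baseline of known IP addresses are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source IP, action). Not real data.
EVENTS = [
    ("2024-03-01T08:55:00", "bob", "192.0.2.20", "login_failed"),
    ("2024-03-01T09:00:05", "alice", "198.51.100.7", "login_failed"),
    ("2024-03-01T09:00:40", "alice", "198.51.100.7", "login_failed"),
    ("2024-03-01T09:01:10", "alice", "198.51.100.7", "login_failed"),
    ("2024-03-01T09:02:00", "alice", "198.51.100.7", "login_success"),
    ("2024-03-01T09:06:00", "alice", "198.51.100.7", "mfa_method_added"),
    ("2024-03-01T09:10:00", "bob", "192.0.2.20", "login_success"),
    ("2024-03-01T09:30:00", "bob", "192.0.2.20", "password_changed"),
]
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}}  # assumed baseline
SETTINGS_ACTIONS = {"mfa_method_added", "password_changed", "forwarding_rule_added"}
FAIL_THRESHOLD = 3                    # failures within FAIL_WINDOW that raise an alert
FAIL_WINDOW = timedelta(minutes=5)
FOLLOW_WINDOW = timedelta(hours=1)    # settings change this soon after a flagged login

def detect(events, known_ips):
    """Return (user, alert_kind, timestamp) tuples in chronological order."""
    alerts, fails, flagged = [], {}, {}
    for ts, user, ip, action in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login_failed":
            # Keep only failures still inside the sliding window, plus this one.
            recent = [x for x in fails.get(user, []) if t - x <= FAIL_WINDOW] + [t]
            fails[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append((user, "failed_login_burst", ts))
        elif action == "login_success":
            if ip not in known_ips.get(user, set()):
                flagged[user] = t
                alerts.append((user, "unfamiliar_ip", ts))
        elif action in SETTINGS_ACTIONS:
            # A settings change soon after an unfamiliar-IP login is the stronger signal.
            after_flag = user in flagged and t - flagged[user] <= FOLLOW_WINDOW
            kind = "settings_change_after_unfamiliar_login" if after_flag else "settings_change"
            alerts.append((user, kind, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

Correlating the signals matters more than any one of them: a password change from a known address is routine, while an MFA method added minutes after a login from an unfamiliar address deserves immediate review.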
In the event of a cloud account compromise or takeover, several steps should be taken:
Immediately lock down the compromised account to prevent further unauthorized access. This can involve changing passwords, disabling account features, or even temporarily suspending the account.
Conduct an investigation to understand how the compromise occurred, what data was accessed, and who was responsible. This may involve working with cybersecurity professionals or law enforcement agencies.
If the compromise resulted in a data breach, notify all affected parties. This could include customers, employees, or business partners. Depending on the nature of the data and jurisdiction, there may be legal requirements for data breach notifications.
After addressing the immediate threat, review and update your security measures to prevent future incidents. This could involve strengthening password policies, implementing additional security features, or providing further employee training.
An ongoing Microsoft Azure cloud account takeover (ATO) campaign targeting senior executives and managers, identified by Proofpoint, uses personalized phishing lures to compromise accounts across various organizational functions. The threat group, as yet unidentified, employs tactics such as MFA manipulation and data exfiltration after gaining unauthorized access to accounts within the Azure environment.
With a diverse selection of targeted roles, including top-level positions like president and CEO, the group tries to infiltrate decision-making hierarchies within victim organizations. The campaign's operational infrastructure traces back to proxies, data hosting services, and hijacked domains, with potential links to Russia and Nigeria, suggesting parallels to previous cloud attacks. This ATO campaign highlights the need for advanced security measures to safeguard against sophisticated cyber threats.
Encryption helps protect data stored in cloud accounts by converting it into a secure format that can only be accessed with the correct decryption key, thus preventing unauthorized access to sensitive information.
Cloud service providers offer security measures such as advanced threat detection, identity and access management tools, and compliance certifications to help mitigate the risk of account compromise for their users.
Users can distinguish between legitimate emails and phishing attempts by verifying the sender's email address, avoiding clicking on suspicious links or attachments, and being cautious of requests for sensitive information.