Cloud Provider Cyberattack
Published On: October 1st, 2024 | 6 min read | Categories: Breach, Cybersecurity, Ransomware

A cloud provider cyberattack usually has several different phases: reconnaissance, initial access, privilege escalation, lateral movement, data exfiltration. For initial access, attackers often target misconfigurations, exposed credentials, and vulnerabilities in cloud infrastructure.

Once inside, they exploit weaknesses in identity and access management, inadequate logging and monitoring capabilities, and poor network segmentation to spread laterally across the environment.

The goal is usually data theft, disrupting services, or extorting money via ransomware. A successful attack can permanently damage customer trust and attract regulatory fines if personal or financial data is compromised.

Massive AWS Cyberattack (2024)

A recent attack in 2024 targeted over 230 million unique cloud environments on Amazon Web Services (AWS). The attackers exploited exposed environment variable files (.env) on web servers, which are often overlooked but contain sensitive information such as access credentials. By reading these files, the attackers gained unauthorized entry into systems and then pushed further into the networks behind them.

Using automated tools, they scanned millions of domains for exposed .env files, conducted reconnaissance using AWS API calls, and escalated their privileges by creating new IAM roles with full administrative rights.

The attackers then deployed malicious Lambda functions to scan for more .env files across multiple AWS regions, particularly focusing on Mailgun credentials to conduct phishing campaigns. They accessed .env files on over 110,000 domains, targeting more than 230 million endpoints. The attack concluded with data exfiltration to S3 buckets controlled by the attackers, who then uploaded ransom notes to emptied S3 buckets.
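The privilege-escalation step above, creating IAM roles with full administrative rights, leaves a clear trail in CloudTrail. The following is an added example, not code from the original post: it scans constructed CloudTrail-style events and flags any role that is handed the AdministratorAccess managed policy or an inline policy allowing every action on every resource. The account id, role names and ARNs are made up.

```python
import json
from urllib.parse import unquote

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail-style events (field names follow the CloudTrail record
# format; the account id, ARNs and role names are made up, not from a real account).
SAMPLE_EVENTS = [
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/webapp"},
     "requestParameters": {"roleName": "lambda-helper", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "PutRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/webapp"},
     "requestParameters": {"roleName": "lambda-helper", "policyName": "inline-all",
                           "policyDocument": '{"Version":"2012-10-17","Statement":'
                                             '[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"roleName": "reporting",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def grants_full_admin(policy_document: str) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*".
    CloudTrail may URL-encode the document, so it is unquoted before parsing."""
    doc = json.loads(unquote(policy_document))
    statements = doc.get("Statement", [])
    for st in ([statements] if isinstance(statements, dict) else statements):
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            return True
    return False

def find_admin_role_grants(events):
    """Return (actor_arn, role_name, reason) for every event that hands a role
    full administrative rights, via the managed policy or an inline document."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            findings.append((actor, params["roleName"], "AdministratorAccess attached"))
        elif name == "PutRolePolicy" and grants_full_admin(params.get("policyDocument", "{}")):
            findings.append((actor, params["roleName"], "inline policy allows * on *"))
    return findings
```

Role creation or policy attachment performed by an identity that normally only runs application code (the `webapp` user here) is worth alerting on even before the policy content is inspected.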

Capital One Data Breach (2019)

Although not recent, the Capital One data breach in 2019 remains an example of a cloud provider cyberattack. The breach exposed the personal information of over one hundred million customers due to a misconfigured firewall in Capital One’s cloud infrastructure.

The attacker, a former AWS employee, exploited this misconfiguration to launch a server-side request forgery (SSRF) attack, gaining unauthorized access to Capital One’s AWS resources and obtaining credentials stored in Amazon S3 buckets. The stolen data included names, addresses, credit scores, and social security numbers.

Can Cloud Provider Cyber Attacks Be Prevented?

Preventing cloud provider cyberattacks requires several strategies rolled together:

1. Proper Access Control

Effective access control is essential for securing cloud environments. Applying the principle of least privilege (POLP) ensures that users and services have only the minimal permissions they need to perform their tasks. Regularly rotating credentials, implementing multi-factor authentication (MFA), and using identity federation can help minimize the risk of unauthorized access. Additionally, conditional access policies that consider different risk factors like geolocation and device compliance can protect cloud resources.

2. Attack Surface Management

Attack surface management (ASM) is about finding, monitoring, and reducing potential attacker entry points. This includes securing public endpoints, managing and securing all API gateways, and making sure sensitive files, including .env files, are not exposed publicly. Automated scanning tools and services can detect misconfigurations, exposed secrets, and unpatched vulnerabilities in real time. In addition, network segmentation combined with a zero-trust architecture can prevent attackers from moving laterally in a cloud environment.
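To illustrate the point about .env files, here is an added example (not from the original post) of a defender-side audit: it walks a web server's document root, finds every .env file an HTTP request could reach, and reports only the names of the credential-like keys inside, never their values. The document root, file contents and key names are constructed for the demo.

```python
import os
import re
import tempfile

# Key names whose values are credentials (matched case-insensitively on the key).
SECRET_KEY = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

def parse_dotenv(text):
    """Parse dotenv-style KEY=VALUE lines: skip blanks and '#' comments, strip an
    optional 'export ' prefix and matching surrounding quotes. Returns a dict."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values

def audit_docroot(docroot):
    """Walk a web server document root and report every .env file under it with
    the credential-like keys it holds (values are deliberately not returned)."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            if fname != ".env" and not fname.startswith(".env."):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_dotenv(fh.read())
            findings.append({"path": os.path.relpath(path, docroot),
                             "secret_keys": sorted(k for k in env if SECRET_KEY.search(k))})
    return findings

def demo():
    """Build a constructed document root containing a leaked .env, then audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", ".env"), "w") as fh:
        fh.write("# constructed sample, not real credentials\nAPP_ENV=production\n"
                 "export AWS_ACCESS_KEY_ID=\"EXAMPLEKEYID\"\n"
                 "AWS_SECRET_ACCESS_KEY='EXAMPLESECRET'\nMAILGUN_API_KEY=key-example\n")
    return audit_docroot(root)
```

Pair an audit like this with a web server rule that refuses to serve dotfiles, and keep .env files outside the document root altogether.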

3. Secure Coding Practices

Preventing vulnerabilities in cloud applications requires secure coding practices. Developers should use input validation, output encoding, and secure error handling to avoid server-side request forgery (SSRF), cross-site scripting (XSS), and SQL injection (SQLi) vulnerabilities. Including secure development lifecycle processes such as code reviews, automated static and dynamic analysis, and security testing in the software development lifecycle (SDLC) ensures security is built into the application from the start. Infrastructure-as-code tooling should also include security checks so that insecure configurations are never deployed.
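SSRF is the vulnerability class behind the Capital One breach described above, so one concrete secure-coding control is to validate any URL the application fetches on a user's behalf. The guard below is an added example, not the original post's code: it refuses non-http(s) schemes, embedded credentials, and any host that resolves to a loopback, private or link-local address (the 169.254.169.254 cloud metadata address falls in the link-local range). The `resolver` parameter is a hypothetical hook so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host):
    """Resolve a host name to every IPv4/IPv6 address it maps to; an IP literal
    resolves to itself without a DNS lookup."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL the server is about to fetch.
    Rejects non-http(s) schemes, embedded credentials, hosts that do not resolve,
    and any host that resolves to a non-public address (loopback, RFC 1918,
    link-local such as 169.254.169.254, and so on). `resolver` is an injectable
    hook (assumed for this example) so tests can run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, OSError):
        return False, f"{parts.hostname} does not resolve"
    for addr in addresses:
        # Every address must be publicly routable; one private answer fails the URL.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{parts.hostname} resolves to non-public address {addr}"
    return True, "ok"
```

Run the same check on every redirect the fetch follows, and connect to the address you validated rather than re-resolving the name, otherwise DNS rebinding can slip past it.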

4 Frequently Asked Questions

Below we will answer some frequently asked questions regarding how cloud providers and customers can work on different defenses.

1. What are some of the risks of cloud provider cyberattacks?

The main risks include data breaches and theft, ransomware attacks encrypting cloud resources, disruption of cloud-hosted services and applications, and loss of sensitive customer or proprietary business data.

2. Why are human errors and misconfigurations such a big issue?

Cloud environments have a large attack surface and human errors can inadvertently expose vulnerabilities. Misconfigured access controls, firewalls and other settings may allow unauthorized access that automation tools can easily exploit at scale.

3. My company uses a cloud provider but doesn’t configure anything. Are we still at risk?

Yes, while cloud providers do provide security by default, they still recommend extensive access management and configuration hardening by customers. Relying only on the providers leaves “low-hanging fruit” vulnerabilities that attackers target. Proactive security is needed.

4. What should companies look for in a cloud security solution?

Look for solutions that give visibility into activity, enforce least privilege access, integrate with identity providers, monitor configurations, detect anomalies and threats automatically, and integrate with cloud platforms without disrupting workflows.

Work With BlackFog Today

BlackFog specializes in on-device anti data exfiltration (ADX) technology, which is crucial in preventing data breaches and unauthorized data transfers. This technology works in real time to detect and block attempts to exfiltrate data from a range of different environments, which is often the end goal of cyberattacks.

To learn more about our solution, schedule a no-obligation personalized demo today.
