Incident Response Report - 2025

Issues with identity and access management continue to be contributing factors in a significant number of cases. Cybercriminals such as Bling Libra (distributors of ShinyHunters ransomware) and Muddled Libra gain access to cloud environments by exploiting misconfigurations and finding exposed credentials.

While lack of multi-factor authentication (MFA) is still the most prevalent contributing factor of this type, we are seeing that issue less frequently. We saw it about one fourth of the time in 2024, compared to about a third of the time in 2023.

Other identity and access management issues are trending in the wrong direction. Excessive policy access, excessive permissions and password issues all became more prevalent in 2024, as shown in Figure 2 below.

IAM misconfigurations were the initial access vector in about 4% of cases, but this figure should be considered alongside the scale and impact of cloud attacks. Incidents of this type can affect an organization on a wide scale, and can also affect other organizations if threat actors are able to commandeer cloud resources.

One extortion campaign's cloud operation took advantage of exposed environment variables, the use of long-lived credentials and the absence of least-privilege architecture. Once the threat actors succeeded in embedding attack infrastructure within multiple organizations' cloud environments, they used this as a jumping off point to attack other organizations on a large scale. This included scanning more than 230 million unique targets for additional exposed API endpoints. As a result, the threat actor was able to target exposed files from at least 110,000 domains, collecting more than 90,000 unique leaked variables. Of these variables, 7,000 were associated with cloud services and 1,500 with social media accounts, often including account names in addition to information needed for authentication.

On multiple occasions, Unit 42 has observed threat actors using leaked API/access keys for initial access. This often gives threat actors leverage for further compromise. The use of valid cloud accounts (T1078.004) appears repeatedly in our case data in relation to the following tactics:

• Initial Access (13% of cases where we observed this tactic)
• Privilege Escalation (8%)
• Persistence (7%)
• Defense Evasion (7%)

We responded to multiple cases of threat actors accessing, exfiltrating and then deleting organizations' cloud storage. The speed of exfiltration (often less than a day), combined with data destruction can put extreme pressure on organizations to comply with extortion demands.

In some cases, attackers have also exfiltrated cloud snapshots, which are point-in-time copies of the contents of a cloud storage volume. This activity can expose critical data and can also be difficult to detect amid legitimate uses of snapshots for backup purposes.

The use of cloud resources for exfiltration is very common, even though cloud dataplane compromises represent a small percentage of overall cases (less than 5%). In 45% of cases where we observed exfiltration, attackers sent the data to cloud storage (T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage), a technique that can also mask the attackers' activity within legitimate organizational traffic.

A common issue for SaaS and cloud-based systems is lack of visibility into or attention to issues on those systems.

In one investigation, the organization successfully mitigated an attack, only to be compromised again a short time later.

Our investigators discovered that threat actors had automated exploitation of a vulnerability within a service used within the organization's cloud-based products. By combining this with using anti-forensic techniques to hide activity, the threat actor was able to regain access to the organization and its clients even after internal teams appeared to have successfully removed them.

Though data scraping is not always malicious, its weaponization emerged as a significant threat in 2024. In one case, a threat actor executed billions of daily unauthorized scraping requests. This was an operation that would have cost more than $6 million annually in compute resources had we not identified the activity and aided with its mitigation.

Our incident response teams responded to attacks leveraging advanced techniques to bypass security controls, while cybercrime groups integrated scraping into their attack lifecycle to fuel fraud operations. In another case, attackers' systematic, unauthorized scraping of documents forced an organization to completely re-architect their API infrastructure.

With privacy laws evolving to address automated collection, organizations face pressure to implement unauthorized scraping detection measures. Yet many struggle to differentiate between legitimate access and malicious scraping, often discovering data harvesting only after significant exposure has occurred.

Attackers frequently use compromised cloud resources to attempt to exploit or brute force other unrelated targets.

Another emerging trend is adversaries manipulating environment configurations (beyond a single host) to further enable or conceal their activity. In cloud environments, threat actors can perform the following activities, for example:

• Abuse admin-level access (or the equivalent user account permission misconfigurations, T1098 - Account Manipulation)

• Hijack cloud resources (T1578 - Modify Cloud Compute Infrastructure, T1496.004 - Resource Hijacking: Cloud Service Hijacking)

• Infect critical centrally managed configuration settings (T1484 - Domain or Tenant Policy Modification).

In 2024, we responded to a number of incidents related to the software supply chain.

A critical vulnerability in the data compression library XZ Utils was identified before it could do large-scale damage. However, it remains a lesson in the potential impact of supply chain compromises. According to Red Hat at the time of the disclosure, the XZ tools and libraries contained “malicious code that appears to be intended to allow unauthorized access.” Since XZ Utils is included in a variety of major Linux distributions - which are used in turn by countless organizations around the world - successful deployment of this malicious code could have exposed thousands of organizations around the world. The result of a "multi-year effort,” the issue in XZ Utils underscores the need for all organizations to implement best practices around the open source software incorporated into their systems.

Several vulnerabilities in VPN appliances also raised concerns about the integrity of third-party software. We saw these vulnerabilities used as initial access vectors by both nation-state threat actors and cybercriminals.

Threat actors do not always need to use vulnerabilities to attack organizations through third-party software. In June 2024, the cloud-based data platform Snowflake warned that threat actors were targeting some of its customers' accounts. The company said its research indicated that attackers were using previously compromised credentials (T1078 - Valid Accounts) and cited “ongoing industry-wide, identity-based attacks with the intent to obtain customer data.”

In a different matter worked by Unit 42, threat actors spent months brute-forcing a VPN (T1110 - Brute Force). Their eventual success allowed them to gain access to and maintain persistence in the organization's environment.

The complexity of infrastructure and resulting lack of visibility can make it challenging to fully remediate attacks, particularly when incorporating third-party software.

To reduce risk from supply chain and cloud-based attacks, focus on a few key tactics:

• Limit credential abuse: Enforce strict IAM controls, granting only the privileges necessary for each role. Use short-lived credentials and multi-factor authentication wherever possible.

• Centralize logging and auditing of production cloud resources: Forward logs off the originating host to prevent tampering, and aggregate them for correlation across services. Track anomalies such as unusual API calls or large data transfers.

• Monitor usage patterns: Use log analytics to establish baselines for normal resource consumption and trigger alerts for deviations. Attackers frequently spike CPU or bandwidth usage during data exfiltration or cryptomining.

• Patch promptly: Treat third-party libraries, container images and open-source components as part of your operational infrastructure. Develop a process to regularly review and quickly deploy security updates.

• Secure APIs and supply chain integrations: Apply rate limiting to thwart excessive scraping or brute-force attempts, and use robust scanning tools to assess new dependencies before integrating them into production.

By applying these measures consistently, security teams can identify attacks early, limit their impact and maintain confidence that cloud resources and software pipelines remain under control.