X-Force Report Reveals Top Cloud Threats: AITM Phishing, Business Email Compromise, Credential Harvesting and Theft

As we step into October and mark the start of Cybersecurity Awareness Month, organizations’ focus on protecting digital assets has never been more important. As innovative new cloud and generative AI solutions help advance today’s businesses, it’s also important to understand how these solutions have added to the complexity of today’s cyber threats, and how organizations can address them. That’s why IBM, as a leading global security, cloud, AI and business service provider, advocates to our global clients to take a proactive approach to embedding security into all aspects of their business.

To that end, the 2024 IBM X-Force Cloud Threat Landscape Report provides an in-depth look at the most impactful risks organizations face today, and why implementing proper security mitigation strategies for cloud environments is vital to an organization’s success. Drawing upon threat intelligence, incident response engagements, and partnerships with Cybersixgill and Red Hat Insights, IBM’s X-Force team offers unique insights on how adversaries are compromising cloud infrastructure by leveraging adversary-in-the-middle (AITM) attacks, business email compromise (BEC), and other attack methods.

For example, this year’s report highlights how attackers know that credentials are the keys to cloud environments and are highly sought-after on dark web marketplaces. For this reason, attackers are using phishing, keylogging, watering hole and brute force attacks to harvest credentials. Furthermore, dark web research highlights the popularity of infostealers, which are used to steal cloud platform and service-specific credentials.

Some of the other key findings from this year’s report reveal sophisticated attack methods and ways of exploiting cloud environments that include:

• Phishing is the leading initial access vector. Over the past two years, phishing has accounted for 33% of cloud-related incidents, with attackers often using phishing to harvest credentials through adversary-in-the-middle (AITM) attacks.
• Business Email Compromise (BEC) attacks go after credentials. BEC attacks, where attackers spoof email accounts posing as someone within the victim organization or another trusted organization, accounted for 39% of incidents over the past two years. Threat actors commonly leverage harvested credentials from phishing attacks to take over email accounts and conduct further malicious activities.
• Continued demand for cloud credentials on the dark web, despite market saturation. Gaining access via compromised cloud credentials was the second most common initial access vector at 28%, even though overall mentions of SaaS platforms on dark web marketplaces decreased by 20% compared to 2023.

AITM Phishing Leads to Business Email Compromise and Credential Harvesting

AITM phishing is a more sophisticated form of phishing attack in which attackers position themselves between the victim and a legitimate entity to intercept or manipulate communications. This type of attack is particularly dangerous because it can bypass some forms of MFA, making it a powerful tool for cybercriminals.

Once inside a victim’s environment, threat actors seek to carry out their objectives. Two of the most common actions observed by X-Force were BEC attacks (39%) and credential harvesting (11%). For example, after an attacker compromises a cloud-hosted email platform, they could perform several tasks such as intercepting sensitive communications, manipulating financial transactions, or using compromised email accounts to conduct further attacks.

Leveraging security threat intelligence to inform the business’ employee training programs can be key to helping mitigate all forms of phishing attacks, including AITM. Employees should be trained to accurately recognize and report phishing techniques, spoofed emails, and suspicious links to their IT or security teams. Deploying advanced email filtering and protection tools that leverage AI to detect and block phishing attempts, malicious links, and attachments before they can reach end users is also an effective mitigation strategy. Finally, passwordless authentication options, such as a QR code or FIDO2 authentication, can help protect against AITM phishing attacks.
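The last point deserves a concrete illustration of why FIDO2/WebAuthn resists AITM phishing where one-time codes do not: the browser, not the page, writes the origin it is actually showing into the signed client data, so a proxy sitting on a lookalike domain cannot produce an assertion the real service will accept. The following is an added, simplified relying-party check written for this post (it is not code from the X-Force report or any IBM product); the domain names are constructed, and the authenticator's signature is stood in for by the SHA-256 hash it would sign over.

```python
import base64, hashlib, json, secrets

RP_ORIGIN = "https://login.example.com"      # legitimate service (constructed)
PROXY_ORIGIN = "https://login-example.com"   # AITM lookalike (constructed)
ISSUED_CHALLENGES: set[str] = set()          # server-side record of live challenges

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_challenge() -> str:
    """Server issues a fresh random challenge and remembers it."""
    c = b64url(secrets.token_bytes(32))
    ISSUED_CHALLENGES.add(c)
    return c

def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser fills in the origin of the page that invoked WebAuthn."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()

def authenticator_sign(client_data: bytes) -> bytes:
    """Stand-in for the signature: the authenticator signs sha256(clientDataJSON)."""
    return hashlib.sha256(client_data).digest()

def verify_assertion(client_data: bytes, signed_hash: bytes) -> tuple[bool, str]:
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") not in ISSUED_CHALLENGES:
        return False, "unknown or replayed challenge"
    if data.get("origin") != RP_ORIGIN:            # this is what defeats the proxy
        return False, f"origin mismatch: {data.get('origin')}"
    if hashlib.sha256(client_data).digest() != signed_hash:
        return False, "client data altered after signing"
    ISSUED_CHALLENGES.discard(data["challenge"])   # single use
    return True, "ok"

def legit_login() -> tuple[bool, str]:
    cd = browser_client_data(RP_ORIGIN, new_challenge())
    return verify_assertion(cd, authenticator_sign(cd))

def aitm_login_relayed() -> tuple[bool, str]:
    # Proxy relays the real challenge, but the victim's browser reports the proxy's origin.
    cd = browser_client_data(PROXY_ORIGIN, new_challenge())
    return verify_assertion(cd, authenticator_sign(cd))

def aitm_login_tampered() -> tuple[bool, str]:
    # Proxy rewrites the origin field after signing; the signed hash no longer matches.
    cd = browser_client_data(PROXY_ORIGIN, new_challenge())
    sig = authenticator_sign(cd)
    return verify_assertion(cd.replace(PROXY_ORIGIN.encode(), RP_ORIGIN.encode()), sig)
```

The same relay of a six-digit TOTP code would succeed, because nothing in that code binds it to the origin the user typed it into.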

Gaining Access through Cloud Credentials More Cost Effective than Ever

The average price per compromised cloud credential on the dark web is USD 10.23 in 2024, a decrease of 12.8% since 2022. This price drop, in addition to the 20% decrease in overall mentions of SaaS platforms on dark web marketplaces, may indicate that the market for these credentials is becoming oversaturated. However, it also reflects an increasing availability of these credentials for threat actors to leverage before and during attacks. Thus, it’s no surprise that more than a quarter of cloud-related incidents involved the use of valid credentials, making it the second most common initial access vector. As the price of for-sale cloud credentials decreases, it’s becoming more cost effective (and stealthier) for attackers to compromise organizations by logging in using valid credentials.

The desire for adversaries to obtain cloud credentials for malicious purposes and illicit financial profit is also evident from the continued trend of credential theft from infostealers specifically designed to exfiltrate credentials from cloud services. This threat highlights the need for organizations to manage their cyber exposure and digital risk. Businesses should seek a solution that specifically focuses on discovering, indexing, and tracking operators, malware, and data across clear web and deep and dark web sources. Early detection of compromised credentials allows swift response measures, such as password resets and changes to access controls, to prevent potential future breaches.

A Robust Framework for Improving Cloud Security

Cloud security is especially relevant in today’s business environment, with enterprises increasingly migrating their critical business data from on-prem solutions to cloud environments. Alongside this technology migration is an evolving cyber threat landscape, where threat actors are actively seeking to exploit organizations’ heavy reliance on cloud infrastructure, particularly those handling sensitive business data. This growing dependence on cloud infrastructure has only widened the attack surface available to threat actors, which is why securing the cloud is more crucial than ever.

As long as victims’ cloud environments remain accessible through valid credentials, cybercriminals will continue to seek and use them for their campaigns and operations, whether through phishing, business email compromise (BEC), or selling them on the dark web. As seen in IBM’s 2024 Cost of a Data Breach report, the financial implications and business disruptions for organizations continue to climb.

The report’s findings illustrate the wide-ranging impact of stolen cloud credentials, from intellectual property theft to ransomware deployment. Attackers can use valid credentials to remain undetected and bypass standard security measures, making credential-based attacks a significant and ongoing threat to organizations.

By implementing a holistic approach to cloud security—including protecting data, having an identity and access management (IAM) strategy, proactively managing risks, and being ready to respond to a cloud incident—organizations can be better prepared to defend their cloud infrastructure and services and reduce the overall risk of credential-based attacks.

As IBM Cybersecurity Services (CSS) continues to release major security reports like its 2024 Cost of a Data Breach (CODB) report and the 2024 Threat Intelligence Index, this cloud-focused report captures the specific risks businesses face as they continue along their cloud migration journey. For a deeper dive into the latest cloud-related threats and trends, download the 2024 IBM X-Force Cloud Threat Landscape Report.