Two-thirds of cloud attacks could be stopped by checking configurations, research finds

IBM says that over half of cloud security breaches are caused by issues simple to rectify.
Written by Charlie Osborne, Contributing Writer

Two-thirds of cloud security incidents could have been avoided if the configuration of apps, databases, and security policies were correct, new research suggests.

On Wednesday, IBM Security X-Force published its latest Cloud Security Threat Landscape report, spanning Q2 2020 through Q2 2021.

According to the research, two out of three breached cloud environments observed by the tech giant "would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems."

In every X-Force Red penetration test of the sampled cloud environments, the team also found issues with either credentials or policies.

"These two elements trickled down to the most frequently observed initial infection vectors for organizations: improperly configured assets, password spraying, and pivoting from on-premises infrastructure," IBM says. "In addition, API configuration and security issues, remote exploitation and accessing confidential data were common ways for threat actors to take advantage of lax security in cloud environments."

The researchers believe that over half of recent breaches also come down to shadow IT, which may include apps and services that are not managed or monitored by central IT teams.

Misconfiguration, API errors or exposure, and oversight in securing cloud environments have also led to the creation of a thriving underground market for public cloud initial access. According to IBM, in 71% of ads listed -- out of close to 30,000 -- Remote Desktop Protocol (RDP) access is on offer for criminal purposes.
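The article's central point is that most of these breaches trace back to settings that could have been checked: publicly readable storage, management ports such as RDP exposed to the whole internet, password-only accounts that password spraying can reach, and access policies granted to everyone. The following is an added example, not code from the article or from IBM's report, of what such a check looks like over a small inventory. The inventory schema, resource names and values are constructed for illustration and do not follow any real cloud provider's API; the rules are the ones a defender would map onto the weaknesses the report names.

```python
"""Added example, not part of the article or the IBM report: a small
configuration checker over a constructed, provider-neutral inventory.
The inventory schema (keys, names, values) is invented for illustration;
real cloud APIs differ. The rules map onto the weaknesses the report
names: exposed assets, password-only accounts open to spraying, and
overly broad access policies."""
import ipaddress
from dataclasses import dataclass

# Management ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical names and values).
INVENTORY = {
    "buckets": [
        {"name": "backups-prod", "public_read": True},
        {"name": "app-assets", "public_read": False},
    ],
    "firewall_rules": [
        {"name": "jump-host-rdp", "port": 3389, "source": "0.0.0.0/0"},
        {"name": "web-https", "port": 443, "source": "0.0.0.0/0"},
        {"name": "bastion-ssh", "port": 22, "source": "10.20.0.0/16"},
    ],
    "policies": [
        {"name": "ci-deploy", "principal": "*", "actions": ["storage:*"]},
        {"name": "report-reader", "principal": "svc-reader", "actions": ["storage:Get"]},
    ],
    "users": [
        {"name": "cloud-admin", "password_auth": True, "mfa": False},
        {"name": "dev-alice", "password_auth": True, "mfa": True},
    ],
}


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id
    resource: str  # which object the rule fired on
    detail: str    # human-readable explanation


def is_internal(cidr: str) -> bool:
    """True when the source range lies entirely inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def check_buckets(buckets):
    return [Finding("public-storage", b["name"], "bucket allows anonymous read")
            for b in buckets if b.get("public_read")]


def check_firewall(rules):
    out = []
    for r in rules:
        proto = MANAGEMENT_PORTS.get(r["port"])
        if proto and not is_internal(r["source"]):
            out.append(Finding("exposed-management-port", r["name"],
                               f"{proto} ({r['port']}) reachable from {r['source']}"))
    return out


def check_policies(policies):
    out = []
    for p in policies:
        broad_action = any(a == "*" or a.endswith(":*") for a in p["actions"])
        if p["principal"] == "*" or broad_action:
            out.append(Finding("overly-broad-policy", p["name"],
                               f"principal={p['principal']} actions={p['actions']}"))
    return out


def check_users(users):
    # Password-only accounts are the ones a spraying campaign can reach.
    return [Finding("password-only-account", u["name"], "password login without MFA")
            for u in users if u.get("password_auth") and not u.get("mfa")]


def audit(inventory) -> list:
    """Run every check and return findings sorted by rule, then resource."""
    findings = (check_buckets(inventory["buckets"])
                + check_firewall(inventory["firewall_rules"])
                + check_policies(inventory["policies"])
                + check_users(inventory["users"]))
    return sorted(findings, key=lambda f: (f.rule, f.resource))


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.rule}] {f.resource}: {f.detail}")
```

Run against the constructed inventory, the checker flags four of the nine objects: the public backup bucket, the RDP rule open to the world, the wildcard deploy policy and the MFA-less admin account, while the HTTPS rule, the bastion SSH rule restricted to an internal range, the narrowly scoped reader policy and the MFA-protected developer pass. In practice the same rules would be fed from a provider's real inventory export and run on a schedule, so that drift is caught before it becomes the initial access an attacker buys or finds.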

In some cases, cloud environment access is being sold for as little as a few dollars, although depending on the perceived value of the target -- such as for information theft or potential ransomware payments -- access can fetch thousands of dollars.

IBM's report also states there has been an increase in vulnerabilities impacting cloud applications, with close to half of over 2,500 reported bugs being disclosed in the past 18 months.


Once attackers had obtained access to a cloud environment, they dropped cryptocurrency miners or ransomware variants in close to half of the cases noted in the report. The payloads are also evolving: older malware strains focused on compromising Docker containers, whereas new code is often written in cross-platform languages such as Golang.

"Many businesses don't have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage," IBM says. "Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back."

In other cloud security news, Apple paid a bug bounty hunter $28,000 after he accidentally wiped out Shortcuts functionality for users while testing the firm's apps and CloudKit. The issue was caused by a misconfiguration on the iPad and iPhone maker's part and allowed the researcher to -- albeit unintentionally -- delete default zones in the Shortcuts service.
