Poorly configured cloud environments and off-the-shelf offensive security tools amplify organizations’ cyber attack risks. This is what the Global Threat Report 2024 from Elastic Security Labs shows.
Misuse of proactive security tools
The report reveals that hackers are increasingly using offensive security tools (OST): testing tools created to proactively identify security vulnerabilities.
Another key finding is that businesses are exposed to cyber risks because of poorly configured cloud environments. The report also notes an increase in brute-force attacks and in the use of credential-compromise techniques. The study is based on more than a billion data points observed over the past 12 months.
Attackers misuse commercially available security tools for malicious purposes. Offensive security tools (OST), particularly Cobalt Strike and Metasploit, account for approximately 54% of malware alerts. Cobalt Strike alone accounts for 27% of the alerts recorded.
Misconfigured Cloud environments
At the same time, IT professionals misconfigure their cloud environments. One of the most common problems concerns storage: nearly 47% of failed controls on Microsoft Azure relate to storage account configuration errors. Similarly, 30% of issues on Amazon Web Services (AWS) stem from S3 controls, in particular because security teams have not put multi-factor authentication (MFA) in place.
Google Cloud users are not immune to configuration errors either: nearly 44% of control failures involve BigQuery, mostly because of a lack of customer-defined encryption, which makes attackers' work easier.
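The three misconfiguration classes named above (Azure storage account settings, S3 bucket controls including MFA, and BigQuery datasets without customer-defined encryption) are all visible in configuration data, so they can be audited mechanically. The script below is an added example, not code from the report or from Elastic. The inventory records are constructed; their field names follow the shapes of the public APIs (Azure Resource Manager storage account properties, S3 GetBucketVersioning and GetPublicAccessBlock responses, BigQuery dataset resources, where "customer-defined encryption" corresponds to a customer-managed KMS key), but no cloud API is called and the project and key names are placeholders.

```python
"""Audit constructed cloud configuration records for the misconfiguration
classes highlighted in the report. Added example; records are constructed
and only mimic the public API field names, no provider API is called."""
from typing import Dict, List


def check_azure_storage(account: Dict) -> List[str]:
    """Findings for an Azure storage account record (ARM 'properties' shape)."""
    props = account.get("properties", {})
    findings = []
    # Anonymous blob access is the classic storage-account exposure.
    if props.get("allowBlobPublicAccess", True):
        findings.append("blob public access is allowed")
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("HTTP (non-TLS) traffic is permitted")
    if props.get("minimumTlsVersion", "TLS1_0") != "TLS1_2":
        findings.append("minimum TLS version is below 1.2")
    return findings


def check_s3_bucket(bucket: Dict) -> List[str]:
    """Findings for an S3 bucket record that combines the GetBucketVersioning
    response and the PublicAccessBlockConfiguration."""
    findings = []
    versioning = bucket.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    # MFA delete requires versioning and an MFA token for destructive changes.
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete is not enabled")
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    for key in ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(key, False):
            findings.append(f"public access block setting {key} is off")
    return findings


def check_bigquery_dataset(dataset: Dict) -> List[str]:
    """Findings for a BigQuery dataset record: a missing default KMS key means
    only Google-managed encryption is in use."""
    enc = dataset.get("defaultEncryptionConfiguration") or {}
    if not enc.get("kmsKeyName"):
        return ["no customer-managed default encryption key configured"]
    return []


def audit(inventory: Dict) -> Dict[str, List[str]]:
    """Run every check and return {resource name: findings} for resources
    that have at least one finding."""
    results: Dict[str, List[str]] = {}
    checks = (
        ("azure_storage_accounts", check_azure_storage),
        ("s3_buckets", check_s3_bucket),
        ("bigquery_datasets", check_bigquery_dataset),
    )
    for section, check in checks:
        for resource in inventory.get(section, []):
            findings = check(resource)
            if findings:
                results[resource["name"]] = findings
    return results


# Constructed inventory: one weak and one hardened resource per provider.
INVENTORY = {
    "azure_storage_accounts": [
        {"name": "stweak", "properties": {
            "allowBlobPublicAccess": True, "supportsHttpsTrafficOnly": False,
            "minimumTlsVersion": "TLS1_0"}},
        {"name": "sthardened", "properties": {
            "allowBlobPublicAccess": False, "supportsHttpsTrafficOnly": True,
            "minimumTlsVersion": "TLS1_2"}},
    ],
    "s3_buckets": [
        {"name": "weak-bucket", "Versioning": {"Status": "Suspended"},
         "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": False, "IgnorePublicAcls": False,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        {"name": "hardened-bucket",
         "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
         "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    ],
    "bigquery_datasets": [
        {"name": "weak_dataset"},
        {"name": "hardened_dataset", "defaultEncryptionConfiguration": {
            # Placeholder key path, not a real project.
            "kmsKeyName": "projects/example-project/locations/us/"
                          "keyRings/example-ring/cryptoKeys/example-key"}},
    ],
}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

In a real environment the records would be fed from the providers' inventory APIs or an exported configuration snapshot; the checks themselves stay the same, and a resource with zero findings is the target state for each provider.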
Compromise of access credentials
We also note that attackers are turning to compromising access credentials to penetrate their targets’ networks. Credential compromise accounts for approximately 23% of all behavior observed in cloud environments, primarily in Microsoft Azure environments.
Brute-force attacks rose by 12% and accounted for nearly 35% of all attack techniques recorded in Microsoft Azure environments. While suspicious behaviors detected on endpoints (PC workstations or servers) represented only 3% of the behaviors observed on Linux, 89% of those involved brute-force attacks.
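Brute-force password guessing on Linux endpoints leaves a dense trail of failed logins in the authentication log, which is the simplest place to detect it. The script below is an added example, not code from the report or from Elastic: it parses sshd "Failed password" lines in classic syslog format and raises an alert for a source address once it exceeds a threshold of failures within a sliding time window. The log lines are constructed (documentation IP ranges, a fixed year assumed for the year-less syslog timestamps); the threshold and window values are illustrative.

```python
"""Sliding-window brute-force detection over sshd authentication log lines.
Added example; sample log is constructed and uses documentation IP ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Iterator, Tuple

# Classic syslog sshd line: "Jun 12 10:00:01 host sshd[1201]: Failed password for ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

# Constructed sample: six rapid failures from one address, two slow ones from another.
SAMPLE_LOG = """\
Jun 12 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:00:04 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jun 12 10:00:07 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jun 12 10:00:11 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Jun 12 10:00:15 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.5 port 51238 ssh2
Jun 12 10:00:19 host sshd[1206]: Failed password for invalid user pi from 203.0.113.5 port 51239 ssh2
Jun 12 10:02:30 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 12 10:05:10 host sshd[1301]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jun 12 10:20:00 host sshd[1350]: Failed password for alice from 198.51.100.7 port 40010 ssh2
"""


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, source ip, username) for each failed-password line."""
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{ASSUMED_YEAR} {match['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, match["ip"], match["user"]


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, Dict]:
    """Return one alert per source IP that reaches `threshold` failures inside
    any `window_seconds` span. Each IP keeps a deque of recent failure times;
    timestamps older than the window are dropped from the front."""
    windows: Dict[str, deque] = defaultdict(deque)
    users: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, Dict] = {}
    for ts, ip, user in parse_failures(lines):
        recent = windows[ip]
        recent.append(ts)
        users[ip].add(user)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_alert_at": ts.isoformat(),
                "failures_in_window": len(recent),
                "distinct_users": len(users[ip]),  # user spraying is a strong signal
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The distinct-user count is worth keeping in the alert: many different usernames from one address within a minute is hard to explain as a legitimate user mistyping a password, whereas the slow failures from the second address stay below the threshold and produce no alert.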
"Attackers hijack the original use of security tools and invest in credential compromise to achieve their goals," notes Jake King, Head of Threat and Security Intelligence at Elastic.