Today we're excited to unveil our first yearly cloud threat findings report. The report reveals noteworthy discoveries about the evolving cloud threat landscape, shedding light on the heightened risk of cyberattacks due to the rapid adoption of cloud-focused services.
A Note From our Founders
As experienced incident responders, we've provided crucial support to numerous large enterprises in their response to significant attacks. Time is of the utmost importance in incident response. And, as organizations increasingly adopted cloud technologies, we encountered growing challenges in assisting our clients with swift incident response. Traditional forensics tools and approaches were no longer sufficient, compelling us to seek a better solution. Our frustrations and personal experiences paved the way for the founding of Cado Security, where we developed a platform to revolutionize incident response for the cloud era.
At Cado Security, our mission extends beyond serving enterprises by offering a platform to facilitate efficient cloud forensics and incident response. Our vision for Cado involved investing in initiatives aimed at empowering the broader security community. In pursuit of this goal, we established an internal threat research division dedicated to monitoring the latest attack trends and cloud-focused tactics, techniques, and procedures (TTPs). The following report provides a summary of our team's significant discoveries in 2022.
Our intention in sharing these findings is to equip fellow incident responders and security personnel with the knowledge they need to remain at the forefront of securing organizations.
Who is Cado Security Labs?
Cado Security Labs is the internal threat research division within Cado’s engineering team. Responsible for conducting industry-leading threat intelligence and cloud security research, the team proactively monitors the latest cloud attack trends and Tactics, Techniques, and Procedures (TTPs). Since its inception, Cado Security Labs have discovered numerous novel cloud-based malware and threat techniques. One such example being Denonia, the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.
Key Report Findings
- Botnet agents are the most common malware category, representing around 40.3% of all traffic. Use of botnets has been especially relevant in the context of the Russia-Ukraine war, where they have been leveraged by hacktivists on both sides to conduct DDoS attacks on strategic targets.
- SSH is the most commonly targeted service accounting for 68.2% of the samples seen, followed by Redis at 27.6%, and low Log4Shell traffic at a mere 4.3%, indicating a shift in threat actor strategy no longer prioritizing the vulnerability as a means of initial access.
- Further, in an overwhelming majority, nearly all (97.5%) opportunistic threat actors scan for vulnerabilities in only one "single" specific service to identify vulnerable instances deployed in the wild. This could be due to the fact that attackers are aware of a specific vulnerability in a particular service or they have development experience in that area.
You can read the full report here.
Cloud Investigations
