Cado Security Labs Releases Inaugural 2023 Cloud Threat Findings Report

New Research Equips Security Community for Evolving Cloud-Focused Threats

Cado Security, provider of the first cloud forensics and incident response platform, today announced the release of Cado Security Labs 2023 Cloud Threat Findings Report. The report reveals noteworthy discoveries about the evolving cloud threat landscape, shedding light on the heightened risk of cyberattacks due to the rapid adoption of cloud-focused services.

“Our goal with this report is to equip incident responders and security professionals with essential knowledge, enabling them to adequately secure their organisation amid this rapidly-evolving threat environment,” said James Campbell, CEO and Co-Founder of Cado Security. “By sharing our key findings, we uphold our commitment to continuous investment in initiatives aimed at empowering the broader security community.”

James Campbell, CEO and Co-Founder, Cado Security

Cado Security Labs is the internal threat research division within Cado’s engineering team. Responsible for conducting industry-leading threat intelligence and cloud security research, the team proactively monitors the latest cloud attack trends and Tactics, Techniques, and Procedures (TTPs). Since its inception, Cado Security Labs have discovered numerous novel cloud-based malware and threat techniques. One such example being Denonia, the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.

“As a threat researcher myself, I take immense pride in fostering a culture that emphasises investments and focuses on areas dedicated to researching the latest attack patterns,” said Chris Doman, CTO and Co-Founder of Cado Security. “Building an exceptional team of experts who share this vision is a testament to our commitment to strengthening the collective power of the security community. Our researchers proactively monitor cloud-focused attack techniques and generate findings that serve as the foundation for developing industry-leading resources that keep security teams at the forefront of securing organisations worldwide.”

Chris Doman, Chief Technology Officer and Co-Founder of Cado Security

Cado Security Labs researchers operate honeypot infrastructure to collect cloud attacker telemetry across services known to be targeted by cloud-focused threat actors. Findings are examined in real time and novel attack patterns are identified, reported on, and distributed to the security community.

As organisations increasingly embrace cloud technologies and inherently expose themselves to new and evolving risks, understanding emerging cloud trends on a deeper level is critical. In this report, Cado equips the security community with knowledge that will help them better protect against the latest threats.

Key findings from the report include:

  • Botnet agents are the most common malware category, representing around 40.3% of all traffic. Indeed, the vast majority of observed traffic is dedicated to spreading common botnet families, these include Mirai, XorDDoS and IRCbot – a generic name for botnets making use of the IRC protocol. It’s worth noting that samples categorised as Mirai may actually be one of the many existing variants of this malware. Such variants could be considered commodity malware at this stage, since threat actors actively repurpose the Mirai source code and adapt it to their needs. This has resulted in families such as Cayosin and Qbot, which are sold and redistributed as a service. From the telemetry analysed by Cado Security Labs, it’s clear that threat actors still place significant value in botnets and their usefulness in DDoS attacks. Use of botnets has been especially relevant in the context of the Russia-Ukraine war, where they have been leveraged by hacktivists on both sides to conduct DDoS attacks on strategic targets.
  • SSH is the most commonly targeted service accounting for 68.2% of the samples seen, followed by Redis at 27.6%, and low Log4Shell traffic at a mere 4.3%, indicating a shift in threat actor strategy no longer prioritising the vulnerability as a means of initial access.
    • Since SSH is a protocol used across the internet, not just in cloud infrastructure, this statistic is unsurprising. SSH allows secure communication between clients and servers, and is typically used for server administration. This often means that SSH servers are internet facing and can pose an easy target if inadequately secured.
    • Accounting for just over a quarter of all traffic to the Cado Security Labs honeypot is traffic destined for Redis. Redis is an in-memory data store and is frequently deployed as part of a distributed application in cloud environments. The developers of Redis strongly discourage exposing the data store to the internet, as their security model is designed with trusted clients in mind. Despite this, Redis is frequently observed as an initial access vector for cryptojacking groups, such as 8220 Gang, TeamTNT and WatchDog.
    • The low levels of Log4Shell traffic seen by Cado’s infrastructure indicate that cloud-focused threat actors are no longer prioritising this vulnerability as a means of initial access.   This could be due to the high levels of press coverage that the vulnerability received at the time, with multiple private and public sector organisations providing guidance on how to remediate it for users.
  • Further, in an overwhelming majority, nearly all (97.5%) opportunistic threat actors scan for vulnerabilities in only one “single” specific service to identify vulnerable instances deployed in the wild. This could be due to the fact that attackers are aware of a specific vulnerability in a particular service or they have development experience in that area.

From the attacker telemetry analysed, Cado Security Labs has derived several projections and recommendations. The team anticipates attacks leveraging serverless functions will increase in severity and sophistication, ransomware groups will develop more non-Windows ransomware, and threat actors will continue to exploit cloud services to aid in phishing and spam campaigns.

In light of these predictions, Cado Security experts advise organisations to understand the AWS shared responsibility model, ensure access to relevant evidence, limit the exposure of services like Docker and Redis, check public repositories for cloud credentials, and apply the principle of least privilege:

  1. Understand the Cloud Service Provider (CSP) shared responsibility model.
    The first step toward security in the cloud is to carefully understand that security and compliance is a shared responsibility of the cloud service provider and its customers. To summarise, customers are responsible for everything “IN” the cloud, whereas the CSP is responsible for security “OF” the cloud. For example, customers are responsible for maintaining security of their own data, operating systems, network and firewall configurations, identity and access management, and more. On the other hand, the CSP is responsible for securing the overall hardware and global infrastructure.
  2. Ensure you have access to the right data.
    Data capture in the cloud is different from traditional infrastructure, therefore it’s important to ensure you have enabled sufficient logging to support an incident investigation. Additionally, you should regularly test that you are able to acquire, process and analyse data from CSP log sources, disk images and other key artifacts from deployed resources. Another key point is to ensure you have the right level of automation in place so that you are able to capture evidence from ephemeral environments before it disappears.
  3. Avoid unnecessarily exposing services like Docker and Redis to the internet.

Performing regular scans of your entire estate, both cloud and on-premises, for exposed services that could be leveraged by an attacker is key. If any are found, then you should perform a triage check to determine if they have been compromised.

4. Check public repositories for any cloud credentials.
Breaches of cloud accounts are typically from credentials being found from publicly accessible repositories such as github. If any exposed credentials are found, then you should take the necessary corrective actions and perform an investigation to determine if they have been used by an attacker.

5. Implement the principle of least privilege.
By implementing the principle of least privilege, you can protect higher value resources if lower value resources are compromised. Lateral movement is a key stage of the attack lifecycle and can result in significant damage in the event an account breach does occur.

To download the full report, please visit: