Google Cloud posts new Threat Horizons Report

Google Cloud has published its latest Threat Horizons Report, bringing decision-makers strategic intelligence on threats to cloud enterprise users.

Key takeaways from the report include:

  • Credentials factor into over half of incidents in Q1 2023
    • In Q1 2023 Google Cloud's incident response teams observed that credential issues remained a consistent challenge, accounting for over 60% of compromise factors; this could be addressed by stronger identity management guardrails at the organisation level.
    • Misconfiguration accounted for 19% of compromise factors and was often associated with other compromise factors, such as sensitive UIs or APIs being exposed.
    • An example of how these two factors combine is a misconfigured firewall that unintentionally exposes a UI to the public Internet.
    • Top risky actions that can lead to compromise: cross-project abuse of the access token generation permission, replacement of existing compute disks or snapshots, service account key creation, and project-wide SSH keys on GCE.
  • Mobile Apps Evading Cloud Enterprise Detection through Versioning
    • Researchers have identified instances of Android applications downloading malicious updates after installation, in an attempt to evade Google Play's malware detection.
    • Campaigns using versioning commonly target users' credentials, data, and finances.
    • In an enterprise environment, versioning demonstrates the need for defence in depth, including, but not limited to, restricting application installation to trusted sources such as Google Play and managing corporate devices through a mobile device management (MDM) solution.
  • Identifying Compromised Customer Domains and IPs on Google Cloud
    • Using 2022-23 VirusTotal (VT) and Mandiant data, Google identified 19 customer domains and one IP address hosted on Google Cloud that were compromised in Q1 2023.
    • Each of the 19 websites had at least one malicious file downloaded from it, while the IP address had bidirectional communications with external malware over ports above the well-known port range (i.e. ports 1024-65535).
  • Telecommunications Industry Profile: Cloud Adoption Requires Zero Trust Approach to Address Threats Amid Growing Systemic Cyber Risk Concerns
    • As the telecommunications industry adopts cloud services, threats from nation states and cybercriminals will likely persist, along with pre-existing systemic cyber risk, and require modern cybersecurity approaches such as Zero Trust (ZT) to address.
    • The most frequently targeted telecom subsectors observed by Mandiant over the last two years include wireless telecommunications, IT and telecom services, and data services.
    • Geopolitical activity is likely driving state actors to focus on targeting the telecom industry while financially motivated cybercriminals are evolving their tools and methods for doing so.
    • Digital security threats to telecom industry business continuity and use of legacy systems will likely persist, along with increased focus on cloud service providers, as the industry continues migrating critical IT operations and business support systems to the cloud.
    • Modern cybersecurity approaches such as ZT combined with cloud services can help the telecom industry create and secure new services, maintain resiliency of operations, and reduce risk of data breaches.
  • Threat Insights: Implications of Source Code Leaks
    • This article increases awareness of how compromises or leaks of source code can help cyber threat actors facilitate a variety of exploitation activities, including exposure and abuse of legitimate credentials and certificates, unauthorised reproduction and use of leaked software, the development or insertion of vulnerabilities, and supply chain compromise.
    • Common causes of source code leaks: while credential or authentication token compromise is often cited as the cause of source code incidents, there have been cases in which the compromise of a third-party service involved in hosting the code or in the continuous integration/continuous delivery (CI/CD) process led to compromises of that service's users, as well as malicious insider incidents and misconfigurations.
    • Mitigation recommendations for code repositories and third-party resources reflect commonly cited IT security best practices, including adhering to the principle of least privilege, network segmentation, and log monitoring.
  • Leveraging third-party services while reducing risk
    • Bad actors looking to evade detection can exploit the trusted relationships organisations have with third-party services to gain access through supply chain attacks. These threats can be categorised as reputable third parties being compromised, or bad actors intentionally creating malicious third-party services and luring users into using them.
    • Though each third-party service offers a different level of security to its users, they are essentially black boxes for the organisations integrating with them. The report highlights where malicious behaviour has been observed, where Google assesses threat actors may target, and measures organisations can take to mitigate these risks.
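The four "top risky actions" in the credentials takeaway are all visible in Cloud Audit Logs, and the practical follow-up is to alert on them. The script below is an added example, not code from the Threat Horizons Report or from Google: it runs a simple classifier over constructed, newline-delimited JSON audit-log entries embedded inline. The `protoPayload.methodName` strings it matches are assumptions drawn from the public Cloud Audit Logs format (`GenerateAccessToken`, `google.iam.admin.v1.CreateServiceAccountKey`, the `v1.compute.disks`/`snapshots` write methods and `v1.compute.projects.setCommonInstanceMetadata`), not values quoted by the report, so verify them against your own logs before deploying. "Cross-project" token generation is detected by comparing the caller's service-account project with the project of the target service account.

```python
"""Flag the four risky actions from the credentials takeaway in Cloud Audit Log entries.

Added example, not from the Threat Horizons Report or from Google. The log lines are
constructed, and the methodName strings are assumptions based on the public Cloud Audit
Logs format rather than values quoted by the report.
"""
import json

# protoPayload.methodName values assumed for each risky action.
TOKEN_GEN = "GenerateAccessToken"  # iamcredentials.googleapis.com (assumed)
SA_KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
DISK_SNAPSHOT_WRITES = {
    "v1.compute.disks.insert", "v1.compute.disks.delete",
    "v1.compute.snapshots.insert", "v1.compute.snapshots.delete",
}
PROJECT_METADATA = "v1.compute.projects.setCommonInstanceMetadata"


def principal_project(email):
    """Project owning a service-account principal (name@PROJECT.iam.gserviceaccount.com),
    or None for a human account, whose project cannot be read from the address."""
    if email.endswith(".iam.gserviceaccount.com"):
        return email.split("@", 1)[1].split(".", 1)[0]
    return None


def classify(entry):
    """Return a finding label for one parsed audit-log entry, or None if it looks benign."""
    payload = entry["protoPayload"]
    method = payload["methodName"]
    caller = payload["authenticationInfo"]["principalEmail"]
    target_project = entry["resource"]["labels"].get("project_id")

    if method.endswith(TOKEN_GEN):
        # Only risky when the caller's project differs from the target SA's project.
        caller_project = principal_project(caller)
        if caller_project and caller_project != target_project:
            return "cross-project access token generation"
        return None
    if method == SA_KEY_CREATE:
        return "service account key creation"
    if method in DISK_SNAPSHOT_WRITES:
        return "compute disk/snapshot replacement"
    if method == PROJECT_METADATA:
        # The request body is only present when it was logged; ssh-keys is the high-signal case.
        items = payload.get("request", {}).get("metadata", {}).get("items", [])
        if any(item.get("key") == "ssh-keys" for item in items):
            return "project-wide SSH key change"
        return "project metadata change (inspect for ssh-keys)"
    return None


def scan(log_lines):
    """Parse newline-delimited JSON log entries and return the risky ones, in log order."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        label = classify(entry)
        if label:
            findings.append({
                "finding": label,
                "principal": entry["protoPayload"]["authenticationInfo"]["principalEmail"],
                "method": entry["protoPayload"]["methodName"],
            })
    return findings


def _entry(method, principal, project, request=None):
    """Build a constructed, minimal Cloud Audit Log entry as one JSON line."""
    payload = {"methodName": method, "authenticationInfo": {"principalEmail": principal}}
    if request is not None:
        payload["request"] = request
    return json.dumps({"protoPayload": payload, "resource": {"labels": {"project_id": project}}})


# Constructed sample log lines (not real data).
SAMPLE_LOG_LINES = [
    # Token minted for an SA in proj-b by an SA from proj-a: cross-project, flagged.
    _entry("GenerateAccessToken", "ci-runner@proj-a.iam.gserviceaccount.com", "proj-b"),
    # Same-project impersonation: normal workload behaviour, not flagged.
    _entry("GenerateAccessToken", "app@proj-a.iam.gserviceaccount.com", "proj-a"),
    _entry("google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com", "proj-a"),
    _entry("v1.compute.disks.delete", "bob@example.com", "proj-a"),
    _entry("v1.compute.projects.setCommonInstanceMetadata", "bob@example.com", "proj-a",
           request={"metadata": {"items": [{"key": "ssh-keys",
                                            "value": "bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 sample"}]}}),
    _entry("v1.compute.instances.list", "alice@example.com", "proj-a"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"{finding['finding']:<42} {finding['principal']} ({finding['method']})")
```

In production the same rules would be expressed as a log-based alert or a sink query rather than a script, and same-project `GenerateAccessToken` calls from known workload identities should be allow-listed before the cross-project rule is tuned, since impersonation inside a project is routine.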