Cloud environments are facing an evolving threat from threat actors prioritizing data exfiltration, exploiting identity as the new perimeter, and adapting tactics to evade detection and attribution.
Ransomware and data threats in the cloud are not new. Threat actors have prioritized data exfiltration over encryption and exploited server-side vulnerabilities.
Despite the ongoing presence of ransomware and data theft risks, the trends observed in the last half of 2024 reveal a concerning shift. Threat actors are not only refining their tactics, techniques, and procedures (TTPs) within cloud environments, but they are also becoming more adept at obscuring their identities. This evolution makes it harder for defenders to counter their attacks and increases the likelihood of ransom payments.
Global security and threat intelligence experts have identified, and are working to disrupt, the following developments in the current threat landscape:
• Risks to service accounts: Over-privileged service accounts and lateral movement tactics are increasingly significant threats, even though credential and misconfiguration issues remain common for initial access.
• Identity exploitation: Compromised user identities in hybrid environments can lead to persistent access and lateral movement between on-premises and cloud environments, subsequently resulting in multifaceted extortion.
• Cloud databases are under attack: Threat actors are actively exploiting vulnerabilities and weak credentials to access sensitive information.
• Increased adaptability: Threat actors are leveraging Ransomware-as-a-Service (RaaS) offerings and adjusting tactics to evade detection and attribution.
• Diversified attack methods: A threat actor group we track as TRIPLESTRENGTH uses privilege escalation, including charging against victim billing accounts to maximize profits from compromised accounts.
• Threat actors are using increasingly sophisticated tactics to steal data and extort organizations in the cloud: Threat actors are using multifactor authentication (MFA) bypass in cloud-based services to compromise accounts and aggressive communication strategies with victims to maximize their profits.
To stay ahead of the curve in 2025, a robust cloud security strategy must prioritize data exfiltration and identity protection. The following content provides cloud security decision-makers with the latest intelligence on threat actor tactics and actionable mitigations to better inform cloud data security strategies.
New Data Points to Threat Actors Increasingly Exploiting Overprivileged Service Accounts to Move Laterally
Cloud security research highlights that threat actors are shifting focus. Instead of solely focusing on stealing user login information and exploiting misconfigurations to gain initial entry, they are now targeting overprivileged service accounts, that is, accounts that have more privileges than necessary. By exploiting these accounts, actors can more easily move laterally within an organization’s systems, potentially causing more damage from their intrusions. This research shares key internal cloud risk factors that make organizations more susceptible to these attacks.
Post-Initial Access Efforts: Lateral Movement Dominates
Data sources also reveal valuable insights into the actions threat actors take once they have gained access to an organization’s systems: more than half (62.2%) of observed threat actor movements after initial access involved attempting lateral movement within an environment and downloading tools designed for this purpose. This underscores the need for effective detective controls capable of identifying and remediating lateral movement on cloud assets.
Research also shows a significant trend in threat actors searching for insecure private keys (13.7%), reinforcing the need for organizations to prioritize the security and proper management of private keys. Access token manipulation also appeared often enough to be notable (11.3%), highlighting the ongoing importance of Identity and Access Management (IAM) as a critical security focus area.
Mitigations
We recommend the following risk mitigations to enhance your security posture to help protect against threats to service accounts:
• Reduce service account key risk: Consider alternative solutions to using service account keys to reduce this attack surface. When they cannot be removed, review best practices for managing service account keys.
• Restrict service account key creation: Use organization policies to restrict service account key creation and limit the roles assigned to service accounts.
• Optimize identity and access management (IAM) policies: Ensure only necessary services have access to critical assets, and regularly review IAM policies to apply the principle of least privilege. Consider using IAM Recommender to help navigate proper permissioning for roles.
• Enhance internal threat monitoring: Reinvigorate lateral movement detection technologies and policies for internal-facing sensors.
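The detective side of these mitigations can be exercised against audit data and IAM policy. The following is an added example (not code from this report or from Google Cloud) that scans constructed Cloud Audit Log entries for service account key creation and flags service accounts bound to the basic Owner or Editor roles. The method name `google.iam.admin.v1.CreateServiceAccountKey` and the role names are real; the log entries, project and account names, and the severity rules are assumptions constructed for illustration.

```python
"""Detect service account key creation and over-privileged service accounts.

Added example, not code from the report. The audit log entries and the IAM
policy below are constructed; the project and account names are made up.
"""
import json

# Basic roles that grant far more than a workload normally needs. The role
# names are real Google Cloud roles; treating them as "over-privileged" for a
# service account is this example's policy choice.
OVERPRIVILEGED_ROLES = {"roles/owner", "roles/editor"}

# Real Cloud Audit Log method name recorded when a user-managed key is created.
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

# Constructed sample: three audit log entries as newline-delimited JSON.
SAMPLE_AUDIT_LOG = """
{"timestamp": "2024-11-02T09:14:03Z", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/-/serviceAccounts/deploy-bot@example-proj.iam.gserviceaccount.com"}}
{"timestamp": "2024-11-02T09:20:45Z", "protoPayload": {"methodName": "google.iam.admin.v1.GetServiceAccount", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/-/serviceAccounts/deploy-bot@example-proj.iam.gserviceaccount.com"}}
{"timestamp": "2024-11-02T23:58:10Z", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "deploy-bot@example-proj.iam.gserviceaccount.com"}, "resourceName": "projects/-/serviceAccounts/admin-sa@example-proj.iam.gserviceaccount.com"}}
"""

# Constructed sample IAM policy in the shape returned by getIamPolicy.
SAMPLE_IAM_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:admin-sa@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:deploy-bot@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-proj.iam.gserviceaccount.com"]},
    ]
}


def is_service_account(email: str) -> bool:
    """Service account emails end in .gserviceaccount.com."""
    return email.endswith(".gserviceaccount.com")


def parse_entries(ndjson: str) -> list:
    """Parse a newline-delimited JSON log export, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def find_key_creations(entries: list) -> list:
    """Return one alert per CreateServiceAccountKey event.

    A key minted by one service account for a *different* service account is
    the lateral-movement pattern the report describes (an identity minting
    long-lived credentials for another), so it is rated high.
    """
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
        target = payload.get("resourceName", "").rsplit("/", 1)[-1]
        severity = "high" if is_service_account(actor) and actor != target else "medium"
        alerts.append({"time": entry.get("timestamp"), "actor": actor,
                       "target": target, "severity": severity})
    return alerts


def find_overprivileged_service_accounts(policy: dict) -> dict:
    """Map each service account bound to a basic role to the roles it holds."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in OVERPRIVILEGED_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            if kind == "serviceAccount":
                findings.setdefault(email, []).append(role)
    return findings


if __name__ == "__main__":
    for alert in find_key_creations(parse_entries(SAMPLE_AUDIT_LOG)):
        print(alert)
    for sa, roles in find_overprivileged_service_accounts(SAMPLE_IAM_POLICY).items():
        print(f"{sa}: {', '.join(roles)}")
```

The preventive counterpart to this detection is the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, which implements the "restrict service account key creation" recommendation above; the detector is useful where keys cannot yet be eliminated and their creation must at least be visible.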
The Boundary of Identity
As organizations expand the cyber boundary to cover a hybrid plane of on-premises, multi-cloud, and multi-Software as a Service-based applications, the common “boundary” has shifted from the network perimeter to the identity plane. With the expansion to cloud, the scope of what represents an “identity” has also expanded, including managed identities (typically associated with human interaction to resources) and identities associated with workloads (including programmatic/automated interaction). Without proper controls and processes, a single compromised identity could cause a disproportionately impactful cyber event, including data theft and/or ransomware deployment, causing significant damage to organizations.
Identity Threats
Identity compromise is no longer limited to password theft based upon misconfigurations or weak passwords. Threat actors are now gaining access by intercepting or stealing post-authenticated tokens or cookies, effectively bypassing traditional authentication criteria. The most common methods of identity compromise include brute-forcing using common/guessable passwords, replaying stolen credentials from a previous breach, credential stuffing, phishing, and social engineering.
Organizations have responded to these growing threats by enhancing authentication requirements like enforcing multifactor authentication (MFA), but threat actors continue to adapt their techniques by invoking SIM swapping, MFA fatigue (push/text-based notifications), Adversary in the Middle (AitM) attacks, and targeted social engineering—masquerading as a trusted resource to convince someone to provide MFA codes or accept an MFA validation prompt.
A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud. This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks. Stolen credentials can also be used to register malicious applications for persistent access to communication platforms, or to obtain long-lived credentials like access keys and certificates, further solidifying a foothold. Ultimately, an initial credential compromise can enable attackers to pivot across on-premises or cloud infrastructure, escalate privileges, and establish persistence, resulting in stolen data, extortion, and destructive activities.
Mitigations
To protect against the impact of attacks on the identity plane, organizations must level up their authentication processes and playbooks for responding to threats in the following ways:
Combine strong authentication with attribute-based validation: The authentication process should not be based on a single identity attribute like a password. Rather, organizations should shift towards the concept of a positive identity transaction, which requires strong authentication (e.g., phishing resistant MFA methods, passwordless) combined with attribute-based validation, which may include:
• Geo-verification for where the authentication request was initiated
• Identity risk reviews and verification (suspicious logins, leaked credentials, atypical travel, recent changes to identity attributes following a large scope of access attempts)
• Time-based access enforcement (Just-in-Time) or predefined session durations based upon sensitivity of what is being accessed
• Device state review and verification (pre-defined attributes, trusted health status)
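To make the "positive identity transaction" concrete, the following added example (not code from this report) combines the authentication method with the four attribute checks listed above: geo-verification against an allowed-country list, atypical travel between consecutive sign-ins, device health, and a session duration chosen by sensitivity. The thresholds, the trusted-device table, the allowed countries and the sign-in events are all constructed assumptions; a real deployment would source them from the identity provider and device management platform.

```python
"""Positive identity transaction: strong authentication plus attribute checks.

Added example, not from the report. The thresholds, trusted-device table,
allowed countries and sign-in events are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Methods treated as phishing-resistant; everything else triggers step-up.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}

# Constructed policy: allowed sign-in countries and device health records.
ALLOWED_COUNTRIES = {"US", "DE"}
DEVICE_HEALTH = {"dev-1234": "healthy", "dev-5678": "noncompliant"}

# Constructed session limits keyed by the sensitivity of what is accessed.
SESSION_LIMITS = {
    "low": timedelta(hours=12),
    "medium": timedelta(hours=4),
    "high": timedelta(minutes=30),
}

# Travel faster than this between two sign-ins is treated as atypical.
MAX_TRAVEL_KMH = 900.0


@dataclass
class SignIn:
    user: str
    method: str
    country: str
    lat: float
    lon: float
    at: datetime
    device_id: str
    sensitivity: str
    credential_leaked: bool = False
    mfa_changed_recently: bool = False


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def atypical_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True when the distance since the previous sign-in implies impossible speed."""
    if prev is None:
        return False
    # Clamp to one minute so two sign-ins in the same second still get a speed.
    hours = max((cur.at - prev.at).total_seconds() / 3600.0, 1.0 / 60.0)
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_TRAVEL_KMH


def evaluate(prev: Optional[SignIn], cur: SignIn) -> dict:
    """Combine authentication strength with attribute checks into one decision."""
    deny, step_up = [], []
    if cur.country not in ALLOWED_COUNTRIES:
        deny.append("geo_not_allowed")
    if atypical_travel(prev, cur):
        deny.append("atypical_travel")
    if cur.credential_leaked:
        deny.append("leaked_credential")
    health = DEVICE_HEALTH.get(cur.device_id)
    if health is None:
        deny.append("unknown_device")
    elif health != "healthy":
        step_up.append("device_unhealthy")
    if cur.method not in PHISHING_RESISTANT:
        step_up.append("weak_auth_method")
    if cur.mfa_changed_recently:
        step_up.append("recent_mfa_change")

    decision = "deny" if deny else ("step_up" if step_up else "allow")
    return {
        "decision": decision,
        "reasons": deny + step_up,
        # Only an allowed transaction gets a session, sized by sensitivity.
        "session": SESSION_LIMITS[cur.sensitivity] if decision == "allow" else timedelta(0),
    }


if __name__ == "__main__":
    t0 = datetime(2024, 11, 2, 9, 0)
    first = SignIn("bob@example.com", "passkey", "US", 40.7128, -74.0060, t0, "dev-1234", "high")
    later = SignIn("bob@example.com", "passkey", "JP", 35.6762, 139.6503,
                   t0 + timedelta(hours=1), "dev-1234", "high")
    print(evaluate(None, first))
    print(evaluate(first, later))
```

The split between "deny" and "step_up" reasons is the design point: signals that indicate the credential itself is untrustworthy (leaked, impossible travel, unknown device, disallowed geography) cannot be cured by another MFA prompt, whereas a weak method or unhealthy device can be answered by stepping up to a phishing-resistant factor.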
Comprehensive identity incident response: In addition to fortifying authentication processes, organizations must also modernize playbooks and processes for proper containment and remediation for identities, which may include:
• Enforcing mandatory MFA for an account if not already configured
• Disabling and rotating credentials for an account
• Revoking access tokens within the identity provider (IdP)/cloud platform(s)/accessible application(s)
• Revoking cookies for authenticated identities within applications
• Reviewing, revoking, and regenerating programmatic/long-lived identities (access keys/certificates)
• Reviewing registered devices associated with compromised identities, and revoking any devices which are unauthorized/recently added
• Reviewing enforced MFA methods associated with compromised identities, and removing any methods that are weak or subject to MFA bypass techniques
• Reviewing and revoking (credentials/access) for any newly registered applications associated with a compromised identity
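The containment checklist above is most useful when it runs as a playbook rather than from memory. The following added example (not code from this report or from any identity provider) turns the eight steps into a planner that, given a constructed record of a compromised identity and the compromise time, produces the ordered list of revoke, rotate and remove actions. The identity record, its field names, the timestamps and the set of MFA methods treated as bypassable are assumptions; a real runbook would read the record from the IdP, cloud platform and application APIs and execute each action against them.

```python
"""Containment plan for a compromised identity.

Added example, not from the report. The identity record, its field names and
the timestamps are constructed; a real runbook would read them from the IdP,
cloud platform and application APIs and call their revoke/rotate operations.
"""
from collections import Counter
from datetime import datetime, timezone

# MFA methods the report lists as subject to bypass (SIM swapping, push
# fatigue); membership in this set is this example's policy choice.
WEAK_MFA_METHODS = {"sms", "voice", "push", "email"}

# Constructed compromised identity record and the time compromise began.
COMPROMISED_AT = datetime(2024, 11, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_IDENTITY = {
    "user": "carol@example.com",
    "mfa_enforced": False,
    "tokens": [{"id": "tok-1", "issuer": "idp"}, {"id": "tok-2", "issuer": "cloud"}],
    "app_sessions": [{"app": "mail", "cookie_id": "c-77"}],
    "long_lived_credentials": [{"kind": "access_key", "id": "AK-0001"},
                               {"kind": "certificate", "id": "cert-42"}],
    "devices": [
        {"id": "dev-1", "added_at": datetime(2024, 1, 10, tzinfo=timezone.utc), "authorized": True},
        {"id": "dev-9", "added_at": datetime(2024, 11, 2, 9, 30, tzinfo=timezone.utc), "authorized": False},
    ],
    "mfa_methods": [{"type": "fido2"}, {"type": "sms"}],
    "registered_apps": [
        {"client_id": "app-legit", "registered_at": datetime(2023, 5, 1, tzinfo=timezone.utc)},
        {"client_id": "app-rogue", "registered_at": datetime(2024, 11, 2, 10, 5, tzinfo=timezone.utc)},
    ],
}


def build_containment_plan(identity: dict, compromised_at: datetime) -> list:
    """Turn the report's containment checklist into an ordered action list."""
    user = identity["user"]
    plan = []
    # 1. Enforce MFA if the account never had it.
    if not identity.get("mfa_enforced", False):
        plan.append(("enforce_mfa", user))
    # 2. Disable and rotate the primary credential unconditionally.
    plan.append(("disable_and_rotate_credentials", user))
    # 3. Revoke tokens at the IdP and cloud platform(s).
    for token in identity.get("tokens", []):
        plan.append(("revoke_token", f"{token['issuer']}:{token['id']}"))
    # 4. Revoke application cookies for authenticated sessions.
    for session in identity.get("app_sessions", []):
        plan.append(("revoke_cookie", f"{session['app']}:{session['cookie_id']}"))
    # 5. Revoke and regenerate long-lived programmatic credentials.
    for cred in identity.get("long_lived_credentials", []):
        plan.append(("revoke_and_regenerate", f"{cred['kind']}:{cred['id']}"))
    # 6. Devices registered after compromise, or never authorized, are removed.
    for device in identity.get("devices", []):
        if device["added_at"] >= compromised_at or not device.get("authorized", False):
            plan.append(("revoke_device", device["id"]))
    # 7. Strip MFA methods that are weak or subject to bypass.
    for method in identity.get("mfa_methods", []):
        if method["type"] in WEAK_MFA_METHODS:
            plan.append(("remove_mfa_method", method["type"]))
    # 8. Applications registered after compromise lose their credentials/access.
    for app in identity.get("registered_apps", []):
        if app["registered_at"] >= compromised_at:
            plan.append(("revoke_app", app["client_id"]))
    return plan


def summarize(plan: list) -> Counter:
    """Count actions by type for a quick review before execution."""
    return Counter(action for action, _ in plan)


if __name__ == "__main__":
    plan = build_containment_plan(SAMPLE_IDENTITY, COMPROMISED_AT)
    for action, target in plan:
        print(f"{action:32} {target}")
    print(dict(summarize(plan)))
```

Steps 6 and 8 are time-gated on the compromise timestamp because the report's concern is persistence added by the attacker; legitimately registered devices and applications survive, while anything added after the intrusion began is treated as attacker persistence until proven otherwise.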
Database Security: Critical Cloud Protection
Threat actors are increasingly targeting identities and databases, exploiting misconfigurations and vulnerabilities to gain access to sensitive information and resources. Insecure databases containing critical business data and personally identifiable information (PII) are particularly attractive targets. Once inside, attackers can leverage compromised credentials to move laterally and access potentially even more valuable data, which may in turn open additional attack paths to further sensitive information.
Mitigations
A variety of services and products are available to help ensure the security and integrity of managed databases. Recommendations include:
• Secure private connections
• Enable logging & monitoring
• Use robust Identity and Access Management (IAM)
• Proactively approach vulnerability management
• Enhance data protection with Virtual Private Cloud (VPC) service controls
Threat Actor Spotlight: UNC2165 Ransomware and Data Theft Extortion
UNC2165 is a set of financially motivated threat actor activity dating to at least 2019 that abuses cloud services to host data exfiltrated from victim environments. The threat actors behind this activity have shifted to using new ransomware families over time, likely in response to sanctions and their desire to hinder attribution efforts by security defenders. UNC2165 has notable similarities to operations publicly attributed to Evil Corp, including a heavy reliance on FAKEUPDATES infections to obtain initial access to victims and overlaps in their infrastructure, and use of particular ransomware families. UNC2165 has impacted nearly every industry, including healthcare, retail, construction, engineering, legal and professional services, with victims located in North America, Europe, Asia Pacific, and the Middle East, according to Mandiant.
Threat Actors Abusing Cloud Storage Services to Host Data Exfiltrated from Victim Environments
Beginning in December 2023, UNC2165 resumed their intrusion operations after a period of dormancy dating back to April 2023. UNC2165 has almost exclusively obtained initial access to victims’ networks from UNC1543, financially motivated threat actors that have distributed FAKEUPDATES since at least April 2018. Consistent with previous campaigns, UNC2165 leveraged UNC1543 distribution channels, involving search engine optimization (SEO) poisoning and FAKEUPDATES, to deliver the COLORFAKE.V2 in-memory dropper and MYTHIC payloads. Historically, UNC2165 operations heavily relied on BEACON for lateral movement and to maintain access to the victim environment. However, as of late 2023, UNC2165 has used the MYTHIC post-exploitation framework in intrusions.
Mitigations
A number of capabilities are available to help customers protect against threat actors similar to UNC2165 conducting ransomware and data theft extortion operations:
• Regularly review user permissions
• Enhance cloud security posture with Google SecOps
• Use Virtual Private Cloud (VPC) Service Controls
• Define access policies
• Strengthen ransomware defense with protection and containment strategies
Disrupting Financially Motivated Threat Actors Conducting Cloud Hijacking Campaigns
This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity. Additional opportunistic threat activity includes:
• Account hijacking focused on cloud service accounts to mine cryptocurrency
• Ransomware and extortion operations, including activity that overlaps with multiple ransomware deployments and efforts to recruit partners in blackmail operations
• Advertising access to servers, including those from cloud platforms such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean.
Mitigations
We recommend the following risk mitigations to enhance your security posture to protect against threats like account takeover, which could lead to threat actor ransomware or data extortion operations. Help prevent cloud account takeover:
• Enroll in multifactor authentication (MFA)
• Use automated monitoring and alerting for sensitive activity
• Implement robust Identity and Access Management (IAM) policies
• Establish a cloud-specific backup strategy
• Enable proactive virtual machine scanning
• Monitor and control unexpected costs
Growing Threat from Data Leak Sites Enabling Extortion in the Cloud
Security experts have observed threat actors increasingly extorting victim organizations by exposing their stolen data on Data Leak Sites (DLS). This threat actor tactic is alarming because in the last year we have seen this activity impact victim organizations who rely on cloud technologies across multiple cloud service providers, not just those with on-premises systems. The expanded use of these extortion tactics combined with the prevalence of DLS poses a growing threat for all organizations, regardless of where their data is stored.
Since April 2024, 11 different postings to the EMBARGO DLS have been observed, which include the following activity:
• Data Exfiltration: An internal database of a mortgage lender was breached in a major ransomware attack that leaked the personal data of multiple customers on the dark web.
• Extortion Attempt: Alleged victims appear on the EMBARGO DLS. Affiliates of EMBARGO can create a victim blog post with the company’s name, their logo, a description of the company, a description of the incident (e.g., what and how much were stolen), any screenshots, and a possible link to the data.
Mitigations
Organizations can leverage multiple Google Cloud products to enhance protection against ransomware and data theft extortion:
• Leverage Security Command Center (SCC)
• Prevent data exfiltration
• Incorporate automation and awareness strategies
• Enhance security with government insights