Dive Brief:
- Weak credentials and misconfigurations across cloud systems were at the root of 3 in 4 network intrusions during the first half of 2024, Google Cloud said Wednesday in its latest Threat Horizons Report.
- Google Cloud said systems with weak or no credentials were the top initial access vector, accounting for 47% of cloud environment attacks during the first six months of the year. That’s a slight decrease from the second half of 2023 when weak or no credentials were at the root of 51% of attacks, according to Google Cloud.
- Misconfigurations were the initial access vector for 30% of all cloud environment attacks during the first half of 2024, marking a significant jump from 17% in the second half of 2023.
Dive Insight:
Poor identity governance is a chronic condition that cybersecurity professionals, threat hunters and incident response firms have been sounding the alarm over for years.
Legitimate credentials were at the root of a spree of attacks in April targeting more than 100 Snowflake customer environments, resulting in massive data breaches at AT&T, Advance Auto Parts, Pure Storage and other organizations.
Snowflake customers’ credentials were obtained from multiple infostealer malware infections on systems not owned by Snowflake, according to the cloud-based data warehouse vendor and Mandiant. Impacted customer accounts were not configured with multifactor authentication, Mandiant’s investigation found.
The full scope of the campaign remains mostly shrouded in mystery, with dozens of companies still recovering from data theft, extortion demands and advertisements on the dark web offering allegedly stolen data for sale.
A ransomware attack snarled the U.S. healthcare industry for months earlier this year when an attacker used stolen credentials for a Citrix remote access server to gain access to systems used by Change Healthcare, a subsidiary of UnitedHealth Group. The Citrix portal did not have MFA turned on.
“Weak or no credentials remained a key driver of initial access, accounting for the most frequent successful vector and the second most commonly seen trigger for detection rules,” Google Cloud said in the report.
The identity challenge confronting enterprises is persistent. The Cybersecurity and Infrastructure Security Agency pinned more than half of all attacks on critical infrastructure networks and state and local agencies on valid account credentials in 2022.
In almost 40% of ransomware attacks Mandiant responded to last year, cybercriminals used legitimate credentials or brute-force attacks to gain initial access to victim environments.
IBM X-Force’s annual Threat Intelligence Index report found that valid account compromises accounted for almost one-third of global cyberattacks last year, making them the most common initial access vector for attacks in 2023.