Lacework Releases Quarterly Cloud Threat Report

Enterprising criminals are selling direct access to cloud accounts.

August 31, 2021

4 Min Read


SAN JOSE, Calif., Aug. 31, 2021 /PRNewswire/ -- Lacework, the data-driven
security platform for the cloud, today released its quarterly cloud threat
report, unveiling the new techniques and avenues cybercriminals are infiltrating
to profit from businesses.

The rapid shift of applications and infrastructure to the cloud creates gaps in
the security posture of organizations everywhere. This has increased the
opportunities for cybercriminals to steal data, take advantage of an
organization's assets, and to gain illicit network access.

"It's in enterprises' best interest to start thinking of cybercriminals as
business competitors," said James Condon, Director of Research at Lacework.
"Last year alone, cybercrime and ransomware attacks cost companies $4 billion in
damages. As more companies shift to cloud environments, we're seeing an increase
in demand for stolen access to cloud accounts and evolving techniques from
cybercriminals, making enterprises even more vulnerable to cloud threats."

New research from Lacework Labs, the dedicated research team at Lacework that
focuses on new threats and attack surface risks within the public cloud, sheds
light on the crimeware and growing ransomware landscape in the face of new
threat models and emerging cybersecurity challenges. Based on anonymized data
across the Lacework platform from May 2021 - July 2021, key findings of the
report include:

-- Initial Access Brokers (IABs) Expand to Cloud Accounts
-- As corporate infrastructure continues to expand to the cloud, so do
opportunistic adversaries as they look to capitalize on the
opportunity. Illicit access into cloud infrastructure of companies
with valuable data/resources or wide-reaching access into other
organizations offers attackers an incredible return on investment. In
particular, Lacework Labs found Amazon AWS, Google Cloud, and Azure
administrative accounts are gaining popularity in underground
-- Threat Actor Campaigns Continue to Evolve: Lacework Labs has observed a
variety of malicious activity originating from known adversary groups
and malware families. This section showcases those who continue evolving
their operators as a valuable return on investment:
-- 8220 Gang Botnet and Custom Miner: Lacework Labs recently found a new
cluster of activity linked to an 8220 Gang adversary group campaign of
infecting hosts, primarily through common cloud services, with a
custom miner and IRC bot for further attacks and remote control. This
cluster shows operations are evolving on many levels, including
efforts of hiding botnet scale and mining profits.This is indicative
of attacks growing in size.
-- TeamTNT Docker Image Compromise: The Lacework Labs team discovered
threat actor TeamTNT backdooring legitimate Docker Images in a supply
chain-like attack. Networks running the trusted image were unknowingly
-- Developer teams need to be certain they know what's in the image
they pull. They need to validate the source or they could open a
door to their environment.
-- Popular cloud relevant crimeware and actors:
-- Cpuminer, the open-source multi-algorithm miner, has been legitimately
used for years. However, Lacework Labs observed an increase in its
illicit use for cryptomining altcoins.
-- Monero and XMRig are the most common accounts for cryptomining
against cloud resources, hence activity involving lesser-seen coins
and tools may be more likely to go undetected.
-- Cloud services probing:
-- Lacework Labs captures a range of telemetry in both product
deployments and custom honeypots, which allows the company to see
trends relevant to cloud defense purposes. For these sources, many
cloud-relevant applications are continually targeted, but Lacework
found that AWS S3, SSH, Docker, SQL and Redis were by far the most
Based on the findings of this report, Lacework Labs recommends that defenders:

-- Ensure Docker sockets are not publicly exposed and appropriate firewall
rules/ security groups and other network controls are in place. This
will help to prevent unauthorized access to network services running in
an organization.
-- Ensure the access policies you set via the console on S3 buckets are not
being overridden by an automation tool. Frequent auditing of S3 policies
and automation around S3 bucket creation can ensure data stays private.
To view a copy of the full report or the executive summary, please visit here.

The new research findings are part of Lacework's second volume of its Cloud
Threat Report, a quarterly report that details new crimeware incidents,
vulnerabilities, and attacker opportunities.

About Lacework
Lacework is the data-driven security platform for the cloud. The Lacework Cloud
Security Platform, powered by Polygraph, automates cloud security at scale so
our customers can innovate with speed and safety. Polygraph is the only security
solution that can collect, analyze, and accurately correlate data across an
organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down
to the handful of security events that matter. Customers all over the globe
depend on Lacework to drive revenue, bring products to market faster and safer
and consolidate point security solutions into a single platform. Founded in 2015
and headquartered in San Jose, Calif., with offices all over the world, Lacework
is backed by leading investors like Sutter Hill Ventures, Altimeter Capital,
Liberty Global Ventures, and Snowflake Ventures, among others. Get started at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights