Lacework Quarterly Cloud Threat Report Shows the Automated Techniques Cybercriminals are Using to Attack Businesses in the Cloud

Lacework | August 31, 2021

Lacework, the data-driven security platform for the cloud, today released its quarterly cloud threat report, unveiling the new techniques and avenues cybercriminals are infiltrating to profit from businesses.

The rapid shift of applications and infrastructure to the cloud creates gaps in the security posture of organizations everywhere. This has increased the opportunities for cybercriminals to steal data, take advantage of an organization's assets, and to gain illicit network access.

"It's in enterprises' best interest to start thinking of cybercriminals as business competitors," said James Condon, Director of Research at Lacework. "Last year alone, cybercrime and ransomware attacks cost companies $4 billion in damages. As more companies shift to cloud environments, we're seeing an increase in demand for stolen access to cloud accounts and evolving techniques from cybercriminals, making enterprises even more vulnerable to cloud threats."

New research from Lacework Labs, the dedicated research team at Lacework that focuses on new threats and attack surface risks within the public cloud, sheds light on the crimeware and growing ransomware landscape in the face of new threat models and emerging cybersecurity challenges. Based on anonymized data across the Lacework platform from May 2021 - July 2021, key findings of the report include:

Initial Access Brokers (IABs) Expand to Cloud Accounts
As corporate infrastructure continues to expand to the cloud, so do opportunistic adversaries as they look to capitalize on the opportunity. Illicit access into cloud infrastructure of companies with valuable data/resources or wide-reaching access into other organizations offers attackers an incredible return on investment. In particular, Lacework Labs found Amazon AWS, Google Cloud, and Azure administrative accounts are gaining popularity in underground marketplaces.
Threat Actor Campaigns Continue to Evolve: Lacework Labs has observed a variety of malicious activity originating from known adversary groups and malware families. This section showcases those who continue evolving their operators as a valuable return on investment:
8220 Gang Botnet and Custom Miner: Lacework Labs recently found a new cluster of activity linked to an 8220 Gang adversary group campaign of infecting hosts, primarily through common cloud services, with a custom miner and IRC bot for further attacks and remote control. This cluster shows operations are evolving on many levels, including efforts of hiding botnet scale and mining profits.This is indicative of attacks growing in size.
TeamTNT Docker Image Compromise: The Lacework Labs team discovered threat actor TeamTNT backdooring legitimate Docker Images in a supply chain-like attack. Networks running the trusted image were unknowingly infected.
Developer teams need to be certain they know what's in the image they pull. They need to validate the source or they could open a door to their environment.
Popular cloud relevant crimeware and actors:
Cpuminer, the open-source multi-algorithm miner, has been legitimately used for years. However, Lacework Labs observed an increase in its illicit use for cryptomining altcoins.
Monero and XMRig are the most common accounts for cryptomining against cloud resources, hence activity involving lesser-seen coins and tools may be more likely to go undetected.
Cloud services probing:                                                            
Lacework Labs captures a range of telemetry in both product deployments and custom honeypots, which allows the company to see trends relevant to cloud defense purposes. For these sources, many cloud-relevant applications are continually targeted, but Lacework found that AWS S3, SSH, Docker, SQL and Redis were by far the most targeted.
Based on the findings of this report, Lacework Labs recommends that defenders:

Ensure Docker sockets are not publicly exposed and appropriate firewall rules/ security groups and other network controls are in place. This will help to prevent unauthorized access to network services running in an organization.
Ensure the access policies you set via the console on S3 buckets are not being overridden by an automation tool. Frequent auditing of S3 policies and automation around S3 bucket creation can ensure data stays private.

About Lacework
Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Polygraph is the only security solution that can collect, analyze, and accurately correlate data across an organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., with offices all over the world, Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, Liberty Global Ventures, and Snowflake Ventures, among others.


Keep your cybersecurity skills relevant in 2020. Learn more about the cybersecurity skills gap and how you can take small steps to increase your cybersecurity awareness.


Keep your cybersecurity skills relevant in 2020. Learn more about the cybersecurity skills gap and how you can take small steps to increase your cybersecurity awareness.

Related News


Cyware & GuidePoint Security Partner to Share Threat Intelligence

GuidePoint Security | April 21, 2022

Cyware, the industry's leading supplier of platform-agnostic Cyber Fusion Centers with next-gen SOC capabilities, today announced a collaboration with GuidePoint Security, a leader of cybersecurity solutions. GuidePoint Security joins a renowned group of Cyware Technology Partner Program solution providers, managed security service providers (MSSPs), and systems integrators in assisting clients in making wiser choices and minimizing risk. GuidePoint is broadening its threat management portfolio and expanding its service offerings with actionable threat intelligence and incident response solutions as a result of its new relationship with Cyware. GuidePoint's enterprise solutions for Cyware will allow clients to aggregate, analyze, and autonomously exchange data for enhanced threat visibility, as well as provide users with threat response collaboration capabilities. “Our partnership with GuidePoint couldn’t have come at a better time when the global threat landscape is witnessing a massive deterioration because of high impact threats targeting enterprises globally. Together, GuidePoint and Cyware will enable enterprises, ISACs/ISAOs, MSSPs, and government bodies to bring together siloed security operations, operationalize threat data more efficiently, and collaborate on threat response using next-gen cyber fusion solutions.” Amit Patel, Senior Vice President, Global Sales, Cyware The Cyber Fusion Center platform from Cyware combines SOAR and actionable threat intelligence to provide a cohesive, automated, and modular solution for bi-directional threat intelligence sharing, comprehensive case and workflow management, and unified orchestration for enterprises, ISACs/ISAOs, MSSPs, industry groups, National CERTs, and government organisations around the world. GuidePoint is a renowned cybersecurity adviser and solutions provider, with thousands of businesses around the nation relying on its expertise. Customers can depend on the company's proven experience, customized solutions, and services to help them make smarter cybersecurity choices that reduce risk. GuidePoint is the most recent multinational IT business to use Cyware as one of the engines powering its security service. Cyware collaborates with some of the world's most notable technology companies to provide enhanced solutions and intelligence.

Read More

$16+ Billion Global Security as a Service Industry up to 2025-Rising Web Safety and E-mail Safety Demand

prnewswire | September 01, 2020

The "Security as a Service Market - Forecasts from 2020 to 2025" report has been added to's offering. The global Security as a Service market is projected to grow at a CAGR of 19.52% to reach a value of US$16.239 billion by 2025 from US$5.572 billion in 2019. There has been an increase in the number of security breaches over the past few years and has led to severe losses to the end-user industries such as BFSI, and Communication and Technology among others. This has led to an increase in the concerns among the end-users and is forcing them to adopt advanced approaches to secure their infrastructure from attacks. Security as Service providers includes the different security services companies dealing in cloud security services, data security services, ransomware protection services, and e-mail security services among others.

Read More


F-Secure has Launched a Modular Platform for Cyber Security Servitization

F-Secure | May 20, 2021

Today, cybersecurity provider F-Secure launched F-Secure Elements: a replacement cloud-based platform that streamlines how organizations provide cybersecurity services. Available from F-Secure's service partners with fixed-term license subscriptions, or usage-based billing for greater flexibility, F-Secure Elements empowers organizations to select cybersecurity services on terms that accommodate their needs. Many organizations operate in complex environments dominated by a variety of dynamic risks and opportunities. Keeping these complexities in mind, also because of the rising costs of security and therefore the lack of experienced security professionals, it's no surprise that an awesome number of organizations want to simplify how they source cybersecurity capabilities. F-Secure Executive vice-chairman of Business Security Juha Kivikoski says these demands are driving a shift toward providing cybersecurity as services instead of products. "Even with updates, products are static and can't adapt fast enough to stay up with threats, or businesses, as they evolve. Services help businesses stay agile and are less expensive when delivered right, which is why the longer term of our industry is in delivering everything as a service," he explained. "Having a platform designed for the servitization of cybersecurity can help organizations recover protection, which is why simplicity and adaptability are F-Secure Elements' core design principles." F-Secure Elements may be a modular platform that mixes endpoint protection, endpoint detection and response, vulnerability management, and collaboration protection for cloud services (such as Microsoft Office 365). F-Secure Elements' key capabilities and benefits include: • Comprehensive situational awareness and meaningful visibility across assets, configurations, vulnerabilities, threats, and events. • Streamlined and autonomous operations to make sure efficient workflows and faster responses to real threats. • Real-time, connected data flow between elements to enable faster detection of threats. • Intelligent, extended detection and response capabilities for data-informed decisions. • On-demand choice to elevate difficult cases to F-Secure experts. About F-Secure Nobody has better visibility into real-life cyber attacks than F-Secure. We're closing the gap between detection and response, utilizing the unequaled threat intelligence of many of our industry's best technical consultants, many devices running our award-winning software, and ceaseless innovations in AI. Top banks, airlines, and enterprises trust our commitment to beating the world's most potent threats. alongside our network of the highest channel partners and over 200 service providers, we're on a mission to form sure everyone has the enterprise-grade cybersecurity we all need.

Read More