Cado Security Labs Releases Inaugural 2023 Cloud Threat Findings Report

Cado Security, provider of the first cloud forensics and incident response platform, today announced the release of Cado Security Labs 2023 Cloud Threat Findings Report. The report reveals noteworthy discoveries about the evolving cloud threat landscape, shedding light on the heightened risk of cyberattacks due to the rapid adoption of cloud-focused services.

"Our goal with this report is to equip incident responders and security professionals with essential knowledge, enabling them to adequately secure their organization amid this rapidly-evolving threat environment," said James Campbell, CEO and Co-Founder of Cado Security. "By sharing our key findings, we uphold our commitment to continuous investment in initiatives aimed at empowering the broader security community."

Cado Security Labs is the internal threat research division within Cado's engineering team. Responsible for conducting industry-leading threat intelligence and cloud security research, the team proactively monitors the latest cloud attack trends and Tactics, Techniques, and Procedures (TTPs). Since its inception, Cado Security Labs have discovered numerous novel cloud-based malware and threat techniques. One such example being Denonia, the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.

"As a threat researcher myself, I take immense pride in fostering a culture that emphasizes investments and focuses on areas dedicated to researching the latest attack patterns," said Chris Doman, CTO and Co-Founder of Cado Security. "Building an exceptional team of experts who share this vision is a testament to our commitment to strengthening the collective power of the security community. Our researchers proactively monitor cloud-focused attack techniques and generate findings that serve as the foundation for developing industry-leading resources that keep security teams at the forefront of securing organizations worldwide."

Cado Security Labs researchers operate honeypot infrastructure to collect cloud attacker telemetry across services known to be targeted by cloud-focused threat actors. Findings are examined in real time and novel attack patterns are identified, reported on, and distributed to the security community.

As organizations increasingly embrace cloud technologies and inherently expose themselves to new and evolving risks, understanding emerging cloud trends on a deeper level is critical. In this report, Cado equips the security community with knowledge that will help them better protect against the latest threats.

Key findings from the report include:

• Botnet agents are the most common malware category, representing around 40.3% of all traffic. Use of botnets has been especially relevant in the context of the Russia-Ukraine war, where they have been leveraged by hacktivists on both sides to conduct DDoS attacks on strategic targets.
• SSH is the most commonly targeted service accounting for 68.2% of the samples seen, followed by Redis at 27.6%, and low Log4Shell traffic at a mere 4.3%, indicating a shift in threat actor strategy no longer prioritizing the vulnerability as a means of initial access.
• Further, in an overwhelming majority, nearly all (97.5%) opportunistic threat actors scan for vulnerabilities in only one "single" specific service to identify vulnerable instances deployed in the wild. This could be due to the fact that attackers are aware of a specific vulnerability in a particular service or they have development experience in that area.

From the attacker telemetry analyzed, Cado Security Labs has derived several projections and recommendations. The team anticipates attacks leveraging serverless functions will increase in severity and sophistication, ransomware groups will develop more non-Windows ransomware, and threat actors will continue to exploit cloud services to aid in phishing and spam campaigns.

In light of these predictions, Cado Security experts advise organizations to understand the AWS shared responsibility model, ensure access to relevant evidence, limit the exposure of services like Docker and Redis, check public repositories for cloud credentials, and apply the principle of least privilege.

To download the full report, please visit: https://offers.cadosecurity.com/cado-security-labs-2023-threat-findings-report.

About Cado Security

Cado Security provides the first cloud forensics and incident response platform. By leveraging the scale and speed of the cloud, the Cado platform automates forensic-level data capture and processing across cloud, container, and serverless environments. Only Cado empowers security teams to respond at cloud speed. Backed by Eurazeo, Blossom Capital, and Ten Eleven Ventures, Cado Security has offices in the United States and the United Kingdom. For more information, please visit https://www.cadosecurity.com/ and follow us on Twitter @CadoSecurity.