Google Cybersecurity Action Team Threat Horizons Report #7 Is Out!

Anton Chuvakin, published in Anton on Security, Aug 8, 2023


This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our seventh Threat Horizons Report (full version) that we just released (the official blog for report #1, my unofficial blogs for #2, #3, #4, #5 and #6).

My favorite quotes from the report follow below:

[Figure source: Google Cloud Threat Horizons #7]
  • “Credential issues continue to be a consistent challenge, accounting for over 60% of compromise factors” [A.C. — again, file under ‘shocking but not surprising’]
  • “Misconfiguration accounted for 19% of compromise factors, which were also associated with other compromise factors such as sensitive UI or APIs exposed which account.” [A.C. — to me, ‘creds first, misconfigs second’ makes sense as a top-line descriptor for cloud security issues yesterday, today and probably tomorrow]
  • “The predominant alerts for Q1 2023 [A.C. — from another data set, see the report] at nearly 75% were for cross-project abuse of access token generation permission associated with MITRE ATT&CK® tactic of Privilege Escalation (TA0004) and technique of Valid Accounts: Cloud Accounts (T1078.004).” [A.C. — to me, this is a good reminder that cloud is NOT just somebody else’s computer, and you need to learn cloud to protect it]
  • “Researchers have identified instances of Android applications downloading malicious updates after installation. […] DCL (aka MITRE T1407) enables attackers to download and execute code not included in the original application after installation. The technique enables an attacker to evade static analysis and pre-publication checks by the Google Play Store.” [A.C. — this is a scary scenario indeed, it happens to be the one I always worry about with any 3rd party mobile app — what if the app is taken over and updated to a malicious version?]
  • “We found 13 compromised domains likely belonging to Google Cloud customers and malware having bi-directional communications with one compromised customer-owned IP.” [A.C. — just because you use the cloud, does not mean that your domain isn’t taken over by the attackers…]
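The third quote above, about cross-project abuse of access token generation (T1078.004), is the kind of thing you can only catch if you actually look at cloud audit logs. Below is an added example of the detection logic, written by me for this post and not taken from the report or from any Google product: it scans Cloud Audit Log entries for IAM Credentials API token-generation calls where the calling service account lives in a different project than the target service account. The log lines are constructed for the example, and the field paths (protoPayload.serviceName, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, resource.labels.project_id) reflect my reading of the Cloud Audit Log format rather than anything the report states; the method set TOKEN_METHODS is likewise my assumption of what "access token generation" covers.

```python
import json
from typing import Dict, Iterable, List, Optional

# IAM Credentials API methods that mint credentials for a service account.
# Assumption: these are the methods behind the report's "access token generation".
TOKEN_METHODS = {"GenerateAccessToken", "GenerateIdToken"}

# Constructed sample Cloud Audit Log entries (not real data, fields trimmed
# to what the detection needs). Entry 1 is a cross-project token mint,
# entry 2 is a same-project mint, entry 3 is a human caller whose project
# cannot be derived from the email alone, entry 4 is an unrelated IAM call.
SAMPLE_LOG_LINES = [
    json.dumps({
        "protoPayload": {
            "serviceName": "iamcredentials.googleapis.com",
            "methodName": "GenerateAccessToken",
            "authenticationInfo": {"principalEmail": "attacker-sa@proj-a.iam.gserviceaccount.com"},
            "resourceName": "projects/-/serviceAccounts/victim-sa@proj-b.iam.gserviceaccount.com",
        },
        "resource": {"type": "service_account", "labels": {"project_id": "proj-b"}},
    }),
    json.dumps({
        "protoPayload": {
            "serviceName": "iamcredentials.googleapis.com",
            "methodName": "GenerateAccessToken",
            "authenticationInfo": {"principalEmail": "ci-runner@proj-b.iam.gserviceaccount.com"},
            "resourceName": "projects/-/serviceAccounts/deployer@proj-b.iam.gserviceaccount.com",
        },
        "resource": {"type": "service_account", "labels": {"project_id": "proj-b"}},
    }),
    json.dumps({
        "protoPayload": {
            "serviceName": "iamcredentials.googleapis.com",
            "methodName": "GenerateIdToken",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/-/serviceAccounts/deployer@proj-b.iam.gserviceaccount.com",
        },
        "resource": {"type": "service_account", "labels": {"project_id": "proj-b"}},
    }),
    json.dumps({
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "attacker-sa@proj-a.iam.gserviceaccount.com"},
            "resourceName": "projects/proj-b",
        },
        "resource": {"type": "project", "labels": {"project_id": "proj-b"}},
    }),
]


def project_of_service_account(email: str) -> Optional[str]:
    """Derive the owning project from a service account email.

    Google-managed SA emails have the form <name>@<project-id>.iam.gserviceaccount.com.
    For human users (or other principal types) the project is not encoded in the
    address, so we return None and let the caller decide how to enrich.
    """
    suffix = ".iam.gserviceaccount.com"
    if not email.endswith(suffix):
        return None
    return email.split("@", 1)[1][: -len(suffix)]


def find_cross_project_token_generation(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return token-minting events where caller project != target SA project."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iamcredentials.googleapis.com":
            continue
        method = payload.get("methodName", "")
        if method not in TOKEN_METHODS:
            continue
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
        target_project = entry.get("resource", {}).get("labels", {}).get("project_id")
        caller_project = project_of_service_account(caller)
        if caller_project is None or target_project is None:
            # Cannot decide from the log line alone; a production rule would
            # enrich human principals from IAM rather than silently drop them.
            continue
        if caller_project != target_project:
            hits.append({
                "caller": caller,
                "caller_project": caller_project,
                "target_project": target_project,
                "target": payload.get("resourceName", ""),
                "method": method,
            })
    return hits


if __name__ == "__main__":
    for hit in find_cross_project_token_generation(SAMPLE_LOG_LINES):
        print(f"ALERT cross-project {hit['method']}: {hit['caller']} -> {hit['target']}")
```

Note the deliberate limitation: cross-project minting by a service account is a strong signal, but legitimate cross-project impersonation (shared CI projects, org-level tooling) exists, so treat the output as a triage queue and allow-list known pairs rather than page on every hit.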

Now, go and read the report!

P.S. Admittedly, this one has less eye opening data, but hey … maybe the attackers are doing fewer cool things in the cloud :-)
