| Report | Takeaways |
|---|---|
| Palo Alto Unit 42: Cloud Threat Report H2 2020 | Unit 42 research shows that cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure |
| Accenture: Cyber Threat Intelligence Report Volume 2 - 2021 | Cloud environments were and continue to be attractive targets, perhaps due to lower monitoring levels than on-premise environments. ... cloud-related malware has evolved faster than more traditional malware in 2021 based on analysis of the rate of code changes between cryptominers (a primary malware malicious actors deploy in compromised cloud environments) compared to code changes in botnets and ransomware ... Accenture observed ransomware and extortion operators targeting cloud infrastructure and hosted backups in attempts to increase operational impact |
| Fugue: The State of Cloud Security 2021 | N/A |
| IBM Security: 2021 X-Force Cloud Threat Landscape Report | The three most commonly observed methods for threat actors to compromise cloud environments in cases studied by X-Force IR were password spraying, software vulnerability, and pivoting from an on-premise compromise to the cloud |
| IDC for Ermetic: State of Cloud Security 2021 | Most organizations (63%) confirmed that their sensitive data has been exposed in the cloud |
| Snyk: State of Cloud Native Application Security 2021 | Over 56% experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications |
| GCP: November 2021 Cloud Threat Intelligence report | Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining |
| AWS: 2022 re:Inforce session on ransomware h/t Rich Mogull | ransomware is a common problem for AWS customers, stemming from two common exploit vectors: (1) A traditional ransomware attack against instances in AWS. The attacker compromises an instance (often via phishing a user/admin, not always direct compromise), then installs their malware to encrypt the data and spread to other reachable instances. This is really no different than ransomware in a data center since it doesn’t involve anything cloud-specific. (2) The attacker copies data out of an S3 bucket and then deletes the original data. This is the most commonly seen cloud native ransomware on AWS. |
| AWS: AWS CIRT announces the release of five publicly available workshops | Over the past year, AWS CIRT has responded to hundreds of such security events, including the unauthorized use of AWS Identity and Access Management (IAM) credentials, ransomware and data deletion in an AWS account, and billing increases due to the creation of unauthorized resources to mine cryptocurrency. |
| CheckPoint: Cyber Security Report 2022 | Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers |
| CrowdStrike: 2022 Global Threat Report | Cloud-related threats are particularly likely to become more prevalent and to evolve, given that targeted intrusion adversaries are expected to continue prioritizing targets that provide direct access to large consolidated stores of high-value data |
| CrowdStrike: Protectors of the Cloud eBook | CrowdStrike continues to see adversary activity in three particular areas concerning the cloud: (1) neglected cloud infrastructure that is slated for retirement yet still contains sensitive data; (2) a lack of outbound restrictions and workload protection to exfiltrate your data; (3) adversaries leveraging common cloud services to obfuscate malicious activity |
| Datadog: State of AWS Security 2022 | N/A |
| ENISA Threat Landscape 2022 | Cybercriminals target cloud services mostly in the following ways. • Exploiting cloud vulnerabilities: virtualisation infrastructure has been increasingly targeted (e.g. VMWare vSphere and ESXi platforms) by cybercriminals and especially by ransomware groups. • Using cloud services for hosting their infrastructure: cybercriminals take advantage of the highly scalable and reliable cloud infrastructure and use legitimate cloud services to bypass security controls by blending into normal network traffic. • Targeting cloud credentials: cybercriminals use social engineering attacks to harvest credentials for cloud services (e.g. Microsoft Office 365, Okta, etc.). • Exploiting misconfigured image containers: cybercriminals increasingly target poorly configured Docker containers and Kubernetes clusters. • Targeting cloud instances for cryptomining (e.g. TeamTNT group): security researchers have identified a cloud-focused toolset from the TeamTNT group. • Targeting cloud infrastructure (e.g. Azure AD), cloud application programming interfaces (APIs), and cloud-hosted backups by ransomware groups to infiltrate cloud environments and increase impact. |
| Expel: Q1 2022 Threat Report | Misconfigurations and exposed long-term credentials in Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounted for 3% of incidents. These incidents break down into two categories: (1) admins accidentally setting AWS S3 buckets to public; (2) threat actors gaining access to exposed long-lived credentials in AWS and GCP, which resulted in unauthorized access |
| Fidelis: 2022 AWS Cloud Security Report | For the 31% of organizations that experienced a security incident in the cloud, misconfiguration was the leading cause (28%), followed by inappropriately shared data (17%) and account compromise (15%). Exploited vulnerabilities account for 13% of incidents |
| GCP: July 2022 Cloud Threat Intelligence report | the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password ... close behind brute force attacks was the exploitation of vulnerable software |
| IBM: Cost of a Data Breach 2022 | 45% of breaches were cloud-based. Stolen or compromised credentials were the number one attack vector in the past two years. Following credentials, the next most common initial attack vectors were: second place, phishing (16% of breaches, $4.91M average cost); third place, cloud misconfigurations (15% of breaches, $4.14M average cost); fourth place, third-party software vulnerability (13% of breaches, $4.55M average cost) |
| IBM Security X-Force: 2022 Cloud Threat Landscape Report | Scanning for and exploiting vulnerable infrastructure was the most commonly observed initial access vector in cloud environments, based on X-Force responding to related cases. This vector represented the initial infection vector for 26% of cloud incidents. Stolen credential use was the second most observed at 9%. |
| (ISC)2: 2022 Cloud Security Report | We asked cybersecurity professionals about the cloud security threats that most concern them. Misconfiguration of cloud security remains the biggest cloud security risk according to 62% of cybersecurity professionals in our survey. This is followed by insecure interfaces/APIs (54%), exfiltration of sensitive data (51%) and unauthorized access (50%). |
| Orca: 2022 State of Public Cloud Security | N/A |
| Palo Alto Unit 42: Incident Response Threat Report 2022 | Nearly 65% of known cloud security incidents were due to misconfigurations. The main culprit? IAM configuration. |
| riskrecon: Cloud Risk Surface Report | N/A |
| Snyk: State of cloud security 2022 | 80% of organizations experienced a serious cloud security incident during the last year - 33% breach, 26% leak, 27% intrusion, 23% cryptomining |
| Trend Micro: 2022 Midyear Cybersecurity Report | 62% of the respondents admitted to having blind spots that weaken their security posture. 37% of the organizations also claimed to have the least insight into cloud assets. 35% said the same of their insights into networks, while 32% responded that they have the least insight into their end-user assets. |
| Wiz: 2022 cloud security threats report | Effectively, unintentionally exposed databases are one of the most common sources of data breaches |
| GCP: GCAT Threat Horizons January 2023 | The most common cloud compromise factors from Q3 2022 include Weak or No Credentials (41.1%), API Compromise (19.6%), Software issue (17.9%), and Misconfiguration (16.1%) |
| Wiz: State of the Cloud 2023 | In experiments we ran where we created S3 buckets ... we spotted attempts to list the contents of the S3 buckets in as little as 13 hours |
| Permiso: 2022 - End of Year Observations | All of the incidents we detected and responded to were a result of a compromised credential ... GitHub is still one of the primary sources ... The majority of exposed keys live in three main file types: APKs, Windows binaries, plain text files |
| GCP: GCAT Threat Horizons April 2023 | The most common cloud compromise factors from Q4 2022 include Weak or No Credentials (47.8%), API Compromise (19.6%), Software issue (13.0%), and Misconfiguration (10.9%) |
| Orca: 2023 Honeypotting in the Cloud Report | SSH honeypot within 4 minutes, but no attempts to use planted key. S3 bucket within 1 hour, key within 8 hours. Docker image never downloaded. ECR public registry accessed after four months. Elasticsearch scanned, but no attempts to use planted key. Public EBS backup never downloaded. Redis accessed after 2.5 hours, but no attempts to use planted key |
| Laminar: State of Public Cloud Data Security Report 2023 | More than three-fourths (77 percent) of respondents said their organization’s public cloud data has been accessed by an adversary in the last 12 months |
| GCP: GCAT Threat Horizons August 2023 | The most common cloud compromise factors from Q1 2023 include Weak or No Credentials (54.8%), Misconfiguration (19%), Sensitive UI or API exposure (11.9%) |
| CrowdStrike: 2023 Threat Hunting Report | 160% increase in attempts to abuse cloud instance metadata APIs. 95% increase in cloud exploitation in 2022. 3X increase in cases involving cloud-conscious threat actors in 2022. |
| Dig Security: The State of Cloud Data Security 2023 | More than 7% of storage services containing sensitive data are public. More than 60% of storage services are not encrypted at rest, and almost 70% lack comprehensive logging. |
| CrowdStrike: 2023 Cloud Risk Report | "Cloud-conscious threat actors primarily gained initial access to the cloud by using valid existing accounts, resetting passwords or exploiting public-facing applications" |
| Wiz: I know what you mined last summer | Six cases via Open Jupyter Notebook, two via Unpatched Apache Solr. XMRig, CCminer, and XMR-Stak-RX deployed. |
| GCP: GCAT Threat Horizons October 2023 | The most common cloud compromise factors from Q2 2023 include Weak or No Credentials (54.3%), Misconfiguration (15.2%), Sensitive UI or API exposure (15.2%), Vulnerable Software (10.9%). ~70% of attacks are intended to facilitate coin mining. |
| GCP: GCAT Threat Horizons H1 2024 | The most common cloud compromise factors from 2023 include Weak or No Credentials (51.1%), Misconfiguration (17.3%), Sensitive UI or API exposure (13.7%), Vulnerable Software (11.5%). ~66% of attacks are intended to facilitate coin mining. ~25% of attacks are intended to then target third parties. |
| Palo Alto Unit 42: Incident Response Threat Report 2024 | "we’ve seen an increase in incident responses involving cloud cases, from 6% in 2021 to 16.6% in 2023." "Visibility gaps also led to unnecessary resource exposure, such as internet-exposed remote desktops or inadequately secured cloud workloads. These exposures contributed to 9.6% of cases." |
| CrowdStrike: 2024 Global Threat Report | Cloud environment intrusions increased by 75% YoY. 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime. |
| Cado: H2 2023 Cloud Threat Findings Report | Attackers are getting more sophisticated around Docker, Jupyter, etc. Docker is ~90% of non-SSH honeypot traffic. Diversifying (non-cryptojacking) objectives. |
| AWS, Ben Fletcher: Security Lessons Learnt From The Cloud Frontline | Leaked credentials are the initial vector in 66% of incidents, 33% of these credentials are root. 13% of incidents are public EC2 instances. The goals are resource hijacking, ransom (delete + extort), and scorched earth |
| Red Canary: 2024 Threat Detection Report | Cloud Accounts was the fourth most prevalent ATT&CK technique we detected this year, increasing 16-fold in detection volume and affecting three times as many customers as last year ... expanded use of phishing kits and infostealers to collect credentials and/or MFA-signed access tokens |
| GCP: GCAT Threat Horizons H2 2024 | The most common initial vectors in H2 2024 include Weak or No Credentials (47.2%) and Misconfiguration (30.3%). ~59% of attacks are intended to facilitate coin mining. ~23.5% of attacks are intended to then target third parties. |
| Orca: 2024 State of Public Cloud Security | "87% of cloud malware attacks are via known Trojans." |
| Crowdstrike, Sebastian Walla: Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) | ~250 cloud cases in 2023, 1/3 of which involve "cloud-conscious" threat actors, Initial access: Valid Accounts (28%), Exploit Public-Facing Application (16 %) |
| Sysdig: 2024 Global Threat Report | "Many of the attacks Sysdig TRT captured this year were motivated by income generation and free access to otherwise expensive resources". LLMJacking "can run victims over $100,000 daily" |
| Expel: Quarterly Threat Report (QTR) for Q3 2024 | "Incidents in cloud infrastructures (AWS, GCP, Azure, and Kubernetes) made up only 2% of the total incident volume. This has stayed consistent over the last few quarters" |
| Cowbell Insurance: Cyber Roundup Report 2024 | "Analysis relating to cloud provider usage found that businesses using Google Cloud report a 28% lower frequency of cyber incidents relative to other cloud users. In addition to a reduced frequency of incidents, Google Cloud exhibits the lowest severity of cyber incidents, while Microsoft Azure shows the highest." |
| Tenable: Cloud Risk Report 2024 | "38% of organizations have at least one cloud workload that is publicly exposed, critically vulnerable and highly privileged. 84.2% possess unused or longstanding access keys with critical or high severity excessive permissions." |
| GCP: GCAT Threat Horizons H1 2025 | The most common initial vectors in H1 2025 include Weak or No Credentials (45.7%) and Misconfiguration (34.3%), 17.1% API/UI compromise. "More than half (62.2%) of threat actor movements once they gained access involved attempting lateral movement within an environment and downloading tools designed for this purpose." |
| Expel: Annual Threat Report 2025 | "Attacks specifically targeting cloud infrastructure accounted for approximately 2% of threats, which was identical to 2023.", ~45% credential compromise, ~32% server-side exploitation, ~14% SSRF |
| Unit42: Global Incident Response Report 2025 | "86% of incidents that Unit 42 responded to involved business disruption", "in nearly one in five cases, data exfiltration took place within the first hour of compromise.", "A little less than one third of cases (29%) in 2024 were cloud-related." |
| Crowdstrike: Global Threat Report | "new and unattributed cloud intrusions increased 26% compared to 2023", "abusing valid accounts ... [accounted] for 35% of cloud incidents in the first half of 2024." |
| Mandiant: M-Trends 2025 | The most commonly observed initial infection vectors included email phishing (39%), stolen credentials (35%), SIM swapping (6%), and voice phishing or vishing (6%). Mandiant also noted use of prior compromise, exploits, third-party compromise, brute-force attacks, and malicious insiders (specifically North Korean IT workers applying for jobs under false pretenses) in order to gain access to cloud systems. Data theft was observed in nearly two-thirds of cloud compromises (66%). Over a third of cases (38%) served financially motivated goals, including data theft extortion without ransomware encryption (16%), business email compromise (BEC) (13%), and ransomware (9%) |
| Wiz: 2025 Cloud Attacks Retrospective | Phishing a top cause, 35% of breaches due to weaponized 1-day vulnerabilities |
| GCP: GCAT Threat Horizons H2 2025 | During the first half of 2025, weak or absent credentials were the predominant threat, accounting for 47.1% of incidents (Fig. 1). Misconfigurations (29.4%) and API/UI compromises (11.8%) followed as the next most frequently observed initial access vectors |
| CrowdStrike: 2026 Global Threat Report | Cloud-conscious intrusions rose 37% in 2025, with 266% increase among state-nexus actors. Valid account abuse accounted for 35% of cloud incidents. 42% of vulnerabilities exploited before public disclosure. Average eCrime breakout time fell to 29 minutes, fastest observed was 27 seconds. |
| Unit42: Global Incident Response Report 2026 | 20% of incidents involved cloud attack surface. 35% of investigations involved cloud or SaaS assets. "In one investigation, sensitive cloud credentials were found exposed in a public repository, expanding the paths attackers could use to reach cloud environments." Identity weaknesses were exploited in 89% of investigations. |
| GCP: GCAT Threat Horizons H1 2026 | Software exploitation (44.5%) overtook weak/no credentials as primary initial access vector for the first time. Identity compromise underpinned 83% of cloud compromises. Data targeted in 73% of incidents. Vulnerability-to-exploitation timelines collapsed from weeks to days. |