Attacks against cloud-hosted infrastructure are on the rise. Organisations received over five times as many daily cloud-based alerts by the end of 2024 as they did at the beginning of the year, a report by cybersecurity company Palo Alto Networks shows.

As per the report, the greatest increases have been in high-severity alerts, which points to successful targeting of critical cloud resources. These resources include:

  • Identity and access management, wherein leaked credentials can compromise an organisation’s cloud infrastructure.

  • Storage, which contains sensitive data.

  • Virtual machines, which offer chances to attack internal services.

  • Containers, which allow attackers to run malicious containers.

IAM Tokens Under Threat

Cloud infrastructure’s defence perimeter is identity. Since IAM tokens and credentials are the keys to the cloud, attackers target them in order to move laterally. Palo Alto’s research showed that there were three times as many remote command-line access events utilising IAM tokens. Findings included:

  • A 116% increase in IAM-based “impossible travel event” alerts (i.e., login events from distant geographic areas within a narrow time window).

  • A 60% increase in IAM API requests from outside regions for compute resources (cloud virtual machines).

  • A peak 45% increase in the number of cloud snapshot exports during November 2024.

  • A 305% increase in the number of suspicious downloads of multiple cloud storage objects.

Large-Scale Attacks Using IAM

Palo Alto cited examples of cloud attacks leveraging leaked IAM login credentials. In a 2024 ransomware attack, over 90,000 credentials were successfully extracted from 110,000 targeted domains, along with around 1,200 cloud IAM login credentials. The threat actor then extorted numerous organisations using these credentials.

Another recent example is Storm-2077, a China-based threat actor that uses cloud IAM credential harvesting methods to gain and maintain access to victim cloud environments.

High-Severity Cloud Alerts Rising

Throughout 2024, high-severity cloud alerts rose by 235%, the report showed. The most significant increases in these warnings were 204%, 247%, and 122% in August, October, and December, with the biggest single-month jump (281%) occurring in May.

There was a sustained spike in medium-severity alerts in mid-2024. This included an initial 186% spike and a subsequent 24% increase, before a downward trend through December.

What Can Organisations Do?

The report makes several recommendations for enterprises to protect themselves against malicious cloud operations, including:

  • Implement cloud detection and response runtime monitoring.

  • Restrict the cloud platform regions in which compute and serverless functions are allowed to run.

  • Identify and prevent IAM service accounts from performing operations beyond their intended functions.

  • Ensure that cloud storage versioning and encryption are deployed for all cloud storage containers.
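The “impossible travel” alerts described above (sign-ins from distant locations within a narrow time window) are a typical output of the runtime detection monitoring the report recommends. The following is an added example, not code from the report or from Palo Alto Networks: it runs the check over a handful of constructed sign-in events whose field names (principal, time, lat, lon) are assumptions for this example rather than any provider's real log schema.

```python
"""Impossible-travel detector over constructed IAM sign-in events (hypothetical log format)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins: principal, UTC timestamp, approximate source geolocation.
# Field names are an assumption for this example, not any provider's real log schema.
SAMPLE_EVENTS = [
    {"principal": "svc-deploy", "time": "2024-11-03T09:00:00Z", "lat": 51.51, "lon": -0.13},   # London
    {"principal": "svc-deploy", "time": "2024-11-03T09:20:00Z", "lat": 51.50, "lon": -0.12},   # London
    {"principal": "svc-deploy", "time": "2024-11-03T09:45:00Z", "lat": 1.35, "lon": 103.82},   # Singapore
    {"principal": "alice", "time": "2024-11-03T08:00:00Z", "lat": 40.71, "lon": -74.01},        # New York
    {"principal": "alice", "time": "2024-11-03T17:30:00Z", "lat": 51.51, "lon": -0.13},         # London
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruise speed; faster implies credential reuse, not travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_distance_km=100.0):
    """One alert per consecutive pair of sign-ins whose implied speed is not physically possible.

    Pairs closer than min_distance_km are ignored so geolocation jitter inside one city
    does not fire, including the zero-elapsed-time case that would otherwise divide by zero.
    """
    by_principal = {}
    for ev in events:
        by_principal.setdefault(ev["principal"], []).append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (_parse_time(cur["time"]) - _parse_time(prev["time"])).total_seconds() / 3600
            speed = float("inf") if hours == 0 else dist / hours  # same second, far apart: infinite
            if speed > max_kmh:
                alerts.append({"principal": principal, "from": prev["time"], "to": cur["time"],
                               "distance_km": round(dist), "implied_kmh": round(speed) if hours else None})
    return alerts
```

On the sample data, `find_impossible_travel(SAMPLE_EVENTS)` flags only the svc-deploy London-to-Singapore pair (about 10,800 km in 25 minutes); alice's New York-to-London sign-ins 9.5 hours apart stay under the speed threshold and are not reported.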

Read more on Technology by NDTV Profit.