
Cloud Security – External Threat Attack Surface

Understanding evolving threat actor tactics and implementing robust defenses against data exfiltration and identity exploitation

Suronex
July 3, 2025
18 min read

Critical Threat Alert

Cloud environments are facing an evolving threat from threat actors prioritizing data exfiltration, exploiting identity as the new perimeter, and adapting tactics to evade detection and attribution.

Despite the ongoing presence of ransomware and data theft risks, recent trends reveal a concerning shift. Threat actors are not only refining their tactics, techniques, and procedures (TTPs) within cloud environments, but they are also becoming more adept at obscuring their identities.

Current Threat Landscape

Global security and threat intelligence experts have identified the following critical threats in the current landscape:

Risks to Service Accounts

Over-privileged service accounts and lateral movement tactics are increasingly significant threats.

Identity Exploitation

Compromised user identities in hybrid environments can lead to persistent access and lateral movement.

Cloud Databases Under Attack

Threat actors are actively exploiting vulnerabilities and weak credentials to access sensitive information.

Increased Adaptability

Threat actors are leveraging Ransomware-as-a-Service (RaaS) offerings and adjusting tactics to evade detection.

Diversified Attack Methods

Threat actors use privilege escalation and charge costs against victim billing accounts to maximize profits.

Overprivileged Service Accounts: The New Attack Vector

Cloud security research highlights that threat actors are shifting focus. Instead of solely focusing on stealing user login information and exploiting misconfigurations, they are now targeting overprivileged service accounts—accounts that have more privileges than necessary.

Post-Initial Access: Threat Actor Activities

Lateral Movement: 62.2%
Insecure Private Keys Search: 13.7%
Access Token Manipulation: 11.3%
Other Activities: 12.8%

Data reveals 62.2% of post-access activities involve lateral movement attempts
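The two largest slices above, lateral movement and access token manipulation, often show up together in cloud audit logs as one service account minting tokens for another. The following detector is an added example, not code from the article: it walks constructed GenerateAccessToken records (the real Cloud Audit Logs method under iamcredentials.googleapis.com; every principal and the allowlist are invented) and reports both unsanctioned impersonations and multi-hop impersonation chains.

```python
"""Flag service-account impersonation chains in constructed audit records.
Added example, not code from the original article. GenerateAccessToken under
iamcredentials.googleapis.com is the Cloud Audit Logs method recorded when a
token is minted for a service account; the principals below are invented."""
from collections import defaultdict

SA = "@example.iam.gserviceaccount.com"  # constructed domain for short names
M = "GenerateAccessToken"
# Constructed audit records: caller minted an access token for target.
RECORDS = [
    {"ts": "2025-07-01T10:00:00Z", "method": M, "caller": "deploy" + SA, "target": "build" + SA},
    {"ts": "2025-07-01T10:00:30Z", "method": M, "caller": "build" + SA, "target": "db-admin" + SA},
    {"ts": "2025-07-01T10:01:00Z", "method": M, "caller": "db-admin" + SA, "target": "backup" + SA},
    {"ts": "2025-07-01T11:00:00Z", "method": M, "caller": "alice@example.com", "target": "reporting" + SA},
]
# Assumed allowlist of sanctioned impersonation pairs (who may mint for whom).
ALLOWED = {("deploy" + SA, "build" + SA), ("alice@example.com", "reporting" + SA)}


def unexpected_impersonations(records, allowed=ALLOWED):
    """(caller, target) pairs that mint a token outside the allowlist."""
    return [(r["caller"], r["target"]) for r in records
            if r["method"] == M and (r["caller"], r["target"]) not in allowed]


def impersonation_chains(records, min_hops=2):
    """Follow caller -> target edges. A target that then acts as caller is a
    hop of lateral movement; return every root-to-leaf path with >= min_hops."""
    edges = defaultdict(list)
    for r in records:
        if r["method"] == M:
            edges[r["caller"]].append(r["target"])
    targets = {t for ts in edges.values() for t in ts}
    roots = [c for c in edges if c not in targets]  # principals nobody minted for
    chains = []

    def walk(node, path):
        nexts = [n for n in edges.get(node, []) if n not in path]  # skip cycles
        if not nexts:
            if len(path) - 1 >= min_hops:
                chains.append(path)
            return
        for nxt in nexts:
            walk(nxt, path + [nxt])

    for root in roots:
        walk(root, [root])
    return chains
```

A chain whose first hop is sanctioned but whose later hops are not is exactly the pattern the 62.2% figure describes: one legitimate identity used as a stepping stone to several others.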

Mitigations for Service Account Protection

Reduce service account key risk

Consider alternative solutions to using service account keys to reduce this attack surface.

Restrict service account key creation

Use organization policies to restrict service account key creation and limit assigned roles.

Optimize IAM policies

Ensure only necessary services have access to critical assets and regularly review IAM policies.

Enhance internal threat monitoring

Reinvigorate lateral movement detection technologies and policies for internal-facing sensors.
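The first three mitigations above can be checked continuously rather than during an occasional review. The audit below is an added example, not the article's or any vendor's code: it reads a constructed IAM policy and key list shaped like `gcloud projects get-iam-policy` and `gcloud iam service-accounts keys list --format=json` output (all values invented), flags service accounts bound to broad roles, and flags user-managed keys older than an assumed 90-day limit. Disabling key creation outright is done with the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, which this script only recommends.

```python
"""Audit a constructed IAM policy for overprivileged service accounts and stale
user-managed keys. Added example, not from the original article; the policy,
keys and thresholds are constructed/assumed."""
from datetime import datetime, timedelta, timezone

# Roles that grant far more than a single workload needs, or enable pivoting.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountTokenCreator"}

POLICY = {"bindings": [  # constructed, shaped like get-iam-policy output
    {"role": "roles/editor", "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["serviceAccount:reader@example.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

KEYS = [  # constructed; keyType USER_MANAGED vs SYSTEM_MANAGED as in the API
    {"account": "ci", "keyType": "USER_MANAGED", "validAfterTime": "2025-01-01T00:00:00Z"},
    {"account": "reader", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2025-06-01T00:00:00Z"},
    {"account": "reader", "keyType": "USER_MANAGED", "validAfterTime": "2025-06-20T00:00:00Z"},
]


def overprivileged_service_accounts(policy, broad_roles=BROAD_ROLES):
    """(service account, role) pairs where a service account holds a broad role."""
    findings = []
    for binding in policy["bindings"]:
        if binding["role"] not in broad_roles:
            continue
        for member in binding["members"]:
            kind, name = member.split(":", 1)
            if kind == "serviceAccount":  # users are reviewed separately
                findings.append((name, binding["role"]))
    return findings


def stale_user_managed_keys(keys, now, max_age_days=90):
    """Accounts with a user-managed key older than max_age_days."""
    stale = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue  # Google-managed keys are rotated automatically
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if now - created > timedelta(days=max_age_days):
            stale.append(key["account"])
    return stale


def recommend_key_constraint(keys):
    """True if any user-managed key exists, i.e. enforcing
    constraints/iam.disableServiceAccountKeyCreation would have blocked something."""
    return any(k["keyType"] == "USER_MANAGED" for k in keys)
```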

The Boundary of Identity

As organizations extend the cyber boundary across a hybrid plane of on-premises systems, multiple clouds, and multiple Software-as-a-Service (SaaS) applications, the common "boundary" has shifted from the network perimeter to the identity plane.

Identity Compromise Methods

Identity compromise is no longer limited to password theft. Threat actors are now gaining access through:

Brute-forcing using common/guessable passwords
Replaying stolen credentials from previous breaches
Credential stuffing
Phishing and social engineering
SIM swapping
MFA fatigue (push/text-based notifications)
Adversary in the Middle (AitM) attacks
Targeted social engineering

Mitigations for Identity Protection

Strong Authentication with Attribute-based Validation

Geo-verification for where the authentication request was initiated
Identity risk reviews and verification (suspicious logins, leaked credentials, atypical travel)
Time-based access enforcement (Just-in-Time) or predefined session durations
Device state review and verification (pre-defined attributes, trusted health status)
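The four attributes listed above combine into a single sign-in decision. The evaluator below is an added example, not the article's or any identity provider's logic: it applies an assumed country allowlist, an atypical-travel check (great-circle distance between consecutive sign-ins divided by elapsed time), a device-trust attribute, and a bounded session lifetime, returning allow, step-up or deny. All thresholds, coordinates and sample sign-ins are constructed.

```python
"""Attribute-based sign-in evaluation. Added example, not from the original
article; the allowlist, thresholds and sample sign-ins are assumed."""
import math
from datetime import datetime, timedelta, timezone

ALLOWED_COUNTRIES = {"US", "CA"}          # assumed geo allowlist
MAX_SESSION = timedelta(hours=8)           # predefined session duration
MAX_PLAUSIBLE_KMH = 900                    # faster than this is atypical travel
MIN_TRAVEL_KM = 50                         # ignore moves within one metro area
UTC = timezone.utc

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def evaluate(request, previous):
    """request: dict with country, coords, time, device_trusted, mfa_passed.
    previous: the last accepted sign-in (country, coords, time) or None.
    Returns ('allow', session_expiry) or ('deny' | 'step_up', reason)."""
    if request["country"] not in ALLOWED_COUNTRIES:
        return "deny", "geo: country not in allowlist"
    if previous is not None:
        km = haversine_km(request["coords"], previous["coords"])
        hours = (request["time"] - previous["time"]).total_seconds() / 3600
        # Simultaneous or impossibly fast movement between distinct places.
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            return "step_up", f"atypical travel: {km:.0f} km in {hours:.1f} h"
    if not request["device_trusted"]:
        return "deny", "device: untrusted health status"
    if not request["mfa_passed"]:
        return "step_up", "mfa required"
    return "allow", request["time"] + MAX_SESSION

# Constructed sample sign-ins (New York, then Los Angeles one hour later).
PREV = {"country": "US", "coords": (40.71, -74.01), "time": datetime(2025, 7, 1, 9, tzinfo=UTC)}
REQ_TRAVEL = {"country": "US", "coords": (34.05, -118.24), "time": datetime(2025, 7, 1, 10, tzinfo=UTC),
              "device_trusted": True, "mfa_passed": True}
REQ_OK = {"country": "US", "coords": (40.73, -73.99), "time": datetime(2025, 7, 1, 12, tzinfo=UTC),
          "device_trusted": True, "mfa_passed": True}
REQ_GEO = {**REQ_OK, "country": "XX"}  # constructed code outside the allowlist
```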

Comprehensive Identity Incident Response

Enforcing mandatory MFA for an account if not already configured
Disabling and rotating credentials for an account
Revoking access tokens within the IdP/cloud platform(s)/accessible application(s)
Revoking cookies for authenticated identities within applications
Reviewing, revoking, and regenerating programmatic/long-lived identities
Reviewing registered devices and revoking any unauthorized/recently added devices
Reviewing enforced MFA methods and removing weak methods
Reviewing and revoking credentials/access for any newly registered applications

Database Security: Critical Cloud Protection

Threat actors are increasingly targeting databases, exploiting misconfigurations and vulnerabilities to gain access to sensitive information. Insecure databases containing critical business data and PII are particularly attractive targets.

Database Protection Best Practices

Secure private connections
Enable logging & monitoring
Use robust Identity and Access Management (IAM)
Proactively approach vulnerability management
Enhance data protection with Virtual Private Cloud (VPC) service controls

Threat Actor Spotlight: UNC2165

UNC2165: Ransomware and Data Theft Extortion

UNC2165 is a set of financially motivated threat actor activity dating to at least 2019 that abuses cloud services to host data exfiltrated from victim environments.

Attack Methodology

  • FAKEUPDATES infections for initial access
  • COLORFAKE.V2 in-memory dropper
  • MYTHIC post-exploitation framework
  • Cloud storage abuse for data exfiltration

Impact Scope

  • Nearly every industry affected
  • Global victim distribution
  • Links to Evil Corp operations
  • Evolving ransomware families

Growing Threat from Data Leak Sites

Security experts have observed threat actors increasingly extorting victim organizations by exposing their stolen data on Data Leak Sites (DLS). This tactic impacts organizations across multiple cloud service providers, not just those with on-premises systems.

EMBARGO DLS Activity

Data Exfiltration

Internal databases breached in ransomware attacks with personal data leaked on the dark web

Extortion Attempt

Victim blog posts created with company details, incident descriptions, screenshots, and data links

Comprehensive Protection Strategy

Prevention

  • Enroll in multifactor authentication (MFA)
  • Implement robust IAM policies
  • Use Security Command Center (SCC)
  • Enable proactive VM scanning

Detection & Response

  • Automated sensitive data monitoring
  • Monitor unexpected costs
  • Prevent data exfiltration
  • Cloud-specific backup strategy

Protect your cloud infrastructure from evolving threats

Discover how Suronex provides comprehensive protection against external threats with AI-powered threat detection, identity protection, and automated response capabilities.
