The Next Wave of Cloud Attacks: The Growing Threat of Stolen Credentials


As organizations continue to embrace cloud technology, they often overlook one of the most fundamental security risks: cloud credential theft. Securing the cloud itself has become a baseline requirement for operating today (see the recent CISA Binding Operational Directive 25-01, Implementing Secure Practices for Cloud Services). However, the theft and misuse of cloud credentials have become so common that they threaten to fuel the next wave of cloud-based cyberattacks, and it is a threat that organizations of all sizes must take seriously.

The Growing Problem of Stolen Cloud Credentials

Cloud credentials, such as API keys, long-lived access keys, session tokens, and service account secrets, are what a cloud provider's control plane uses to authenticate calls to its APIs, and they grant access to cloud resources and services. In an attacker's hands they provide a direct path into an organization's cloud infrastructure, often leading to significant data breaches, financial losses, and widespread disruption.

Recent security incidents highlight how easily attackers can steal cloud credentials and turn them to malicious use. Hackers recently stole over 15,000 cloud credentials by harvesting exposed Git configuration files. These files are often exposed unintentionally, for example when a repository is pushed to a public host or a `.git` directory is left reachable on a web server, and a `.git/config` can carry credentials directly, such as an access token embedded in a remote URL, alongside API keys and other secrets committed to the repository. This simple mistake gives attackers access to cloud environments without any need for sophisticated techniques.
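As an added example (not code from the original post), the following Python script scans repository files for the credential patterns such leaks typically contain: AWS access key IDs, AWS secret key assignments, and a user:token pair embedded in a Git remote URL. The file contents and credential values are constructed for the example; the AWS key pair is the documented AWS placeholder and the remote-URL token is made up.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for an accidentally exposed repository.
# Every credential value here is fake: the AKIA/secret pair is AWS's documented
# placeholder key, and the token in the remote URL is invented.
SAMPLE_FILES: Dict[str, str] = {
    ".git/config": """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:ghp_examplefaketoken0000000000000000@github.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
""",
    "config/settings.py": """AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = False
""",
    "README.md": "# app\nRun `make deploy`.\n",
}

# Each pattern captures the sensitive value in group 1 so the report can redact it.
PATTERNS = {
    # Long-lived (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # A 40-character secret assigned to the standard variable name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    # user:token@host embedded in a remote URL, the classic .git/config leak.
    "credential_in_url": re.compile(r"https?://[^/\s:@]+:([^@\s/]+)@"),
}


def redact(secret: str) -> str:
    """Keep only a short prefix so the scanner's own report never re-leaks the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per matched pattern occurrence, with line number and redacted value."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "value": redact(match.group(1)),
                })
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would over a checkout."""
    results: List[dict] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

Run as a pre-commit hook or CI step, a scanner like this blocks the push that would otherwise publish the key; the `.git/config` case matters because that file is never part of the committed tree, so repository-only scanning misses it while a web-exposed `.git` directory serves it to anyone.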

In addition to exposed Git files, threat actors have increasingly turned to malicious software packages as an attack vector. Attackers have been distributing malicious Python packages designed to extract AWS credentials from the machines they are installed on. These packages masquerade as useful libraries but, once installed, silently read credentials from the developer's machine, typically the standard locations the AWS SDKs use, such as environment variables and the ~/.aws/credentials file, and exfiltrate them. This attack method capitalizes on the trust developers place in open-source repositories and on the convenience of package indexes such as PyPI.

The ease with which cloud credentials can be obtained has led to a rise in cybercrime gangs targeting cloud environments. These gangs are actively stealing thousands of AWS credentials and selling them on underground forums or using them for ransomware attacks, data theft, and other malicious activities. To the cloud control plane a valid credential is a valid credential: API calls made with a stolen key are authenticated and logged as the legitimate principal, so perimeter controls see nothing wrong, and the only signals left are behavioral, such as where the calls come from, when they are made, and what actions they perform.

How Stolen Cloud Credentials Are Exploited

Once cybercriminals gain access to stolen cloud credentials, the potential for harm is immense. Attackers can use these credentials to:

  1. Steal Sensitive Data: Cloud platforms store vast amounts of sensitive data, including customer information, proprietary business data, and intellectual property. By gaining access to cloud environments, attackers can exfiltrate this data for sale on the black market or use it for extortion.
  2. Launch Ransomware Attacks: With access to cloud infrastructure, attackers can deploy ransomware, encrypt files, and demand ransom from organizations in exchange for decryption keys. This can cause significant downtime, operational disruption, and financial loss.
  3. Create New User Accounts or Escalate Privileges: Once in a system, attackers can create new user accounts with elevated privileges, giving them long-term access even if the stolen credentials are eventually discovered and revoked.
  4. Cryptocurrency Mining: Cybercriminals can also use cloud credentials to launch unauthorized cryptocurrency mining operations. This allows them to use an organization’s cloud resources for mining, which can result in high costs for the compromised organization.
  5. Launch Attacks on Other Organizations: With access to cloud services, attackers can also pivot to other organizations, for example by using customer data stored in the environment to craft convincing phishing and social engineering campaigns, or by reusing harvested passwords in credential-stuffing attacks.
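Each of the abuses above leaves traces in the provider's audit log. As an added example (not from the original post and not Skyhawk's product logic), the following Python detection runs three rules over a constructed sequence of CloudTrail-shaped events: a long-lived access key calling from a source IP never seen for it (the "looks like a legitimate user" problem from the previous section), IAM writes that create backdoor users, keys, or admin policy attachments (item 3), and compute launched in a region the organization does not use (item 4). The baseline IPs, allowed regions, and every event value are assumptions made up for the example, and `requestParameters` is simplified relative to real CloudTrail records.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Alert:
    severity: str
    rule: str
    actor: str
    event_name: str
    source_ip: str


# Constructed baseline and policy (assumptions for the example, not real data):
# source IPs already known for each long-lived key, and the regions the org uses.
BASELINE_IPS: Dict[str, Set[str]] = {"AKIAIOSFODNN7EXAMPLE": {"203.0.113.10"}}
ALLOWED_REGIONS: Set[str] = {"us-east-1", "eu-west-1"}

# IAM write events that grant persistence or elevate privileges.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                      "UpdateAssumeRolePolicy"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def make_event(name: str, source: str, region: str, ip: str, params: dict = None) -> dict:
    """Build a CloudTrail-shaped record; all values are made up for the example."""
    return {"eventName": name, "eventSource": source, "awsRegion": region,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                             "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
            "requestParameters": params or {}}


# Constructed sequence: legitimate use, then the same key from a new IP doing
# reconnaissance, creating a backdoor admin user, and starting GPU compute in a
# region the organization never uses. requestParameters is simplified.
EVENTS: List[dict] = [
    make_event("ListBuckets", "s3.amazonaws.com", "us-east-1", "203.0.113.10"),
    make_event("GetCallerIdentity", "sts.amazonaws.com", "us-east-1", "198.51.100.77"),
    make_event("CreateUser", "iam.amazonaws.com", "us-east-1", "198.51.100.77",
               {"userName": "svc-backup"}),
    make_event("AttachUserPolicy", "iam.amazonaws.com", "us-east-1", "198.51.100.77",
               {"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    make_event("CreateAccessKey", "iam.amazonaws.com", "us-east-1", "198.51.100.77",
               {"userName": "svc-backup"}),
    make_event("RunInstances", "ec2.amazonaws.com", "ap-southeast-1", "198.51.100.77",
               {"instanceType": "p3.16xlarge"}),
]


def detect(events: List[dict], baseline_ips: Dict[str, Set[str]],
           allowed_regions: Set[str]) -> List[Alert]:
    """Apply the three rules in event order and return the alerts raised."""
    seen_ips = {key: set(ips) for key, ips in baseline_ips.items()}  # never mutate the baseline
    alerts: List[Alert] = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId")
        actor = ident.get("userName") or ident.get("arn", "unknown")
        ip = ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}

        # Rule 1: a known long-lived key shows up from a source IP never seen for it.
        # A stolen key is indistinguishable from its owner except for where it calls from.
        if key in seen_ips and ip not in seen_ips[key]:
            alerts.append(Alert("medium", "key_from_new_ip", actor, name, ip))
            seen_ips[key].add(ip)  # one alert per new IP, not one per API call

        # Rule 2: persistence or privilege escalation through IAM writes;
        # attaching AdministratorAccess is the worst case and rated critical.
        if name in PERSISTENCE_EVENTS:
            severity = "critical" if params.get("policyArn") == ADMIN_POLICY else "high"
            alerts.append(Alert(severity, "iam_persistence", actor, name, ip))

        # Rule 3: compute launched outside the regions the organization uses,
        # the usual shape of cryptomining on stolen credentials.
        if name == "RunInstances" and ev.get("awsRegion") not in allowed_regions:
            alerts.append(Alert("high", "compute_in_unused_region", actor, name, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE_IPS, ALLOWED_REGIONS):
        print(f"[{alert.severity}] {alert.rule}: {alert.actor} {alert.event_name} from {alert.source_ip}")
```

In production the per-key IP baseline would be learned from history rather than written as a literal, and the first rule would also weigh the user agent and the service called, since `sts:GetCallerIdentity` from an unfamiliar address is a common first call with a freshly stolen key. The point of the sequence is that none of the individual calls is malformed or denied; only the change in origin and the IAM writes that follow distinguish the attacker from the legitimate principal.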


Conclusion: A Growing Threat

Cloud credential theft is an escalating threat that organizations must take seriously. As cloud-based services continue to grow in popularity and sophistication, cybercriminals are increasingly targeting cloud environments to exploit stolen credentials for a wide range of malicious purposes. Whether through exposed Git files, malicious software packages, or other means, the risks posed by credential theft are too great to ignore.

Organizations must act now to strengthen their cloud security defenses. By implementing least-privilege access controls, preferring short-lived credentials over long-lived access keys, enforcing multi-factor authentication, scanning code and configuration for committed secrets, educating staff, and continuously monitoring cloud audit logs for anomalous use, businesses can reduce the risk of credential theft and limit the damage when it happens. The next wave of cyberattacks is here, and stolen cloud credentials are at the heart of it. It is time for organizations to take proactive steps to secure their cloud environments before they become the next target.
