THREAT RESEARCH

Unit 42 Cloud Threat Report, 2H 2020

Learn how common misconfigurations can undermine enterprise security
Introduction

Defense in depth starts with identity in the cloud

Cloud is now the dominant platform for enterprise application development. Based on data from the 2020 State of the Cloud Native Security Report, up to 64% of enterprise workloads will be in the cloud in just the next 24 months. As architectures shift to take full advantage of cloud native technologies, governing identity and access management (IAM) will become an even more critical component of cloud security. IAM policies across all cloud accounts must be constantly monitored and evaluated to determine the potential risk exposure to the business.

Palo Alto Networks Unit 42® cloud threat researchers have undertaken major new research on IAM in an ongoing effort to assess the security posture of cloud technologies. This latest report details the current identity landscape, the methods attackers use to silently perform reconnaissance, and the common threat actors themselves.

Matthew Chiodi
Chief Security Officer, Public Cloud
The complex picture of cloud IAM

Consider Figure 1 below, where the user account has access across three different cloud providers—each with its own unique roles and permissions. The governance challenge here comes from the sheer volume of user and machine roles combined with permissions and services that are created in each cloud account.

While many organizations attempt to enforce a least privilege model, this often breaks down quickly with multi-cloud complexity. All these variables make visibility into effective permissions challenging.

Figure 1: The complex picture of cloud IAM (one user account with distinct roles and permissions across three cloud providers)
RESEARCH TECHNIQUES

Uncovering identity flaws worth millions

During a Red Team exercise in the spring of 2020, Unit 42 researchers were able to compromise an AWS environment with thousands of workloads.

An "outside in" penetration, where Unit 42 researchers, posing as attackers with no authorization and no credentials, were able to gain access to internal resources through a misconfigured IAM trust policy.

An "inside up" style of attack, where Unit 42 researchers, posing as attackers, started with limited (non-administrative) access and escalated their privileges to include administrative access to the entire cloud environment.

Unit 42 researchers note that all misconfigurations found during the exercise were customer misconfigurations, not AWS platform security misconfigurations. AWS has tried its best to detect and alert users when an IAM trust policy is misconfigured. However, while IAM trust policies are secure by default, users can still override the policies and introduce insecure configurations. AWS also offers its free IAM Access Analyzer to help identify unintended access to resources and data that are shared with an external entity.
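As an added illustration of the kind of trust-policy review the paragraph above calls for (example code written for this page, not part of the Unit 42 report or of IAM Access Analyzer), the following audits role trust policies for the two patterns that open a role to outside identities: a wildcard principal, and a cross-account principal with no Condition. The account IDs and the external ID are constructed placeholders.

```python
import json

# Constructed sample trust policies; account IDs and external ID are placeholders.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
CROSS_ACCOUNT_NO_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """Flatten the Principal element ("*" or {"AWS"/"Service"/"Federated": ...})."""
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]

def _account_of(arn):
    """Account ID field of an IAM ARN, or None for non-ARN principals (e.g. services)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None

def audit_trust_policy(policy, own_account):
    """Return (severity, principal, reason) findings for a role trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue  # statement does not grant role assumption
        conditioned = bool(stmt.get("Condition"))
        for p in _principals(stmt.get("Principal", {})):
            if p == "*":
                findings.append(("CRITICAL", p, "any AWS identity can assume the role"))
            elif _account_of(p) not in (None, own_account) and not conditioned:
                findings.append(("HIGH", p, "cross-account trust with no Condition"))
    return findings

if __name__ == "__main__":
    samples = [("open", OPEN_TRUST), ("cross-account", CROSS_ACCOUNT_NO_CONDITION),
               ("hardened", HARDENED_TRUST)]
    for name, doc in samples:
        print(name, json.dumps(audit_trust_policy(doc, "222222222222")))
```

In a real account the policy documents would come from the IAM API's list of roles rather than inline literals; the checks themselves are unchanged.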

KEY FINDINGS

Cloud identity flaws are difficult to detect

Why it Matters: Unit 42 researchers used a single misconfigured IAM trust policy to compromise an entire AWS environment. Taking advantage of this flaw, an attacker could launch any number of attacks against the organization, including DoS and ransomware, or even advanced persistent threats. Because they are difficult to detect, especially at scale, many identity defects go unnoticed, leaving organizations vulnerable to further attacks.

Identity misconfigurations lead to high-impact failures

Why it Matters: Once outside the development area, our researchers were able to identify and hijack a legitimate admin account and establish full control over the entire cloud environment. With the "keys to the kingdom," attackers could then launch multiple and varied attacks against the organization.

JAPAC and EMEA organizations display poor cloud identity hygiene

Why it Matters: Unit 42 researchers found that 75% of organizations in Japan and Asia-Pacific (JAPAC) and 74% of organizations in Europe, the Middle East and Africa (EMEA) using Google Cloud are running workloads with admin privileges. By contrast, only 54% of organizations in the Americas run with the same type of privileges. It is a best practice to limit user permissions to the bare minimum needed. Compromising a workload with admin privileges allows an attacker to move laterally across cloud resources, making it easier for them to perform attacks such as cryptojacking operations.

Top Threats

An ongoing look at cloud infrastructure threats

In addition to the latest findings on risks stemming from IAM misconfigurations, Unit 42 researchers present updates on cloud security trends, looking for clear indications of the overall security posture of cloud infrastructure.

Cryptojacking tool spotlight: an analysis of Kinsing

Unit 42 researchers provide an analysis of the cryptojacking tool Kinsing, with a detailed look at its worm-like capabilities and established use in cryptojacking operations around the world.

Cryptojacking continues to be a persistent threat for organizations

Unit 42 research shows cryptojacking to affect at least 23% of cloud-enabled organizations globally. Cloud environments are being targeted, with a focus on malicious cryptomining (also known as cryptojacking) operations.