
In most cloud environments, identity and access management (IAM) is the first line of defense against threats. A 2021 study conducted by Forrester Consulting for ForgeRock and Google Cloud found that more than 80% of global IT decision makers have already adopted, or plan to adopt or expand, cloud-based identity and access management initiatives over the next two years. The idea behind IAM is that every user or device has one digital identity on services they need to access. Once that digital identity has been established, it must be maintained, modified and monitored throughout each user’s or device’s access lifecycle. It is the most critical and complex component that governs the authentication and authorization of every resource in a cloud environment.

New cloud threat research from Unit 42, Palo Alto Networks' threat intelligence team, reveals several security issues caused by poor permission handling and misconfiguration, which leave the door wide open for threat actors.

99% of digital identities are too permissive

In cloud environments, which are often composed of hundreds or thousands of workloads, every device or machine identity is a potential risk to the cloud infrastructure. The number of credentials needed for different services generally grows over time and makes it difficult to manage identity access control efficiently.

Palo Alto Networks’ Unit 42 studied 680,000 cloud users, roles and services, and found that 99% of cloud identities were overly permissive. To arrive at that staggering percentage, the researchers considered a cloud identity overly permissive if it had been granted permissions that went unused in the past 60 days. Threat actors who gain initial access can abuse these unused permissions to move laterally or vertically inside the infrastructure, so every unused permission increases the attack surface.
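The 60-day criterion above is easy to apply to your own inventory once you have, for each identity, the services its policies grant and the last time each service was actually used. The following added example (not Unit 42's tooling, and not code from the report) implements that classification over a small constructed dataset; the record layout is an assumption loosely modelled on the "service last accessed" data cloud providers expose, and the identity names are invented.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed sample data (an assumption, not real inventory): for each identity,
# the services its policies grant, mapped to the last time that service was used.
# None means the permission exists but has never been exercised.
NOW = datetime(2022, 4, 15, tzinfo=timezone.utc)

IDENTITIES: dict[str, dict[str, datetime | None]] = {
    "role/ci-deploy": {
        "s3": NOW - timedelta(days=3),
        "lambda": NOW - timedelta(days=10),
        "iam": None,                          # granted, never used
        "ec2": NOW - timedelta(days=120),     # last used well outside the window
    },
    "user/alice": {
        "s3": NOW - timedelta(days=1),
        "dynamodb": NOW - timedelta(days=59), # just inside the window
    },
    "role/legacy-admin": {
        "s3": None, "ec2": None, "iam": None, "rds": None,
    },
}


def unused_services(granted: dict[str, datetime | None], now: datetime,
                    window_days: int = 60) -> list[str]:
    """Return the granted services that were not used inside the trailing window.

    A service that was never used counts as unused; one used exactly at the
    window boundary counts as used.
    """
    cutoff = now - timedelta(days=window_days)
    return sorted(svc for svc, last in granted.items()
                  if last is None or last < cutoff)


def overly_permissive(identities: dict, now: datetime,
                      window_days: int = 60) -> dict[str, list[str]]:
    """Map each overly permissive identity to the services it could safely lose.

    Identities whose every granted service was used inside the window are omitted.
    """
    flagged: dict[str, list[str]] = {}
    for name, granted in identities.items():
        unused = unused_services(granted, now, window_days)
        if unused:
            flagged[name] = unused
    return flagged


def permissive_ratio(identities: dict, now: datetime, window_days: int = 60) -> float:
    """Fraction of identities flagged as overly permissive (the report's headline metric)."""
    if not identities:
        return 0.0
    return len(overly_permissive(identities, now, window_days)) / len(identities)


if __name__ == "__main__":
    for name, unused in overly_permissive(IDENTITIES, NOW).items():
        print(f"{name}: unused in last 60 days -> {', '.join(unused)}")
    print(f"{permissive_ratio(IDENTITIES, NOW):.0%} of identities are overly permissive")
```

The output of `overly_permissive` is the removal list for the first hardening recommendation later in the article: each flagged service is a permission the identity has demonstrably not needed. In practice you would feed it real last-accessed data and review the window (60 days is the report's choice; infrequent but legitimate tasks such as quarterly restores may need a longer one before you revoke).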


Misconfiguration in IAM makes life easier for attackers

According to Palo Alto Networks, 65% of observed security incidents are due to misconfiguration.

53% of the cloud accounts studied allowed weak IAM passwords, meaning passwords of fewer than 14 characters. In addition, 44% of the accounts allowed IAM password reuse. Weak passwords are vulnerable to brute-force attacks, and old passwords should not be reusable, in case an attacker obtains old data that reveals one of them.

Cloud service provider (CSP) managed policies are convenient because they can be applied quickly, but they tend to be too general and grant many unnecessary permissions. On average, CSP-managed policies grant 2.5 times more permissions than customer-managed policies.

In particular, Administrator policies are among the top three granted managed policies (Figure A).

Figure A: Most frequently used CSP-managed policies. Source: Palo Alto Networks

Five cloud threat actors exposed

Palo Alto Networks researchers have curated a list of five cloud threat actors that are directly targeting cloud services platforms.


Historically the first threat actor to have actively targeted cloud credential files on compromised workloads, TeamTNT is considered the most sophisticated cloud threat actor in terms of cloud identity enumeration techniques.

TeamTNT has been witnessed enumerating cloud platform services, making lateral movements within Kubernetes clusters, establishing IRC botnets and hijacking compromised cloud workload resources to mine Monero cryptocurrency. TeamTNT is also known for infecting Docker images to spread malware.


This cloud threat actor uses a variety of scripts written in Go, as well as cryptojacking scripts repurposed from other groups, including TeamTNT. It is an opportunistic threat actor with technically adept programmers, but according to Palo Alto Networks “they are willing to sacrifice skill for easy access.”


The name of this threat actor comes from the fact that it uses a directory named “kinsing” to store its cryptocurrency mining malware. The threat actor targets exposed Docker daemon APIs using Go-based malicious processes running on Ubuntu containers. It has begun to expand its operations beyond Docker containers, specifically targeting container and cloud credential files stored on compromised cloud workloads.


Rocke specializes in ransomware and cryptojacking operations within cloud environments. It also has the skills to disable and remove cloud security tools from compromised cloud servers. In August 2019 it was reported to have compromised 28.1% of organizations with cloud infrastructure.


This threat actor is focused on cryptocurrency mining and is believed to have originated from a GitHub fork of the Rocke threat actor’s software. Starting in December 2021, it expanded its mining operations by scraping cloud service platform credentials through exploitation of Log4j.


More threat actors in the wild

In addition to the five threat actors above, Palo Alto Networks also reports that advanced persistent threat (APT) actors, which are often nation-state actors, employ cloud infrastructure when it suits their needs.

APT threat actors APT28 (aka Fancy Bear or Pawn Storm), APT29 (Cozy Bear) and APT41 (Gadolinium) have used cloud infrastructure in the past. The use of Kubernetes infrastructure to perform brute-force attacks, cloud container images compromised to spread malware and the use of cloud infrastructure to host command and control servers are a few ways these actors have used the cloud.


IAM permissions should be hardened carefully by:

  • Removing unused permissions for every user, role or service to significantly reduce risk and minimize the attack surface of the whole cloud environment.
  • Minimizing the use of Administrator credentials.
  • Enforcing multifactor authentication (MFA) before allowing sensitive operations: database or snapshot deletion, encryption key updates, backup handling, etc.

Regarding policies, the principle of least privilege should always be applied. Administrator access, in particular, should not be granted by default to entities.
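The Administrator-style managed policies called out earlier, the MFA recommendation in the list above and the least-privilege principle here can all be checked mechanically against a policy document. The following added example (not Palo Alto Networks' code, and not a cloud provider's tooling) parses two constructed policy documents written in AWS IAM JSON syntax: one mirroring the shape of a provider-managed administrator policy, and one customer-managed policy scoped to a single bucket that guards snapshot deletion with an MFA condition but forgets to guard key deletion. The bucket name and the list of "destructive" actions are assumptions chosen for illustration; the action names and the `aws:MultiFactorAuthPresent` condition key are real AWS identifiers.

```python
import json

# Actions treated as destructive for this example (an assumption; the real list
# is an organisational decision). These are genuine AWS action names.
DESTRUCTIVE_ACTIONS = (
    "rds:DeleteDBInstance",
    "rds:DeleteDBSnapshot",
    "kms:ScheduleKeyDeletion",
    "backup:DeleteBackupVault",
)

# Constructed policy 1: the shape of a provider-managed "administrator" policy.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed policy 2: a customer-managed least-privilege policy. It still
# allows two destructive actions, but only one of them is guarded by MFA.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},   # bucket name is invented
        {"Effect": "Allow",
         "Action": ["rds:DeleteDBSnapshot", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        # Deny snapshot deletion unless the caller authenticated with MFA.
        {"Effect": "Deny",
         "Action": "rds:DeleteDBSnapshot",
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})


def _statements(policy_doc: str) -> list:
    stmts = json.loads(policy_doc)["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: '*' matches everything, 'svc:*' a service prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def wildcard_grants(policy_doc: str) -> list[str]:
    """Return Allow actions that grant everything ('*') or a whole service ('svc:*')."""
    found = []
    for stmt in _statements(policy_doc):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                found.append(action)
    return found


def _mfa_guarded(stmt: dict) -> bool:
    """True for a Deny statement that applies only when MFA was NOT used."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(value).lower() == "false":
            return True
    return False


def destructive_without_mfa(policy_doc: str,
                            destructive=DESTRUCTIVE_ACTIONS) -> list[str]:
    """Destructive actions the policy allows that no MFA-conditioned Deny covers."""
    allowed, guarded = set(), set()
    for stmt in _statements(policy_doc):
        patterns = _as_list(stmt.get("Action", []))
        for action in destructive:
            if not any(_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Allow":
                allowed.add(action)
            elif stmt.get("Effect") == "Deny" and _mfa_guarded(stmt):
                guarded.add(action)
    return sorted(allowed - guarded)


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "wildcards:", wildcard_grants(doc),
              "destructive w/o MFA:", destructive_without_mfa(doc))
```

Run against the scoped policy, the checker reports `kms:ScheduleKeyDeletion` as allowed without an MFA guard, which is exactly the gap the MFA recommendation is about; against the administrator policy it reports the bare `*` grant and every destructive action at once. The checker deliberately ignores `Resource` and `NotAction`, so it is a triage aid for spotting Administrator-style grants, not a substitute for the provider's own policy simulator.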

A password policy should be enforced that allows only strong passwords, but the best practice for secure password handling is to federate identities or use single sign-on (SSO) to reduce the number of usernames and passwords in circulation.
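The password findings earlier in the article (minimum length below 14 characters, reuse allowed) translate directly into an account-level password policy check. The added example below (not from the report or from any cloud provider) audits a constructed weak policy and a constructed hardened one against those two thresholds plus a couple of widely recommended settings; the dictionary keys are the field names of the AWS IAM account password policy, while the threshold values are assumptions taken from the article and from common baselines.

```python
# Constructed policies in the shape of an AWS IAM account password policy.
# The first reflects the weak settings the report found common; the second is
# the hardened counterpart. Neither is copied from a real account.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    # PasswordReusePrevention deliberately absent: reuse is allowed
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Thresholds used by the audit (assumptions: 14 characters and "no reuse"
# come from the article; the reuse depth and character-class rules are a
# common baseline, not something the report prescribes).
MIN_LENGTH = 14
MIN_REUSE_PREVENTION = 24
REQUIRED_CLASSES = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)


def audit_password_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(f"weak: minimum length {length} < {MIN_LENGTH}")
    # Missing or zero means the provider will accept a previously used password.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < MIN_REUSE_PREVENTION:
        findings.append(f"reuse allowed: remembers {reuse} old passwords, "
                        f"want >= {MIN_REUSE_PREVENTION}")
    for key in REQUIRED_CLASSES:
        if not policy.get(key, False):
            findings.append(f"missing character class: {key}")
    return findings


def is_compliant(policy: dict) -> bool:
    return not audit_password_policy(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_password_policy(policy) or "compliant")
```

The weak policy fails on length, on reuse and on two character classes; the hardened one passes. Treating a missing `PasswordReusePrevention` as zero matters: in the provider's API the field is simply absent when reuse was never restricted, and an audit that only checks present keys would miss the 44% of accounts the report describes.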

Cloud-native application protection platform (CNAPP) software should be deployed to monitor cloud-based security events and raise alerts on them.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
