Hackers Deploying Infostealers for Data and Credential Theft

In 2024, a notable increase in cyberattacks aimed at cloud infrastructures was documented, with malicious actors exploiting misconfigurations and single sign-on functionalities to deploy data and credential stealing malware.
According to an annual security report released by Google Mandiant, the number of breaches involving cloud components hit an unprecedented high. Mandiant attributed this surge in incidents to businesses transitioning from traditional on-premises setups to hybrid cloud environments without adequate security precautions.
Attackers are increasingly targeting centralized cloud assets protected by single sign-on systems. When compromised, these systems grant attackers extensive access and the ability to escalate privileges within the network. Mandiant emphasizes that the centralized nature of cloud identity and access management can give malicious actors quick, broad access, making it a single concentrated point of exposure.
In two-thirds of the cloud-related incidents that Mandiant investigated in 2024, data theft was identified as the primary motivation, while financial theft was the objective in 38% of cases. One such group, dubbed UNC3944, also known as 0ktapus or Scattered Spider, employs social engineering tactics to compromise its targets. This includes making calls to service desks to reset passwords and bypass multifactor authentication for privileged accounts.
Once they gain access, these attackers have been reported to exploit single sign-on solutions by linking a compromised account to all applications associated with a Single Sign-On (SSO) instance, thereby expanding their attack from internal systems to various cloud and Software as a Service (SaaS) applications.
In one documented case, UNC3944 utilized ransomware to encrypt a victim’s virtualized environment and misappropriated cloud synchronization tools to transfer sensitive data to external storage owned by the attackers. While ransomware remains a prevalent form of cybercrime globally, the deployment of info stealers for credential theft has also been substantially on the rise.
Another group under Mandiant’s surveillance, tagged as UNC5537, reportedly used stolen credentials likely acquired via info stealers to infiltrate a Snowflake client’s data. The attackers attempted to exfiltrate data for extortion purposes or for sale on underground forums. Similarly, the group known as Triplestrength was identified as selling compromised access to major cloud providers, including Google Cloud and AWS.
Among malicious actors, APT42, an Iranian threat group, has been noted for leveraging cloud services such as Google Sites and Dropbox in a campaign aimed at credential theft through deceptive login pages.
To help organizations fortify their cloud environments, Mandiant advocates adopting multifactor authentication methods, including hardware security tokens and mobile authenticator applications, as well as implementing strict password rotation policies and limiting the authentication capabilities of accounts. Additionally, establishing defined network restrictions is emphasized as a key security measure.
The incidents described above illustrate a recurring sequence of adversary tactics: initial access through social engineering, persistence via compromised single sign-on processes, and privilege escalation granting expansive control within the targeted environments, all of which align closely with the MITRE ATT&CK framework.