Cloud attacks are malicious activities that target cloud data and infrastructure. By exploiting cloud vulnerabilities, attackers try to access and tamper with cloud data by exfiltrating sensitive information or disrupting operations. It’s a pressing issue: Example attacks include the April 2024 attack on AT&T and the February 2024 attack on CISA.
So how do they happen? Cloud attacks occur through attack vectors: cloud vulnerabilities that serve as entry points for attackers to execute their malicious intentions.
Common attack vectors
Attack vectors provide the path of least resistance into a cloud system. Although several vectors exist, some are more common because they're easier to exploit. Let’s look at a few of these common vectors:
1. Cloud misconfigurations
Cloud misconfigurations are a hacker’s favorite because they create easy entry points into a system without the need for complex or advanced techniques. Organizations frequently leave storage buckets, virtual machines, or databases exposed on the internet due to oversight. Attackers are on the prowl for these kinds of leaky buckets—and once they’re found, they become vectors that let the attackers exfiltrate sensitive data, leading to a breach.
2. Stolen credentials
Stolen credentials are one of the oldest attack vectors, and in 2024, they were associated with 86% of security breaches in cloud networks. With credentials stolen from legitimate users via techniques like social engineering, attackers can escalate privileges if IAM roles are overly permissive.
3. Insecure APIs
APIs facilitate communication between applications and data centers, and that exposure makes them a common attack vector in cloud environments. Attackers exploit vulnerabilities such as broken object-level authorization (BOLA), broken authentication, and excessive data exposure to gain unauthorized access to cloud resources and sensitive data.
4. Third-party applications
Third-party applications are unavoidable, and any discrepancies between your security mechanisms and the external applications’ security mechanisms can transform them into vectors. (The Microsoft–CrowdStrike incident is a major example.) These security gaps create jackpots for attackers looking for weak links in the software supply chain. Exploiting these weak links to gain entry is only the start: Attackers usually pivot from the third-party service into more sensitive areas of the cloud environment to spread the attack.
5. Zero days
Zero-day attacks occur when attackers exploit previously unknown vulnerabilities before a fix is available. These attacks thrive where logging and detection capabilities are inadequate: they can persist undetected for extended periods, allowing attackers to exfiltrate data without tripping alarm bells.
Categorizing vectors using the MITRE ATT&CK matrix
MITRE ATT&CK is a comprehensive, open-source knowledge base that categorizes attacks into tactics, techniques, and procedures (TTPs). Tactics tell you the why of an attack; techniques outline how the attacker will do it, and procedures give a use-case of how the attacker will behave in the wild.
MITRE ATT&CK studies the real-world behavior of adversaries and uses the insights to develop detailed maps of how attackers execute cyberattacks, from initial access to impact. With the MITRE ATT&CK framework, organizations can identify patterns in malicious activity and apply defense measures.
Tactic | Technique | Subtechnique | Attack Vector | Detection | Mitigation |
---|---|---|---|---|---|
Initial Access | T1566 – Phishing | Spearphishing Attachment (T1566.001) | Phishing to steal admin credentials | Monitor application logs, files, and network traffic | Regular audits; antivirus/antimalware installation |
From the table above, you can visualize how an adversary seeking to gain initial access to a network (tactic) can use phishing (technique) to steal credentials to use as vectors in a cloud system. The matrix outlines phishing sub-techniques—such as Spearphishing Attachment (T1566.001)—to show how attackers can steal credentials, plus examples of how these techniques have been used in different instances.
The matrix guides you in adjusting your security structure to scan for and detect vectors and mitigate their chances of being exploited. In this instance, the matrix recommends monitoring application logs, files, and network traffic, followed by phishing mitigation strategies such as regular audits and antivirus/antimalware installation.
How do cloud attacks exploit attack vectors?
A cloud attack follows the Cyber Kill Chain and starts with an attacker doing a port scan of a cloud environment to identify potential vectors or exposed entry points. This reconnaissance involves scanning for publicly accessible cloud services, insecure APIs, misconfigured storage buckets, or compromised access controls. The attacker may use botnets to identify cloud services, seeking common vulnerabilities (for instance, exposed data or endpoints without proper authentication).
Once they identify a vulnerability, the attacker weaponizes it to gain initial access. In the case of compromised credentials, they might use stolen login details (which they’ve purchased or obtained through phishing or credential dumps) to authenticate their way into the cloud. If the attack vector is a misconfigured API, they may exploit it by sending special requests to access sensitive data or perform unauthorized actions.
Next, the attacker escalates their privileges inside the cloud to gain broader control over the environment. This escalation is executed by exploiting overly permissive IAM roles or misconfigured policies. Some may load their payload into the memory of a cloud workload or add a registry entry so that malware runs alongside normal system operations. By taking these actions, the attacker can secure and maintain access to a cloud command shell.
From there, the attacker moves laterally within the cloud infrastructure, accessing additional services, databases, or storage accounts until they have seen enough of the system to execute their intent. The kill chain closes with the attacker either achieving their goals and exiting the environment or staying hidden to exploit it further.
Types of cloud attacks
Cloud attacks target different segments of the cloud, and their severity varies. Types of cloud attacks include:
1. Account compromise
Account compromise occurs when an attacker manipulates a cloud infrastructure user into giving up their access credentials. The attack usually begins with phishing, in which the attacker sends a malicious email designed to trick the user into revealing their login credentials.
Regardless of the method used to obtain the credentials, the attacker gains access to the cloud infrastructure or logs into multiple cloud services. These attacks exploit the target's failure to adequately manage vulnerabilities and secure access per the shared responsibility model.
2. Account takeover (ATO)
Account takeovers occur when attackers gain unauthorized access to cloud accounts through stolen credentials, credential stuffing attacks, or session hijacking. Unlike phishing-based compromises, ATO often involves using leaked credentials or bypassing authentication controls through session token theft.
Next, the attackers use the credentials of privileged accounts, such as admin or service accounts, to rewrite access policies and escalate their privileges within the system. The attack may also involve kicking out other admins to prevent interference and maintain a persistent presence in the network.
These cloud attacks are effective because attackers impersonate legitimate users, exploiting trust relationships within the cloud environment to evade detection.
3. Distributed denial-of-service (DDoS) attacks
DDoS attacks flood cloud resources with excessive requests, often leveraging botnets, UDP amplification, or HTTP floods. While cloud providers implement mitigation strategies like rate limiting and auto-scaling, sophisticated DDoS attacks can still disrupt services by overwhelming API endpoints, exhausting database connections, or targeting cloud networking infrastructure.
While some cloud platforms are designed to absorb and respond to high traffic volumes, attackers can still exhaust resources or disrupt smaller-scale services. These attacks typically leverage botnets to send thousands or even millions of requests to cloud infrastructure, generating traffic spikes that cloud systems struggle to keep up with.
4. Man-in-the-cloud (MitC) attacks
Instead of stealing user credentials, man-in-the-cloud (MitC) attackers target synchronization tokens that provide access to cloud storage services such as Google Drive, Dropbox, or OneDrive. Once attackers get these tokens, they can impersonate the legitimate user, gaining persistent access to cloud data without triggering authentication alerts or requiring re-authentication.
MitC attacks exploit weaknesses in cloud synchronization mechanisms, bypassing traditional security measures that protect against unauthorized access. This attack technique is highly effective because it leverages the trust inherent in legitimate cloud services and synchronization processes.
Best practices to prevent and detect cloud attacks
Combating cloud attacks requires a proactive approach that's focused on implementing cloud security best practices. Here are the top 10 best practices:
1. Enforce Strong Identity and Access Management (IAM) Controls
Enable Multi-Factor Authentication (MFA) for all users—especially administrators and service accounts—to reduce credential-based attacks.
Use Conditional Access Policies to restrict logins based on location, device, or risk level.
Rotate API keys and credentials frequently and store them in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault).
Implement Just-In-Time (JIT) Access to grant users temporary elevated privileges instead of persistent access.
2. Continuously Detect and Remediate Cloud Misconfigurations
Deploy a Cloud Security Posture Management (CSPM) tool to automate misconfiguration detection and enforce security policies.
Regularly scan cloud environments for publicly exposed storage buckets, databases, and virtual machines.
Enable infrastructure-as-code (IaC) scanning to catch misconfigurations before deployment.
Enforce least privilege policies on IAM roles and cloud services to prevent privilege escalation attacks.
3. Strengthen API and Application Security
Use API gateways to enforce authentication and rate limiting on all cloud APIs.
Regularly scan APIs for vulnerabilities, such as broken object-level authorization (BOLA), broken authentication, and SSRF.
Implement OAuth 2.0, OpenID Connect (OIDC), and mutual TLS for strong API authentication.
Monitor API logs for unusual activity that could indicate credential stuffing or enumeration attacks.
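To make the BOLA weakness named here (and under vector 3 above) concrete, this added example, not code from Wiz or any real API, shows a constructed Python endpoint with the flaw beside its hardened form, plus the denial log that feeds the API monitoring this section calls for; the document store, the Forbidden class and DENIED_LOG are assumptions of the example.

```python
# Constructed in-memory store standing in for the cloud API's backing database.
DOCUMENTS = {
    "doc-1001": {"owner": "alice", "body": "Q3 financials"},
    "doc-1002": {"owner": "bob", "body": "HR review notes"},
}
# Denied requests are recorded here so they can be shipped to API log monitoring;
# a burst of denials for one caller is the enumeration signal mentioned above.
DENIED_LOG = []


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def get_document_vulnerable(caller, doc_id):
    """BOLA: the caller is authenticated, but nothing ties doc_id to the caller.
    Any signed-in user can read any document just by changing the identifier."""
    if caller is None:
        raise PermissionError("authentication required")
    return DOCUMENTS[doc_id]["body"]


def get_document_hardened(caller, doc_id):
    """Object-level authorisation: the lookup is bound to the caller's identity.
    Missing and foreign IDs raise the same error, so valid IDs cannot be enumerated
    by comparing 'not found' with 'forbidden' responses."""
    if caller is None:
        raise PermissionError("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != caller:
        DENIED_LOG.append({"caller": caller, "doc_id": doc_id})
        raise Forbidden(f"{caller} may not access {doc_id}")
    return doc["body"]


def is_denied(caller, doc_id):
    """True if the hardened endpoint refuses the request."""
    try:
        get_document_hardened(caller, doc_id)
        return False
    except Forbidden:
        return True


def denials_for(caller):
    """Count denied object requests by one caller (input for rate-based alerting)."""
    return sum(1 for entry in DENIED_LOG if entry["caller"] == caller)
```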
4. Proactively Detect Threats with Behavioral Analytics
Deploy User Entity and Behavior Analytics (UEBA) to detect suspicious logins, privilege escalations, and lateral movement.
Set up real-time alerting for anomalous activity, such as sudden changes in IAM roles or API traffic spikes.
Implement cloud-native detection and response (CDR) solutions to correlate security events across multiple cloud services.
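An added example of the alerting described in this section, not code from Wiz or any product: two detectors run over constructed CloudTrail-style events (field names simplified and assumed for the example), flagging a credential-stuffing burst from one address and then raising the severity of the IAM policy change that follows from the same address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (fields simplified, not real log data):
# one source IP fails logins for several users within seconds, then a login that
# succeeds is followed by an IAM policy attachment from the same address.
EVENTS = [
    {"time": "2024-05-01T10:00:01Z", "name": "ConsoleLogin", "user": "alice", "ip": "203.0.113.7", "ok": False},
    {"time": "2024-05-01T10:00:03Z", "name": "ConsoleLogin", "user": "bob", "ip": "203.0.113.7", "ok": False},
    {"time": "2024-05-01T10:00:04Z", "name": "ConsoleLogin", "user": "carol", "ip": "203.0.113.7", "ok": False},
    {"time": "2024-05-01T10:00:06Z", "name": "ConsoleLogin", "user": "dave", "ip": "203.0.113.7", "ok": False},
    {"time": "2024-05-01T10:00:09Z", "name": "ConsoleLogin", "user": "erin", "ip": "203.0.113.7", "ok": True},
    {"time": "2024-05-01T10:01:30Z", "name": "AttachRolePolicy", "user": "erin", "ip": "203.0.113.7", "ok": True,
     "policy": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"time": "2024-05-01T11:15:00Z", "name": "ConsoleLogin", "user": "alice", "ip": "198.51.100.2", "ok": True},
]

# IAM API calls that change who can do what; each one deserves at least a medium alert.
PRIVILEGE_CHANGE_EVENTS = {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy",
                           "PutUserPolicy", "UpdateAssumeRolePolicy", "CreateAccessKey"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=3):
    """Flag source IPs whose failed logins cover >= min_users distinct accounts
    inside any sliding window; one user mistyping a password does not trigger."""
    failures = defaultdict(list)
    for e in events:
        if e["name"] == "ConsoleLogin" and not e["ok"]:
            failures[e["ip"]].append((_ts(e["time"]), e["user"]))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append((ip, sorted(users)))
                break
    return alerts


def detect_privilege_changes(events, suspect_ips=frozenset()):
    """Flag IAM privilege changes; severity rises to 'high' when the change comes
    from an address already implicated by the credential-stuffing detector."""
    return [("high" if e["ip"] in suspect_ips else "medium", e["user"], e["name"], e.get("policy"))
            for e in events if e["name"] in PRIVILEGE_CHANGE_EVENTS]
```

Chaining the two, `detect_privilege_changes(EVENTS, {ip for ip, _ in detect_credential_stuffing(EVENTS)})`, is the kind of cross-source correlation the CDR bullet above refers to.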
5. Have a Clear Cloud Incident Response Plan
Predefine response actions for cloud-specific threats (e.g., credential theft, misconfigurations, API abuse).
Run breach simulations (tabletop exercises, red team drills) to test your team’s response.
Ensure forensic logging is enabled—logs should be centralized, immutable, and timestamped.
Preconfigure isolation steps—know exactly how to contain a compromised cloud workload before an attack happens.
6. Implement Zero Trust Security for Cloud Workloads
Apply microsegmentation to isolate workloads and prevent lateral movement in cloud networks.
Use identity-based authentication for workloads instead of static credentials.
Enforce strict least-privilege access policies across cloud workloads.
Implement continuous risk-based authentication (CRA) to dynamically adjust access permissions based on behavior.
7. Strengthen Cloud Backup and Disaster Recovery (BCDR)
Automate backups for critical cloud workloads and store them in multiple, geographically separate regions.
Use immutable backups to prevent ransomware from encrypting or deleting them.
Conduct regular disaster recovery (DR) drills to test recovery times and ensure preparedness.
Implement snapshots and versioning on cloud storage to mitigate data corruption risks.
8. Use Threat Intelligence to Strengthen Cloud Defenses
Map threat intelligence feeds to the MITRE ATT&CK framework to track adversary TTPs targeting cloud environments.
Continuously monitor dark web forums for leaked credentials tied to your organization.
Subscribe to cloud threat intelligence feeds (e.g., AWS Threat Intelligence, Mandiant, Wiz Research) to stay ahead of emerging attack patterns.
9. Apply Runtime Protection for Cloud Workloads
Deploy eBPF-based runtime security to detect suspicious behavior at the kernel level.
Monitor container runtime events to detect unauthorized modifications to running workloads.
Set up memory protection and syscall monitoring to catch fileless malware targeting cloud environments.
10. Conduct Continuous Red Teaming and Cloud Penetration Testing
Run automated cloud penetration tests to identify vulnerabilities before attackers do.
Conduct adversary emulation exercises using MITRE ATT&CK cloud tactics to test your defenses.
Implement purple teaming—collaborating between red teams (offense) and blue teams (defense) to fine-tune cloud security controls.
Stay ahead of cloud attacks with Wiz Defend
Wiz Defend is a cloud security platform that helps organizations patrol for and eliminate cloud attacks and attack vectors across their entire cloud platform.
Regardless of your current cloud security setup, you can integrate Wiz Defend to help you implement the best practices discussed in this article. Relevant use cases include:
Real-time visibility and control: The Wiz Security Graph allows organizations to identify and resolve their cloud vulnerabilities before they become attack vectors for adversaries.
Proactive threat detection and remediation: Equipped with an eBPF runtime sensor, Wiz Defend analyzes audit logs in real time to help you detect and isolate threats immediately.
Enhanced security posture: Wiz Defend protects you from being caught off guard by eliminating visibility blind spots, providing actionable recommendations to enhance your preparedness, and helping you understand how your telemetry collection aligns with MITRE ATT&CK coverage.
Ready to see how Wiz can help you prevent cloud attacks? Request a demo today!