Elastic report: Azure outpaces AWS in 2024 cyber threats analysis

Elastic Security Labs has released its latest Global Threat Report, providing an in-depth examination of the rapidly changing threat landscape.

The report focuses on key vulnerabilities within cloud systems, malware detection across major operating systems, and the influence of generative artificial intelligence on cybersecurity.

The report includes a thorough analysis of potential security risks across various cloud platforms such as Microsoft Azure, Google Cloud, and Amazon Web Services (AWS). One significant finding highlights that credential access attempts accounted for more than 23% of all observed activity. This was closely followed by initial access, impact, and defence evasion activities.

For the first time, Microsoft Azure overtook AWS as the most common environment for anomalous signals, representing 64% of total events observed. This shift indicates a deeper integration of Microsoft data sources in hybrid cloud deployments. Additionally, there was a notable 21% increase in trojan malware, which now constitutes 82.03% of all malware detected.

The focus largely remains on Windows environments, accounting for 66.1% of all malware detections.

The report also highlights emerging cyber threat tactics such as AI-augmented phishing, deepfake scams, and adaptive malware development. These innovative methods demonstrate the evolving capabilities of cyber adversaries.

Raymond Schippers, Director of Security Engineering for Detection and Response at Canva, commented on the importance of the report. "The Elastic Global Threat Report is a great asset that ensures our threat detection stays laser-focused on real-world adversary activity. Understanding the top adversary techniques in the cloud is critical, and unlike other vendor reports that simply drop a name, Elastic's diamond models give us a fast, in-depth look at adversary movements, helping us stay ahead of the game," he said.

Key findings in the report indicate that adversaries are making use of off-the-shelf tools, with offensive security tools (OSTs) such as Cobalt Strike and Metasploit accounting for approximately 54% of observed malware alerts. Specifically, Cobalt Strike was involved in 27% of malware attacks.

The report also underscores the prevalence of misconfigured cloud environments, which provide opportunities for adversaries.

Nearly 47% of Microsoft Azure failures were linked to storage account misconfigurations. Similarly, nearly 44% of Google Cloud users failed checks related to BigQuery, specifically due to a lack of customer-managed encryption. For AWS, S3 checks accounted for 30% of failures, mainly due to the absence of multifactor authentication (MFA) implementation.

Adversaries have increasingly turned to legitimate credentials to infiltrate systems, especially as defences against evasion improve. Credential access made up approximately 23% of all cloud behaviours, predominantly in Microsoft Azure environments. There was also a 12% increase in brute force techniques, making up nearly 35% of all techniques observed in Microsoft Azure. Endpoint behaviours, while small in percentage, were significant, with 89% involving brute-force attacks on Linux. Notably, there has been a 6% decrease in defence evasion tactics over the past year.

Jake King, head of threat and security intelligence at Elastic, highlighted the implications of these findings. "The discoveries in the 2024 Elastic Global Threat Report reinforce the behaviour we continue to witness: defender technologies are working. Our research shows a 6% decrease in defence evasion from last year. Adversaries are more focused on abusing security tools and investing in legitimate credential gathering to act on their objectives, which reinforces the need for organisations to have well-tuned security capabilities and policies," he stated.