Almost all cloud users, roles, services, and resources grant excessive permissions, leaving organizations vulnerable to attack expansion in the event of compromise, a new report from Palo Alto's Unit 42 has revealed. The security vendor's research discovered that misconfigured identity and access management (IAM) is opening the door to malicious actors that are targeting cloud infrastructure and credentials in attacks.

The findings indicate that when it comes to IAM in the cloud, organizations are struggling to put good governance in place. The report also identifies five attack groups that have been detected targeting cloud environments and reveals their attack methods.

99% of cloud identities are too permissive

In Identity and Access Management: The First Line of Defense, Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts and over 200 different organizations to understand their configurations and usage patterns. It revealed that 99% of the cloud users, roles, services, and resources granted "excessive permissions" that were left unused for 60 days. Adversaries who compromise these identities can leverage such permissions to move laterally or vertically and expand the attack radius, the report read.

Unit 42's data showed that there were two times more unused or excessive permissions within built-in Content Security Policies (CSPs) compared to customer-created policies. "Removing these permissions can significantly reduce the risk each cloud resource exposes and minimize the attack surface of the entire cloud environment." However, cloud security is being hampered by poorly implemented IAM and credential management, the report stated.

Unit 42 said that misconfigurations are behind 65% of detected cloud security incidents, while 53% of analyzed cloud accounts allowed weak password usage and 44% allowed password reuse. What's more, almost two-thirds (62%) of organizations had cloud resources publicly exposed. "Misconfigurations within the identity user, role, or group policies within a cloud platform can significantly increase the threat landscape of an organization's cloud architecture," and these are vectors adversaries constantly seek to exploit, Unit 42 said. "All the cloud threat actors that we identified attempted to harvest cloud credentials when compromising a server, container, or laptop. A leaked credential with excessive permissions could give attackers a key to the kingdom."

Unit 42 identifies five attack groups targeting cloud infrastructure

Unit 42 detected and identified five threat actors leveraging unique escalation techniques and collecting credentials to directly target cloud service platforms. Of them, three performed container-specific operations including permission discovery and container resource discovery, two performed container escape operations, and all five collected cloud service or container platform credentials as part of their operating procedures. They are:

TeamTNT: Considered the most sophisticated cloud threat actor in terms of cloud identity enumeration techniques, this group's operations include lateral movement within Kubernetes clusters, establishment of IRC botnets, and the hijacking of compromised cloud workload resources to mine the Monero cryptocurrency.

WatchDog: While technically adept, this group is willing to sacrifice skill for easy access, Unit 42 said. It uses custom-built Go scripts as well as repurposed cryptojacking scripts from other groups (including TeamTNT), and it is an opportunistic threat group that targets exposed cloud instances and applications.

Kinsing: Another opportunistic cloud threat actor with heavy potential for cloud credential collection, this group targets exposed Docker Daemon APIs using GoLang-based malicious processes running on Ubuntu containers, and it has begun to expand its operations outside of Docker containers, specifically targeting container and cloud credential files contained on compromised cloud workloads.

Rocke: An "old-timer" group ramping up cloud endpoint enumeration techniques, Rocke specializes in ransomware and cryptojacking operations within cloud environments and is known for using the computing power of compromised Linux-based systems, typically hosted within cloud infrastructure.

8220: Rocke's cousin, this group is adopting containers into its target set. Tools commonly employed during its operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. The group is believed to have originated from a GitHub fork of the Rocke group's software.

IAM misconfigurations a common entry point

Unit 42 advised organizations to address IAM vulnerabilities to secure their cloud infrastructures. "Properly configured IAM can block unintended access, provide visibility into cloud activities, and reduce the impact when security incidents happen," it stated. "However, maintaining IAM in the most secure state is challenging due to its dynamic nature and complexity. Historically, IAM misconfigurations have been the entry point and pivot cybercriminals most commonly exploit."

To assist in the defense of cloud environments against threat actors, Unit 42 said organizations should implement cloud-native application protection platforms (CNAPP), focus on hardening IAM permissions, and increase security automation.
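The report's 60-day unused-permission finding and its closing advice to harden IAM permissions can be turned into an offline check like the one below. This is an added example, not code from Unit 42 or the report: it assumes an AWS-style JSON policy document and a constructed action-to-last-used map of the kind a provider's "last accessed" data would give, then lists grants not exercised in the window and the right-sized action list that a wildcard grant would shrink to.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed sample policy in the JSON shape AWS IAM uses (assumed; not taken from the report).
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # Deny never grants, ignored below
]}

# Constructed "last accessed" data: action -> when the identity last called it (None = never).
NOW = datetime(2022, 4, 20, tzinfo=timezone.utc)
SAMPLE_LAST_USED = {
    "s3:GetObject": NOW - timedelta(days=3),
    "s3:PutObject": NOW - timedelta(days=95),      # outside the 60-day window
    "ec2:DescribeInstances": NOW - timedelta(days=10),
    "iam:PassRole": None,                           # granted but never exercised
}

def granted_actions(policy):
    """Flatten every Allow statement into a list of action patterns, wildcards intact."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def recent_uses(pattern, last_used, cutoff):
    """Concrete actions covered by `pattern` (IAM '*'/'?' wildcards, case-insensitive) used since `cutoff`."""
    return sorted(a for a, t in last_used.items()
                  if fnmatch.fnmatchcase(a.lower(), pattern.lower()) and t is not None and t >= cutoff)

def unused_permissions(policy, last_used, now, window_days=60):
    """Split granted patterns into (used, unused); a wildcard counts as used if any covered action was."""
    cutoff = now - timedelta(days=window_days)
    used, unused = [], []
    for pattern in granted_actions(policy):
        (used if recent_uses(pattern, last_used, cutoff) else unused).append(pattern)
    return used, unused

def right_sized_actions(policy, last_used, now, window_days=60):
    """Least-privilege list: only concrete actions observed in the window, so 's3:*' collapses."""
    cutoff = now - timedelta(days=window_days)
    keep = set()
    for pattern in granted_actions(policy):
        keep.update(recent_uses(pattern, last_used, cutoff))
    return sorted(keep)
```

Note that `s3:*` is reported as "used" because one S3 call was made, which is why the right-sized list is the safer output to act on: it drops both the never-used `iam:PassRole` and the stale `s3:PutObject`.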