Sysdig 2024 Global Threat Report

Cloud attackers work smarter, not harder
By Michael Clark - OCTOBER 22, 2024

SHARE:

We know that cloud attacks happen very quickly. Our 2024 global threat year-in-review, the third annual threat report from the Sysdig Threat Research Team (TRT), revisits the team’s hottest findings from the last 12 months and explores how they relate to the broader cyber threat landscape. This year’s report also includes informed predictions about 2025’s security outlook and potential trends.

In the 2023 Global Cloud Threat Report, Sysdig TRT discovered that telecommunications and financial sectors are most often the target of cloud attacks. The team also detailed multiple abused cloud services and targeted misconfigurations, and dove into malicious images hidden in supply chains. Most importantly, Sysdig TRT proved that on average, cloud attackers can go from initial access to impact in 10 minutes or less — a finding that has driven Sysdig’s prioritization of real-time threat detection and rapid response over the last year.

This year, the Sysdig Global Threat Year-in-Review explains how cybercriminals, driven by free cloud resources and financial motivations, quickly exploit cloud environments, often causing tens of thousands of dollars in resource consumption charges. Every section of the report identifies the open source tools that attackers are weaponizing as they capitalize on access to public-facing or stolen credentials and known vulnerabilities. Last, but certainly not least,  attackers have become comfortable in the cloud; with the right tools, access, and knowledge, attackers are focusing on leveraging automation to scale their campaigns with frightening efficiency.

As cloud computing becomes more integral to global businesses, understanding how attacks occur and how they can be mitigated is crucial. We’ll review some of this year’s highlights below, but you can read the full report for more details. 

The fast lane for hackers

One of the most striking findings from Sysdig’s 2024 report is how rapidly large-scale attacks can unfold. Cloud infrastructure, which promises agility and scalability for businesses, also offers these benefits to attackers. The speed of attacks — ranging from cryptojacking to DDoS — has become a major concern in recent years. However, with the ease of scalability in cloud environments, some campaigns can rack up $80,000 in victim costs in just a few hours.

Automated resource jacking has evolved. LLMjacking, identified by Sysdig in 2024, involves attackers stealing access to cloud accounts that host large language models (LLMs). These models, such as OpenAI’s GPT or Anthropic Claude, are highly valuable and expensive to operate, making them prime targets. This attack mirrors other resource-based exploits, such as cryptojacking, but comes with a significantly higher price tag.

The dark side of free tech

Sysdig TRT also observed a surge in attackers leveraging open source tools for malicious purposes. The report details a multitude of open source tools used by various actors for nefarious purposes. One notable campaign, CRYSTALRAY, weaponized a penetration testing tool to steal over 1,500 victims. The group’s open source tech stack exemplifies how attackers are blurring the lines between legitimate use and malicious activity, a technique that is becoming increasingly common as attackers seek to blend in with normal network activity.

The reign of botnets

One of the more shocking discoveries in 2024 was the exposure of the Romanian RUBYCARP botnet group. This group evaded detection for over a decade, likely due to its focus on custom tools and advanced persistence techniques. The botnet primarily targeted vulnerabilities in applications like Laravel and GitLab, and was highly effective due to its ability to adapt and stay under the radar. While most botnets are eventually identified and shut down, RUBYCARP’s operations showed how patience and stealth can lead to long-term success. The group’s financial gains from cryptomining, for example, have provided a steady stream of income over the years. One member amassed $22,800 in just two years, the equivalent of a respectable Romanian yearly salary!

This persistence speaks to the sophistication of today’s attackers playing the long game. By flying under the radar, they can continue to exploit systems without drawing too much attention.

Financial strain and rising costs for victims

This year’s report emphasizes the growing financial toll attacks take on cloud-based organizations. Breaches are not just becoming more frequent but also more costly. According to IBM’s Cost of a Data Breach Report 2024, the average cost of a data breach in 2024 was $5.17 million for cloud environments — $1 million more costly than the average on-premises breach.

The combination of rapid attacks, resource exploitation, and persistence means that businesses could face astronomical costs if they are not vigilant. For instance, the report details a new-wave cryptomining attack that racked up $22,000 per day in costs for the victim from the creation of thousands of cryptomining nodes. Meanwhile, an LLMjacking attack leveraging the Anthropic Claude 3 Opus model cost the victim $100,000 per day.

Bring in the defense

Sysdig TRT’s findings this year make it clear that defenders must continue adapting their strategies to match the changing speed and complexity of modern cloud threats. 

One of Sysdig TRT’s main recommendations is the adoption of real-time security. Since many attacks — particularly those targeting resources like LLMs or botnets — don’t leave obvious traces in traditional logs, real-time monitoring and alerting of anomalous runtime behavior is crucial.

Additionally, automation has become key for defenders. Just as attackers use automation to launch large-scale attacks, security teams need to leverage automation to detect anomalies and respond in real time. Security teams must understand and set baselines for typical usage patterns, so that deviations, like a sudden spike in LLM calls or cryptomining activity, can be immediately flagged for investigation.

Another important defense mechanism is cloud misconfiguration management. A significant portion of cloud breaches stem from simple misconfigurations that could be easily fixed with the right tools and practices. Continuous monitoring and auditing of cloud environments can help identify and resolve these vulnerabilities before attackers exploit them.

Conclusion

The Sysdig 2024 Global Threat Year-in-Review report paints a challenging but accurate picture of today’s security landscape. With attacks happening faster than ever, organizations must focus on speed, automation, and advanced threat detection to stay ahead. As attackers continue to leverage open source tools, exploit misconfigurations, and hijack resources, the need for robust, real-time cloud security solutions has never been more critical.

Subscribe and get the latest updates