Primary Attack Vectors Persist

The speed and innovation of our cloud and AI age is undeniable. But opportunity comes paired with responsibility and risk, and the two sides of the cloud security challenge look markedly different. To keep cloud environments safe and secure, we need to examine introspectively how we can improve the internal people, processes and technology charged with cloud defense. We also need to understand the external threat landscape, including new and persistent threat actor capabilities and innovations.

To this end, SentinelOne has published two reports highlighting each side of the cloud security challenge coin:

  • The Cloud Security Survey Report presents insights from 400 cybersecurity managers and practitioners covering current cloud security operations, responsibilities, perceptions of technologies, and future investment plans.
  • The Cloud Security Risk Report details five emerging risk themes for 2025 with in-depth examples of attacks leveraging risks like cloud credential theft, lateral movement, vulnerable cloud storage, supply chain risks, and cloud AI services.

This is the first of three blogs that highlight key points of alignment and of contrast between the two reports: Primary Attack Vectors Persist, AI as a Novel Attack Surface & Novel Tool for Defenders, and Supply Chain Attacks Are the Hidden Threat in Your Cloud Pipeline.

A theme common to both reports is the need to get the basics of cloud security right, specifically managing and reducing cloud misconfigurations and limiting the compromise of cloud credentials. These remain the most common initial access points for threat actors, and a daily struggle for security teams.

Leaving The Door Unlocked | Cloud Misconfigurations

Cloud misconfigurations have been in the spotlight for security teams ever since Gartner opined in 2019 that “through 2025, 99% of cloud security failures will be the customer’s fault.” Despite cloud security technology innovation and multiple generations of Cloud Security Posture Management (CSPM) solutions, the challenge remains, and high profile breaches are still occurring due to basic misconfigurations.

The classic (almost clichéd) cloud misconfiguration seen time and again in headlines is cloud storage left public and unencrypted. Despite the fair warning and the prevalence of CSPMs, these breaches continue. Examples from the Risk Report include a December 2024 breach in which a misconfigured S3 bucket belonging to a Volkswagen software subsidiary leaked sensitive details of over 800,000 car owners. In the same month, the threat actor Nemesis, which specializes in credential theft and targets cloud storage, was found to have misconfigured its own S3 buckets.
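As an added example (not code from either SentinelOne report), the following Python check takes the three documents the S3 API returns for a bucket, in the shapes returned by get_bucket_policy, get_bucket_acl and get_bucket_encryption, and flags the two conditions behind that headline: data readable by anyone, and data stored without default encryption. The bucket name, policy and ACL are constructed; the account ID and role name are placeholders.

```python
"""Flag S3 buckets whose policy, ACL or encryption settings leave data public or unencrypted.

Added example, not taken from the SentinelOne reports. Inputs are plain dicts in the
shapes the S3 API returns (get_bucket_policy's Policy string, get_bucket_acl, and
either get_bucket_encryption's response or its ServerSideEncryptionConfiguration),
so the check runs offline on the constructed sample below.
"""
import json

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard_principal(principal):
    """True for the principal forms that mean 'anyone': "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy_json):
    """Allow statements granted to any principal. A Condition block (e.g. aws:SourceVpce)
    may scope the grant, so those are reported at medium for a human to confirm."""
    findings = []
    if not policy_json:
        return findings
    statements = json.loads(policy_json).get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        severity = "medium" if st.get("Condition") else "high"
        findings.append((severity, "policy allows any principal: " + ", ".join(actions)))
    return findings


def acl_findings(acl):
    """Legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append(("high", f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))
    return findings


def encryption_findings(encryption):
    """No ServerSideEncryptionConfiguration rules means objects are stored as written."""
    cfg = (encryption or {}).get("ServerSideEncryptionConfiguration", encryption or {})
    if not cfg.get("Rules"):
        return [("medium", "no default server-side encryption configured")]
    return []


def assess_bucket(name, policy_json, acl, encryption):
    """Combine the three checks; 'public' is true when a policy or ACL grant reaches anyone."""
    findings = policy_findings(policy_json) + acl_findings(acl) + encryption_findings(encryption)
    public = any(sev == "high" for sev, _ in findings)
    return {"bucket": name, "findings": findings, "public": public}


# Constructed sample: readable by everyone via policy and ACL, writes limited to one role, no encryption.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::customer-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::customer-exports/*"},
    ],
})
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_ENCRYPTION = {}  # pass this when get_bucket_encryption reports no configuration

if __name__ == "__main__":
    report = assess_bucket("customer-exports", SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_ENCRYPTION)
    for severity, message in report["findings"]:
        print(f"[{severity}] {report['bucket']}: {message}")
    print("public:", report["public"])
```

Two caveats when running this against real buckets: a wildcard policy statement is only live if Block Public Access (get_public_access_block) is off at the bucket and account level, otherwise it is a latent finding; and get_bucket_encryption raises an error rather than returning an empty document when no configuration exists, which is the case the empty dict above represents.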

On the topic of misconfigurations, the Cloud Security Survey gives some conflicting answers. When ranking the importance of cloud security capabilities, respondents placed CSPM second (first was Cloud Detection and Response, CDR). On efficacy, CSPM also ranked highly, tying for third place when respondents rated their organization’s satisfaction with their CSPM of choice, with a score of 4.22 out of 5.

So our chief weapon against cloud misconfigurations is widely seen as both vital and effective. This contrasts with respondents’ confidence in their organization’s ability to perform misconfiguration assessment, which ranks last of the eight cloud security functions listed, with a score of 3.98 out of 5.

A clue to the discrepancy may lie in prioritization and noise management. CSPMs are notoriously noisy, and the repeated structure of many cloud environments often produces cascading alerts for the same issue seen in multiple places. A massive 86.9% of respondents confirm they face challenges validating and prioritizing alerts and cloud events, and two-thirds (67.7%) agree they generate so much cloud security data that their teams struggle to reach actionable insights.

Looking forward, the nature of sophisticated cloud attacks will exacerbate the noise and prioritization problem. We see threat actors abusing misconfigurations in new ways, in particular by chaining misconfigurations together and by creating misconfigurations themselves.

Chains of Misconfigurations

As defenders become more adept at closing the door on obvious cloud breach opportunities, attackers are increasingly chaining minor, less significant misconfigurations together to enable deeper compromise and lateral movement within cloud environments. For an example of chained misconfigurations, refer to the fictional case study in the Risk Report of an e-commerce store built on Lambda functions.

This adaptation presents a new challenge for defenders. Security teams that work their CSPM findings from critical severity downward risk missing chains of lower-severity findings that, considered in context with each other, represent far greater risk.
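The point about severity-first triage can be shown with a small graph search. This is an added example and is not the Risk Report's Lambda case study: the findings, their standalone severities and the "enables" edges between them are constructed, where a real CSPM would derive the edges from resource relationships (which role a function runs as, which role a key can assume, which bucket a role can read).

```python
"""Find chains of individually unremarkable findings that together reach sensitive data.

Added example, not from the Risk Report and not its Lambda case study. The findings,
severities and 'enables' edges are constructed; a real CSPM would derive the edges
from resource relationships (which role a function runs as, which role a key can
assume, which bucket a role can read).
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings: id -> (standalone severity, description)
FINDINGS = {
    "fn-public-url": ("low", "Lambda function URL reachable without authentication"),
    "fn-env-secret": ("medium", "Lambda environment variable holds a long-lived access key"),
    "key-user-assume": ("low", "that key's IAM user may sts:AssumeRole into data-reader"),
    "role-s3-read": ("medium", "data-reader role has s3:GetObject on the orders bucket"),
    "bucket-orders": ("low", "orders bucket has no default encryption"),
    "sg-ssh-open": ("high", "security group allows 22/tcp from 0.0.0.0/0"),
}

# Constructed "enables" edges: abusing the source finding makes the target reachable.
EDGES = {
    "fn-public-url": ["fn-env-secret"],
    "fn-env-secret": ["key-user-assume"],
    "key-user-assume": ["role-s3-read"],
    "role-s3-read": ["bucket-orders"],
}

ENTRY_POINTS = {"fn-public-url", "sg-ssh-open"}  # reachable from the internet
CROWN_JEWELS = {"bucket-orders"}                  # findings that sit on sensitive data


def find_chains(edges, entries, jewels):
    """Depth-first search for every path from an entry point to a crown jewel."""
    chains = []

    def walk(node, path):
        path = path + [node]
        if node in jewels:
            chains.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # no revisits, so a cycle in the graph cannot loop forever
                walk(nxt, path)

    for entry in sorted(entries):
        walk(entry, [])
    return chains


def chain_report(findings, chains):
    """Longest chains first; max_standalone_severity is all a severity-sorted queue would see."""
    report = []
    for chain in chains:
        worst = max((findings[f][0] for f in chain), key=SEVERITY_RANK.__getitem__)
        report.append({"chain": chain, "length": len(chain), "max_standalone_severity": worst})
    return sorted(report, key=lambda r: -r["length"])


def triage_order(findings):
    """The naive queue: highest standalone severity first, ties in insertion order."""
    return sorted(findings, key=lambda f: -SEVERITY_RANK[findings[f][0]])


if __name__ == "__main__":
    print("severity-first queue:", triage_order(FINDINGS))
    for entry in chain_report(FINDINGS, find_chains(EDGES, ENTRY_POINTS, CROWN_JEWELS)):
        print(f"chain of {entry['length']} (worst standalone: {entry['max_standalone_severity']}):",
              " -> ".join(entry["chain"]))
```

On this constructed data the severity-first queue puts the open SSH security group at the top, yet that finding is part of no path to the orders bucket, while the five-step chain that does reach it never rises above medium on its own.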

Attacker-Driven Misconfigurations

Recent complex cloud attack campaigns have consistently involved adversaries introducing cloud misconfigurations as they modify or disable cloud services. For example, ScarletEel builds the automated disabling of cloud security services into its cryptomining campaigns. More commonly, threat actors create overly permissive roles (itself a common cloud misconfiguration) to ease lateral movement and discovery. One example is the large-scale extortion campaign (potentially the work of Nemesis, of the poor cloud storage habits noted above), in which the attackers deployed a series of Lambda functions to automate the creation of these misconfigured identities.

This raises an interesting challenge for cloud defenders: how to distinguish misconfigurations stemming from their organization’s own deployment choices from those that external or internal threat actors have caused. If your view of cloud misconfigurations is static, recording what exists but not when or how it came to be, this differentiation will be very difficult, if not impossible.
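The "when and how" view comes from the change log rather than from the current state. As an added example (not code from the reports), the following Python runs a small rule set over CloudTrail records and attaches the acting identity, source address and tooling to each posture-changing event. The records are constructed, including the account ID, role names and addresses, but use the real CloudTrail field names (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, userAgent, requestParameters), so the rules apply unchanged to records pulled from a real trail.

```python
"""Attribute posture-changing cloud events to the identity, time and source behind them.

Added example, not from the SentinelOne reports. The records below are constructed
but use real CloudTrail field names, so the same rules can be run over records
pulled from a real trail or from a CloudTrail Lake / SIEM export.
"""
import json

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# eventSource -> eventNames that weaken or disable a security service
DISABLING_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}


def _allows_everything(policy_document):
    """True if an (inline) policy has an Allow statement with Action "*" on Resource "*"."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    stmts = doc.get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        if st.get("Effect") != "Allow":
            continue
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def classify(record):
    """Return (tag, detail) for a record that changes security posture, else None."""
    name, source = record["eventName"], record["eventSource"]
    p = record.get("requestParameters") or {}
    if name in DISABLING_EVENTS.get(source, ()):
        return ("security-service-disabled", f"{name} on {p.get('name') or p.get('detectorId') or '?'}")
    if source == "iam.amazonaws.com":
        if name == "AttachRolePolicy" and p.get("policyArn") == ADMIN_POLICY:
            return ("overly-permissive-identity", f"AdministratorAccess attached to role {p.get('roleName')}")
        if name in ("PutRolePolicy", "PutUserPolicy") and _allows_everything(p.get("policyDocument", "{}")):
            return ("overly-permissive-identity",
                    f"allow-all inline policy {p.get('policyName')} on {p.get('roleName') or p.get('userName')}")
    if source == "s3.amazonaws.com" and name == "DeletePublicAccessBlock":
        return ("storage-exposed", f"public access block removed from bucket {p.get('bucketName')}")
    return None


def attribute_changes(records):
    """Timeline of posture changes, each carrying who made it, from where, and with what tooling."""
    timeline = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        hit = classify(r)
        if hit is None:
            continue
        who = r.get("userIdentity", {})
        timeline.append({"time": r["eventTime"], "tag": hit[0], "detail": hit[1],
                         "actor": who.get("arn") or who.get("type"),
                         "source_ip": r.get("sourceIPAddress"), "user_agent": r.get("userAgent")})
    return timeline


# Constructed sample: a deployment role creates a new role and grants it admin, and the
# new role is then used from an external address to stop the organization trail.
DEPLOY = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy-lambda-role/deploy"}
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-01T01:58:03Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.5", "userAgent": "console.amazonaws.com",
     "requestParameters": {"bucketName": "orders"}},
    {"eventTime": "2025-06-01T02:14:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": DEPLOY, "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "Boto3/1.34",
     "requestParameters": {"roleName": "svc-backup-9f2"}},
    {"eventTime": "2025-06-01T02:14:12Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": DEPLOY, "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "Boto3/1.34",
     "requestParameters": {"roleName": "svc-backup-9f2", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-06-01T02:15:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/svc-backup-9f2/backup"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for e in attribute_changes(SAMPLE_RECORDS):
        print(f"{e['time']} [{e['tag']}] {e['detail']} by {e['actor']} from {e['source_ip']} ({e['user_agent']})")
```

The output is what a static posture scan cannot give you: the admin role was created by an automation identity from inside Lambda two seconds before it was granted admin, and minutes later that same new role, now driven from an external address with the CLI, switched off logging. Whether the deployment role was supposed to do that is a question the timeline lets you ask; a list of "roles with AdministratorAccess" does not.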

A Final Note on Misconfigurations

As organizations adopt newer cloud services to build and leverage AI capabilities, new areas for misconfiguration risk are emerging. We investigate AI as a novel attack surface and as a novel tool for defenders in more detail in our second blog in this three part series.

Keys to the Kingdom | Compromised Credentials

With a history of bug bounty hunting and whitehat hacking, our Sr. Director Product Management for Cloud Native Security, Anand Prakash, knows the power compromised credentials give attackers.

“Cloud platforms host vast amounts of interconnected data and services, meaning a single compromised credential can grant attackers access to multiple systems simultaneously– even if your application is otherwise secure.” – Anand Prakash, Sr. Director Product Management for Cloud Native Security at SentinelOne

Despite the criticality of credentials, our Cloud Security Survey found that secret scanning, which helps defenders hunt for leaked credentials, ranked last among core cloud security capabilities. Fewer than 13% of respondents included secret scanning in their top five most important cloud security capabilities, from a list that included cloud detection and response, cloud workload protection platforms (CWPPs), Infrastructure-as-Code (IaC) scanning, and more.

Further, secret scanning was second to last in a ranking of the effectiveness of cloud security tools and capabilities. So defenders view the capability of scanning for compromised credentials as both non-critical and ineffective relative to other capabilities. Perhaps most drastic is the high percentage of respondents who do not possess secret scanning capabilities at all: nearly 30% have either not begun implementing secret scanning or have no plans to do so.

The survey does predict, however, that the relative importance of secret scanning will rise in the near future, as DevSecOps and shifting security left into the development pipeline become an increasing focus for security teams. That shift cannot come too soon. While secret scanning may not rank highly within the security ecosystem, the importance of credentials and access across an enterprise cannot be overstated. Elsewhere in the survey, respondents rate their concern about data breaches highly while underplaying the clear potential of leaked secrets to enable those breaches.

Real World Examples

As Anand Prakash noted, a single compromised credential can grant attackers access to multiple systems simultaneously, which makes lateral movement following credential access an expected next step.

Organizations are unwittingly hardcoding credentials or leaking them on publicly accessible code-sharing services. One example highlighted by the Risk Report is the discovery of over 1.1 million secrets leaked across just 58,000 web applications with publicly accessible environment files. Another is last year’s high-profile ShinyHunters campaign, which harvested credentials from endpoints and websites and resulted in numerous Snowflake breaches. Where successful, the attackers directly targeted cloud-based Snowflake instances for massive data exfiltration, leading to initial presumptions that Snowflake itself had been breached.

A further high-profile example involves an xAI employee who leaked a private API key on GitHub, providing access to unreleased large language models and sensitive information from associated organizations such as SpaceX: a single leak with impacts along a supply chain. Threat actors know the power of compromised credentials and are evolving their use of infostealers and creative lateral movement across increasingly connected systems to exploit this attack vector further.
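The environment-file and GitHub leaks above are exactly what a basic secret scanner catches before an attacker does. As an added example (not code from the reports or from any particular scanning product), the following Python applies known credential formats first and then an entropy test to generic secret-looking assignments, and masks every value it reports. The .env and ~/.aws/credentials contents are constructed; the AWS key values are the placeholders AWS uses in its own documentation, not live credentials, and the GitHub and API token values are made up.

```python
"""Scan text for leaked credentials: known key formats first, then high-entropy secret assignments.

Added example, not from the SentinelOne reports. The .env content and the
~/.aws/credentials content below are constructed; the AWS key values are the
placeholders AWS uses in its own documentation, not live credentials.
"""
import math
import re
from collections import Counter

# Specific formats: (rule name, compiled pattern whose group 1 is the secret value)
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
]

# Generic: KEY=VALUE where the key name smells like a secret and the value is at least 12 chars
GENERIC_RULE = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:secret|token|password|passwd|api_?key|private_?key)[A-Z0-9_]*"
    r"\s*[=:]\s*['\"]?([^\s'\"#]{12,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like 'changeme' sit well below this


def shannon_entropy(s):
    """Bits per character; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    """Never echo the whole secret back into a ticket or a log line."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text, source="<text>"):
    """Return findings as dicts; a line matched by a specific rule is not re-reported generically."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pat in SPECIFIC_RULES:
            for m in pat.finditer(line):
                findings.append({"source": source, "line": lineno, "rule": name, "value": mask(m.group(1))})
                matched = True
        if matched:
            continue
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"source": source, "line": lineno, "rule": "high-entropy-secret",
                             "value": mask(m.group(1))})
    return findings


# Constructed samples: a web app's .env file and the credentials file infostealers read from a host
SAMPLE_ENV = """\
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=changeme
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
API_TOKEN=9f8e7d6c5b4a39281706f5e4d3c2b1a0
STRIPE_KEY=${STRIPE_KEY}
"""

SAMPLE_AWS_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_AWS_CREDENTIALS, "~/.aws/credentials"):
        print(f"{f['source']}:{f['line']} {f['rule']} {f['value']}")
```

The two-tier design matters for the noise problem discussed earlier: format-specific rules have near-zero false positives and should page someone, while the entropy rule deliberately ignores placeholders and variable references (the `changeme` and `${STRIPE_KEY}` lines) so that what it does report is worth a look. The same scanner run over a developer workstation's ~/.aws/credentials shows what an infostealer would find there.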

Evolution of Infostealers

Infostealers are increasingly hunting cloud and container credentials, and are being built into larger attack campaigns to extend their reach. One example is TeamTNT’s SilentBob resource theft campaign, which deploys an infostealer after its cryptominers are established, to broaden what the attacker can do next.

Conclusion | A Need for Foundational Vigilance

The persistence of misconfigurations and compromised credentials as primary attack vectors is a stark reminder that foundational security remains paramount. While confidence in cloud security capabilities grows, true resilience requires continuous vigilance, integrated solutions, and a proactive stance against an ever-adapting adversary. It’s time to bridge the perception gap and ensure that basic cloud security hygiene is not just a checkbox, but a dynamic, AI-driven defense against the inevitable.

Join us at an upcoming webinar on Thursday, July 24, 2025 to learn more about addressing these primary attack vectors and other insights from the Cloud Risk Report and the 2025 Cloud Security Survey. Save your spot here!

Further Reading

The Cloud Security Challenge: Risk Intelligence & Leadership Perspectives
Sign up for this webinar happening July 24, 2025