Cado Security Labs Releases Inaugural 2023 Cloud Threat Findings Report 

Cado Security, provider of the first cloud forensics and incident response platform, today announced the release of the Cado Security Labs 2023 Cloud Threat Findings Report. The report reveals noteworthy discoveries about the evolving cloud threat landscape, shedding light on the heightened risk of cyberattacks that accompanies the rapid adoption of cloud-focused services.

Cado Security Labs is the internal threat research division within Cado’s engineering team. Responsible for conducting industry-leading threat intelligence and cloud security research, the team proactively monitors the latest cloud attack trends and Tactics, Techniques, and Procedures (TTPs). Since its inception, Cado Security Labs has discovered numerous novel cloud-based malware families and threat techniques. One such example is Denonia, the first publicly known case of malware specifically designed to execute in an AWS Lambda environment.

Cado Security Labs researchers operate honeypot infrastructure to collect cloud attacker telemetry across services known to be targeted by cloud-focused threat actors. Findings are examined in real time and novel attack patterns are identified, reported on, and distributed to the security community. 

As organizations increasingly embrace cloud technologies and inherently expose themselves to new and evolving risks, understanding emerging cloud trends on a deeper level is critical. In this report, Cado equips the security community with knowledge that will help them better protect against the latest threats. 

Key findings from the report include:

  • Botnet agents are the most common malware category, representing around 40.3% of all traffic. Use of botnets has been especially relevant in the context of the Russia-Ukraine war, where they have been leveraged by hacktivists on both sides to conduct DDoS attacks on strategic targets.
  • SSH is the most commonly targeted service, accounting for 68.2% of the samples seen, followed by Redis at 27.6%. Log4Shell traffic was low at a mere 4.3%, indicating a shift in threat actor strategy: the vulnerability is no longer prioritized as a means of initial access.
  • Further, nearly all (97.5%) opportunistic threat actors scan for vulnerabilities in only a single specific service to identify vulnerable instances deployed in the wild. This could be because attackers are aware of a specific vulnerability in a particular service or have development experience in that area.

From the attacker telemetry analyzed, Cado Security Labs has derived several projections and recommendations. The team anticipates attacks leveraging serverless functions will increase in severity and sophistication, ransomware groups will develop more non-Windows ransomware, and threat actors will continue to exploit cloud services to aid in phishing and spam campaigns. 

In light of these predictions, Cado Security experts advise organizations to understand the AWS shared responsibility model, ensure access to relevant evidence, limit the exposure of services like Docker and Redis, check public repositories for cloud credentials, and apply the principle of least privilege.

To download the full report, please visit:
