Orca Security released the results of the
2023 Honeypotting in the Cloud Report,
detailing what attackers look for when scanning cloud environments and
how efficient and effective they are in identifying and exploiting
exposed cloud assets. The result of more than six months of research,
the 2023 Honeypotting in the Cloud Report
reveals that attackers typically find exposed "secrets" (pieces of
sensitive information that allow access to an enterprise cloud
environment) in as little as two minutes and, in many cases, begin
exploiting them almost instantly, highlighting the urgent need for
comprehensive cloud security.
Orca's research was conducted between January and May 2023, beginning
with the creation of "honeypots" on nine different cloud environments
that simulated misconfigured resources in the cloud to entice attackers.
Each contained a secret AWS key. Next, Orca monitored each honeypot to
see if and when attackers would take the bait in order to learn what
cloud services are targeted most frequently, how long it takes for
attackers to access public or easily accessible resources, and how long
it takes for attackers to find and use leaked secrets. The research was
conducted by the Orca Research Pod,
a group of expert cloud security researchers that discovers and
analyzes cloud risks and vulnerabilities to strengthen the Orca platform
and promote cloud security best practices.
"While tactics vary per resource, our research makes one thing clear -
if a secret is exposed it will be exploited," said Bar Kaduri, Cloud
Threat Research Team Lead at Orca Security. "Our research shows that
attackers find exposed secrets incredibly quickly and it doesn't take
them long to weaponize them. In this environment, defenders must ensure
that their assets are not publicly accessible unless absolutely
necessary, and that secrets are properly managed."
While Orca expected attackers to find the honeypots quickly, the
research team was still surprised by just how quickly some were found and
exploited. Key findings of the report include:
- Vulnerable assets are discovered almost immediately:
  Misconfigured and vulnerable assets are literally discovered within
  minutes. Exposed secrets on GitHub, HTTP, and SSH were all discovered in
  under five minutes. The AWS S3 Buckets were discovered in under one
  hour.
- Time to key usage varies significantly per asset type: Orca
  observed key usage on GitHub within two minutes, which means that
  exposed keys were compromised virtually instantly. The process was
  slower for other assets; for S3 Buckets, key compromise took
  approximately eight hours and for Elastic Container Registry the process
  was nearly four months.
- Not all assets are treated equally: The more popular the
  resource, the easier it is to access, and the more likely it is to
  contain sensitive information, the more attackers are inclined to do
  reconnaissance. Certain assets, such as SSH, are highly targeted for
  malware and cryptomining.
- Defenders shouldn't rely on automated key protection: Apart from
  GitHub, where the exposed AWS key permissions were immediately locked
  down, Orca did not detect any automated protection for the other
  resources tested.
- No region is safe: Although 50% of all observed exposed AWS key
  usage took place in the United States, usage occurred in almost every
  other region as well, including Canada, APAC, Europe, and South America.

"The differences in attacker tactics depending on resource illustrate
the need for defenders to employ tailored defenses for each instance,"
said Tohar Braun, Research Technical Lead at Orca Security. "The 2023
Honeypotting in the Cloud Report breaks down attack techniques and
includes recommended best practices for mitigating the risk of exposed
secrets."
The full report is available for
download here.