Blog
/
Network
/
October 14, 2024

How Triada Affects Banking and Communication Apps

Explore the intricacies of the Triada Trojan and its targeting of communication and banking apps. Learn how to safeguard against this threat.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
14
Oct 2024

The rise of android malware

Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.

These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].

One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].

Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.

Triada: Background and tactics

First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].

How does Triada work?

Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.

After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].

For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].

How does Triada avoid detection?

Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].

Triada attack overview

Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.

External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.
Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.

Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.

Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.
Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.

On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.

Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.
Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.

These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.

A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.

Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.

Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.

These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.

The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.

Conclusion

Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.

Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.

This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.

Credit to: Justin Torres (Senior Cyber Security Analyst) and Anna Gilbertson (Cyber Security Analyst).

Appendices

Darktrace Model Detections

Model Alert Coverage

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Multiple HTTP POSTS to Rare Hostname

Anomalous Connections / Multiple Failed Connections to Rare Endpoint

Anomalous Connection / Suspicious Expired SSL

Compromise / DGA Beacon

Compromise / Domain Fluxing

Compromise / Fast Beaconing to DGA

Compromise / Sustained SSL or HTTP Increase

Compromise / Unusual Connections to Rare Lets Encrypt

Unusual Activity / Unusual External Activity

AI Analyst Incident Coverage

Unusual Repeated Connections to Multiple Endpoints

Possible SSL Command and Control

Unusual Repeated Connections

List of Indicators of Compromise (IoCs)

Ioc – Type - Description

  • is5jg[.]3zweuj[.]com - Hostname - Triada C2 Endpoint
  • 68u91[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 9yrh7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • 92n7au[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • 4a5x2[.]fs4ah[.]com - Hostname - Triada C2 Endpoint
  • jmll4[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • mrswd[.]wo87sf[.]com - Hostname - Triada C2 Endpoint
  • lptkw[.]s4xx6[.]com - Hostname - Triada C2 Endpoint
  • ya27fw[.]k6zix6[.]com - Hostname - Triada C2 Endpoint
  • w0g25[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • kivr8[.]wd6vy[.]com - Hostname - Triada C2 Endpoint
  • iuwe64[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • qefgn[.]8z0le[.]com - Hostname - Triada C2 Endpoint
  • a6y0x[.]xu0h7[.]com - Hostname - Triada C2 Endpoint
  • wewjyw[.]qb6ges[.]com - Hostname - Triada C2 Endpoint
  • vx9dle[.]n0qq3z[.]com - Hostname - Triada C2 Endpoint
  • 72zf6[.]rxqfd[.]com - Hostname - Triada C2 Endpoint
  • dwq[.]fsdw4f[.]com - Hostname - Triada C2 Endpoint
  • tqq6g[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 1rma1[.]4f8uq[.]com - Hostname - Triada C2 Endpoint
  • 0fdwa[.]7j3gj[.]com - Hostname - Triada C2 Endpoint
  • 5a7en[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • gmcp4[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • g7190[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • goyvi[.]2l2wa[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]ca0qf[.]com - Hostname - Triada C2 Endpoint
  • sv83k[.]bn3avv[.]com - Hostname - Triada C2 Endpoint
  • 9sae7h[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • jpygmk[.]qt7tqr[.]com - Hostname - Triada C2 Endpoint
  • av2wg[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • ugbrg[.]osz1p[.]com - Hostname - Triada C2 Endpoint
  • hw2dm[.]wtws9k[.]com - Hostname - Triada C2 Endpoint
  • kj9atb[.]hai8j1[.]com - Hostname - Triada C2 Endpoint
  • pls9b[.]b0vb3[.]com - Hostname - Triada C2 Endpoint
  • 8rweau[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • wkc5kn[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • v58pq[.]mpvflv[.]com - Hostname - Triada C2 Endpoint
  • zmai4k[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • eajgum[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • mxl9zg[.]kv0pzv[.]com - Hostname - Triada C2 Endpoint
  • ad1x7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • ixhtb[.]s9gxw8[.]com - Hostname - Triada C2 Endpoint
  • vg1ne[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • q5gd0[.]birxpk[.]com - Hostname - Triada C2 Endpoint
  • dycsw[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • a3miu[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • qru62[.]5qwu8b5[.]com - Hostname - Triada C2 Endpoint
  • 3eox8[.]abxkoop[.]com - Hostname - Triada C2 Endpoint
  • 0kttj[.]bddld[.]com - Hostname - Triada C2 Endpoint
  • gjhdr[.]xikuj[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]wm0hd[.]com - Hostname - Triada C2 Endpoint
  • 8.222.219[.]234 - IP Address - Triada C2 Endpoint
  • 8.222.244[.]205 - IP Address - Triada C2 Endpoint
  • 8.222.243[.]182 - IP Address - Triada C2 Endpoint
  • 8.222.240[.]127 - IP Address - Triada C2 Endpoint
  • 8.219.123[.]139 - IP Address - Triada C2 Endpoint
  • 8.219.196[.]124 - IP Address - Triada C2 Endpoint
  • 8.222.217[.]73 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]253 - IP Address - Triada C2 Endpoint
  • 8.222.194[.]254 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]34 - IP Address - Triada C2 Endpoint
  • 8.222.216[.]105 - IP Address - Triada C2 Endpoint
  • 47.245.83[.]167 - IP Address - Triada C2 Endpoint
  • 198.200.54[.]56 - IP Address - Triada C2 Endpoint
  • 47.236.113[.]126 - IP Address - Triada C2 Endpoint
  • 47.241.47[.]128 - IP Address - Triada C2 Endpoint
  • /iyuljwdhxk - URI - Triada C2 URI
  • /gvuhlbzknh - URI - Triada C2 URI
  • /sqyjyadwwq - URI - Triada C2 URI
  • /cncyz3 - URI - Triada C2 URI
  • /42k0zk - URI - Triada C2 URI
  • /75kdl5 - URI - Triada C2 URI
  • /i8xps1 - URI - Triada C2 URI
  • /84gcjmo - URI - Triada C2 URI
  • /fkhiwf - URI - Triada C2 URI

MITRE ATT&CK Mapping

Technique Name - Tactic - ID - Sub-Technique of

Data Obfuscation - COMMAND AND CONTROL - T1001

Non-Standard Port - COMMAND AND CONTROL - T1571

Standard Application Layer Protocol - COMMAND AND CONTROL ICS - T0869

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

Masquerading - EVASION ICS - T0849

Man in the Browser - COLLECTION - T1185

Web Protocols - COMMAND AND CONTROL - T1071.001 -T1071

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

DNS - COMMAND AND CONTROL - T1071.004 - T1071

Fast Flux DNS - COMMAND AND CONTROL - T1568.001 - T1568

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Digital Certificates - RESOURCE DEVELOPMENT - T1587.003 - T1587

References

[1] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[2] https://cyberfraudcentre.com/the-rise-of-the-antidot-android-banking-trojan-a-comprehensive-guide

[3] https://www.zimperium.com/glossary/banking-trojans/

[4] https://www.geeksforgeeks.org/what-is-triada-malware/

[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/

[6] https://www.pcrisk.com/removal-guides/24926-triada-trojan-android

[7] https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

[8] https://securityboulevard.com/2024/02/impact-of-badbox-and-peachpit-malware-on-android-devices/

[9] https://threatpost.com/custom-whatsapp-build-malware/168892/

[10] https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

[11] https://www.virustotal.com/gui/domain/is5jg.3zweuj.com/relations

[12] https://www.virustotal.com/gui/domain/92n7au.uhabq9.com/relations

[13] https://www.virustotal.com/gui/domain/68u91.66foh90o.com/relations

Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

Anomaly-based threat hunting: Darktrace's approach in action

May 8, 2025
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Watch the NIS2 Webinar
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
Network
May 8, 2025

Anomaly-based threat hunting: Darktrace's approach in action

This blog outlines Darktrace's model-based anomaly detection and how security teams can leverage custom models for targeted threat hunts. Recently, Darktrace's Threat Research team applied this method in their report, "AI & Cybersecurity: The State of Cyber in UK and US Energy Sectors."
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
May 1, 2025

SocGholish: From loader and C2 activity to RansomHub deployment

In early 2025, Darktrace uncovered SocGholish-to-RansomHub intrusion chains, including loader and C2 activity, alongside credential harvesting via WebDAV and SCF abuse. Learn more about SocGholish and its kill chain here!
Christina Kreza
Cyber Analyst
Read more
Network
May 1, 2025

Your Vendors, Your Risk: Rethinking Third-Party Security in the Age of Supply Chain Attacks

Protecting against supply chain cyber-attacks means safeguarding not just your network, but your customers’ trust. Learn why securing vendor relationships is essential in today’s threat landscape.
Tony Jarvis
VP, Field CISO | Darktrace
Read more

Blog

/

/

May 7, 2025

Anomaly-based threat hunting: Darktrace's approach in action

person working on laptopDefault blog imageDefault blog image

What is threat hunting?

Threat hunting in cybersecurity involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions. It is an important component of a strong cybersecurity posture.

There are several frameworks that Darktrace analysts use to guide how threat hunting is carried out, some of which are:

  • MITRE Attack
  • Tactics, Techniques, Procedures (TTPs)
  • Diamond Model for Intrusion Analysis
  • Adversary, Infrastructure, Victims, Capabilities
  • Threat Hunt Model – Six Steps
  • Purpose, Scope, Equip, Plan, Execute, Feedback
  • Pyramid of Pain

These frameworks are important in baselining how to run a threat hunt. There are also a combination of different methods that allow defenders diversity– regardless of whether it is a proactive or reactive threat hunt. Some of these are:

  • Hypothesis-based threat hunting
  • Analytics-driven threat hunting
  • Automated/machine learning hunting
  • Indicator of Compromise (IoC) hunting
  • Victim-based threat hunting

Threat hunting with Darktrace

At its core, Darktrace is an anomaly-based detection tool. It combines various machine learning types that allows it to characterize what constitutes ‘normal’, based on the analysis of many different measures of a device or actor’s behavior. Those types of learning are then curated into what are called models.

Darktrace models leverage anomaly detection and integrate outputs from Darktrace Deep Packet Inspection, telemetry inputs, and additional modules, creating tailored activity detection.

This dynamic understanding allows Darktrace to identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.  On top of machine learning models for detection, there is also the ability to change and create models showcasing the tool’s diversity. The Model Editor allows security teams to specify values, priorities, thresholds, and actions they want to detect. That means a team can create custom detection models based on specific use cases or business requirements. Teams can also increase the priority of existing detections based on their own risk assessments to their environment.

This level of dexterity is particularly useful when conducting a threat hunt. As described above, and in previous ‘Inside the SOC’ blogs such a threat hunt can be on a specific threat actor, specific sector, or a  hypothesis-based threat hunt combined with ‘experimenting’ with some of Darktrace’s models.

Conducting a threat hunt in the energy sector with experimental models

In Darktrace’s recent Threat Research report “AI & Cybersecurity: The state of cyber in UK and US energy sectors” Darktrace’s Threat Research team crafted hypothesis-driven threat hunts, building experimental models and investigating existing models to test them and detect malicious activity across Darktrace customers in the energy sector.

For one of the hunts, which hypothesised utilization of PerfectData software and multi-factor authentication (MFA) bypass to compromise user accounts and destruct data, an experimental model was created to detect a Software-as-a-Service (SaaS) user performing activity relating to 'PerfectData Software’, known to allow a threat actor to exfiltrate whole mailboxes as a PST file. Experimental model alerts caused by this anomalous activity were analyzed, in conjunction with existing SaaS and email-related models that would indicate a multi-stage attack in line with the hypothesis.

Whilst hunting, Darktrace researchers found multiple model alerts for this experimental model associated with PerfectData software usage, within energy sector customers, including an oil and gas investment company, as well as other sectors. Upon further investigation, it was also found that in June 2024, a malicious actor had targeted a renewable energy infrastructure provider via a PerfectData Software attack and demonstrated intent to conduct an Operational Technology (OT) attack.

The actor  logged into Azure AD from a rare US IP address. They then granted Consent to ‘eM Client’ from the same IP. Shortly after, the actor granted ‘AddServicePrincipal’ via Azure  to PerfectData Software. Two days later, the actor created a  new email rule from a London IP to move emails to an RSS Feed Folder, stop processing rules, and mark emails as read. They then accessed mail items in the “\Sent” folder from a malicious IP belonging to anonymization network,  Private Internet Access Virtual Private Network (PIA VPN). The actor then conducted mass email deletions , deleting multiple instances of emails with subject “[Name] shared "[Company Name] Proposal" With You” from the  “\Sent folder”. The emails’ subject suggests the email likely contains a link to file storage for phishing purposes. The mass deletion likely represented an attempt to obfuscate a potential outbound phishing email campaign.

The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.
Figure 1: The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.

A month later, the same user was observed downloading mass mLog CSV files related to proprietary and Operational Technology information. In September, three months after the initial attack, another mass download of operational files occurred by this actor, pertaining to operating instructions and measurements, The observed patience and specific file downloads seemingly demonstrated an intent to conduct or research possible OT attack vectors. An attack on OT could have significant impacts including operational downtime, reputational damage, and harm to everyday operations. Darktrace alerted the impacted customer once findings were verified, and subsequent actions were taken by the internal security team to prevent further malicious activity.

Conclusion

Harnessing the power of different tools in a security stack is a key element to cyber defense. The above hypothesis-based threat hunt and custom demonstrated intent to conduct an experimental model creation demonstrates different threat hunting approaches, how Darktrace’s approach can be operationalized, and that proactive threat hunting can be a valuable complement to traditional security controls and is essential for organizations facing increasingly complex threat landscapes.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO at Darktrace) and Zoe Tilsiter (EMEA Consultancy Lead)

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

May 6, 2025

Combatting the Top Three Sources of Risk in the Cloud

woman working on laptopDefault blog imageDefault blog image

With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.

Last year data breaches in solely public cloud deployments were the most expensive type of data breach, with an average of $5.17 million USD, a 13.1% increase from the year before.

So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.

What are cloud risks?

Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.

There are three major types of cloud risks:

1. Misconfigurations

As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.

With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.

Common causes of misconfiguration come from skill shortages, outdated practices, and manual workflows. For example, potential misconfigurations can occur around firewall zones, isolated file systems, and mount systems, which all require specialized skill to set up and diligent monitoring to maintain

2. Identity and Access Management (IAM) failures

IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.

Cybersecurity professionals ranked IAM skills as the second most important security skill to have, just behind general cloud and application security.

There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).

Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.

When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.

3. Cross-domain threats

The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.  

Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.  

Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.

Adopting AI cybersecurity tools to reduce cloud risk

For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.

Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.

Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.

It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.

Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.

Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.  

Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.

[related-resource]

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI