The Hidden Danger of Persistence in Cloud Environments

Categories: Cybersecurity, Cybercrime, IT infrastructure, AI. Posted by admGrupoBeit, 17 December 2025


By Elías Cedillo Hernández
CEO & Founder of Grupo BeIT, BuróMC and Elit Infrastructure Services

The migration to cloud services such as AWS, Microsoft Azure, and Google Cloud has transformed business operations, delivering scalability, flexibility, and cost efficiency. However, this evolution has also introduced a silent risk that many organizations underestimate: attacker persistence in cloud environments. Cybercriminals, beyond stealing data, aim to establish a permanent foothold within the infrastructure to maintain control and exploit resources for months without detection.

When an attacker compromises a cloud account, data exfiltration is often the first step, but sophisticated attacks go further. The real objective is to remain hidden even after the initial breach appears to have been resolved. This persistence is achieved through tactics that exploit the complexity and lack of visibility in multi-cloud environments. Gartner warns that identity and access management (IAM) and continuous monitoring are essential to keep these threats from taking hold, because the cloud operates under a shared responsibility model: the provider secures the physical infrastructure, while configuration and access management remain the responsibility of the enterprise.

Common methods for achieving persistence include creating ghost users with hidden privileges that evade superficial audits; planting backdoors in serverless functions such as AWS Lambda or Azure Functions so that malicious code runs inside a trusted, scheduled workload; and creating additional access keys or API tokens that keep working after a password reset, because long-lived keys are independent of the user's password. Manipulating IAM roles is also frequent: assigning excessive permissions, editing a role's trust policy so that an outside principal can assume it, or writing policies that enable lateral movement within the cloud environment. These techniques are particularly dangerous because they blend into normal control-plane activity, where traditional tools have little or no visibility.
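The control-plane actions listed above all leave records in the provider's audit log (CloudTrail on AWS), so the practical question is which events to alert on. The following is an added example, not code from the article or from Grupo BeIT: a small rule set run over constructed CloudTrail-style records. The event names and request-parameter fields are the ones CloudTrail actually uses (the Lambda events carry an API-version suffix); the account number, ARNs, function name and the ordering of the sample events are invented for the example, and the policy documents are assumed to arrive as JSON strings.

```python
import json
from typing import Any

# CloudTrail eventName values that appear when a principal is planting a
# persistence mechanism rather than merely reading data. The Lambda control
# plane records its API version in the event name, hence the suffixes.
PERSISTENCE_EVENTS = {
    "CreateUser": "new-principal",
    "CreateLoginProfile": "console-password-set",
    "CreateAccessKey": "new-long-lived-credential",
    "AttachUserPolicy": "managed-policy-attached",
    "AttachRolePolicy": "managed-policy-attached",
    "PutUserPolicy": "inline-policy-written",
    "PutRolePolicy": "inline-policy-written",
    "UpdateAssumeRolePolicy": "trust-policy-changed",
    "UpdateFunctionCode20150331v2": "function-code-replaced",
    "UpdateFunctionConfiguration20150331v2": "function-config-changed",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def as_list(value: Any) -> list[Any]:
    """IAM allows a string or a list in Action/Resource/Principal fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def allow_statements(doc_text: str) -> list[dict[str, Any]]:
    """Return the Allow statements of a JSON policy document (empty list if unparsable)."""
    try:
        doc = json.loads(doc_text)
    except (TypeError, ValueError):
        return []
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"]


def grants_everything(doc_text: str) -> bool:
    """Allow with Action '*' on Resource '*': a full-admin inline policy."""
    return any("*" in as_list(s.get("Action")) and "*" in as_list(s.get("Resource"))
               for s in allow_statements(doc_text))


def trusts_foreign_account(doc_text: str, own_account: str) -> bool:
    """True if a trust policy lets a principal outside own_account assume the role."""
    for s in allow_statements(doc_text):
        principal = s.get("Principal", {})
        if principal == "*":
            return True
        for arn in as_list(principal.get("AWS") if isinstance(principal, dict) else None):
            if arn == "*" or own_account not in arn:
                return True
    return False


def find_persistence_events(events: list[dict[str, Any]], own_account: str) -> list[dict[str, str]]:
    """Flag CloudTrail events that create a foothold; rate the clearest cases 'high'."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        rule = PERSISTENCE_EVENTS.get(name)
        if rule is None:
            continue
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        target = params.get("userName") or params.get("roleName") or params.get("functionName") or "-"
        severity = "medium"
        # A key minted for someone else survives the caller's own password reset.
        if name == "CreateAccessKey" and target != "-" and not actor.endswith("/" + target):
            rule, severity = "key-minted-for-other-principal", "high"
        elif rule == "managed-policy-attached" and params.get("policyArn") == ADMIN_POLICY_ARN:
            rule, severity = "admin-policy-attached", "high"
        elif rule == "inline-policy-written" and grants_everything(params.get("policyDocument", "")):
            rule, severity = "wildcard-inline-policy", "high"
        elif name == "UpdateAssumeRolePolicy" and trusts_foreign_account(params.get("policyDocument", ""), own_account):
            rule, severity = "cross-account-trust-added", "high"
        findings.append({"time": ev.get("eventTime", ""), "severity": severity, "rule": rule,
                         "actor": actor, "event": name, "target": target})
    return findings


OWN_ACCOUNT = "111122223333"            # assumed account id for the example
_ALICE = "arn:aws:iam::111122223333:user/alice"
# Constructed CloudTrail records (only the fields used above); not real logs.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-10T01:02:03Z", "eventName": "CreateUser",
     "userIdentity": {"arn": _ALICE}, "requestParameters": {"userName": "svc-backup-tmp"}},
    {"eventTime": "2025-12-10T01:02:09Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": _ALICE}, "requestParameters": {"userName": "svc-backup-tmp"}},
    {"eventTime": "2025-12-10T01:02:15Z", "eventName": "AttachUserPolicy", "userIdentity": {"arn": _ALICE},
     "requestParameters": {"userName": "svc-backup-tmp", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2025-12-10T01:03:40Z", "eventName": "UpdateAssumeRolePolicy", "userIdentity": {"arn": _ALICE},
     "requestParameters": {"roleName": "Deploy", "policyDocument": json.dumps({"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999988887777:root"}}]})}},
    {"eventTime": "2025-12-10T01:05:00Z", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": _ALICE}, "requestParameters": {"functionName": "nightly-report"}},
    {"eventTime": "2025-12-10T01:06:00Z", "eventName": "PutRolePolicy", "userIdentity": {"arn": _ALICE},
     "requestParameters": {"roleName": "Deploy", "policyName": "s3-read", "policyDocument": json.dumps({
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                 "Resource": "arn:aws:s3:::reports/*"}]})}},
    {"eventTime": "2025-12-10T01:07:00Z", "eventName": "GetObject",   # data-plane read: not flagged
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "reports", "key": "q4.pdf"}},
]

if __name__ == "__main__":
    for f in find_persistence_events(SAMPLE_EVENTS, OWN_ACCOUNT):
        print(f"{f['time']} {f['severity']:6} {f['rule']:30} {f['actor']} -> {f['event']} {f['target']}")
```

On the sample input the six control-plane events are flagged and the S3 read is not; the access key minted for another user, the AdministratorAccess attachment and the trust policy opened to account 999988887777 come out as high. Grouping the findings by actor and time window, as the sample does implicitly, is what turns single events into a persistence story: one identity creating a user, a key, an admin policy and a cross-account trust within two minutes.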

This brings us to a critical reality: traditional perimeter-based security is insufficient. In the cloud, the perimeter disappears. Applications, data, and users are globally distributed, and connections occur through APIs and internal services that bypass firewalls. Even the most advanced firewalls cannot inspect the internal logic of a serverless function or distinguish a stolen IAM credential from a legitimate one, since both reach the provider's API over the same encrypted channel. Fortinet and other cybersecurity leaders agree that the solution lies in adopting a Zero Trust approach, which assumes no connection is secure by default and demands continuous verification of identity and context.

Alarming trends compound this threat: according to Tenable’s 2025 report, 9% of public cloud storage contains sensitive data, and 97% of that data is confidential, which shows severe gaps in access management and configuration. Additionally, more than 50% of organizations store secrets (keys, tokens) in AWS ECS task definitions and similar services, creating direct attack vectors. Tenable also warns of the “toxic trilogy”: publicly exposed workloads that are vulnerable and highly privileged, present in 29% of organizations, facilitating persistence and privilege escalation.

Meanwhile, cloud security alerts have quintupled over the past year, with a 116% increase in IAM-related events such as impossible logins and token misuse in serverless functions. This confirms that attackers are prioritizing credentials and exfiltration as primary tactics. In fact, one in four companies suffered at least one cloud data exfiltration in the past year, and 36% experienced multiple breaches driven by misconfigurations and lack of encryption.

Digital supply chains and cloud environments are also emerging as critical risk zones in 2025. A single compromised provider can open the door to multiple organizations, amplifying the impact of an attack. Global cybercrime costs will exceed $10 trillion this year, fueled by the use of AI for faster, more sophisticated attacks.

Finally, Veeam's 2025 report reveals that nearly 70% of organizations continue to suffer cyberattacks despite improved defenses. Most concerning, only 10% manage to recover more than 90% of their data after an incident, while 57% recover less than 50%. Moreover, attacks focused exclusively on exfiltration, stealing sensitive information without encrypting or locking it, are growing, which makes detection even harder because nothing visibly breaks.

Key actions to mitigate this risk include adopting a Zero Trust model; conducting regular audits of IAM users, roles, access keys and role trust policies to remove excessive privileges and any credential nobody can account for; implementing advanced monitoring with tools such as AWS GuardDuty, Microsoft Sentinel, and Sophos CSPM (Cloud Security Posture Management) solutions to detect anomalies and backdoors; and ensuring multi-cloud automation and visibility through platforms that correlate events and alerts in real time. The cloud is not inherently insecure, but its complexity demands a mindset shift. Attacker persistence is a silent threat that can compromise business continuity, and for business leaders, investing in adaptive security, visibility, and governance is not optional. It is the only way to ensure that cloud innovation does not become an existential risk.
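An IAM audit of the kind recommended above has to look at credentials, not just at the list of user names, because a ghost user or an extra access key on a dormant service account is exactly what a quick review misses. As an added example (not code from the article or from Grupo BeIT), the following reads a credential report in the column format that `aws iam get-credential-report` produces (only a subset of its columns is used) and flags console users without MFA, active keys that are idle or have never been used, and users holding two live keys at once. The rows, account number and report date are constructed for the example and describe no real account.

```python
import csv
import io
from datetime import datetime, timezone

# A subset of the columns in `aws iam get-credential-report` output. The rows
# are constructed for this example and describe no real account.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T08:00:00+00:00,not_supported,2025-06-01T11:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-10T09:00:00+00:00,true,2025-12-15T09:30:00+00:00,true,true,2025-10-01T09:00:00+00:00,2025-12-15T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-07-21T12:00:00+00:00,true,2025-12-16T14:10:00+00:00,false,false,N/A,N/A,false,N/A,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2022-11-02T07:00:00+00:00,false,no_information,false,true,2024-01-15T07:00:00+00:00,2025-05-20T03:00:00+00:00,true,2025-12-16T02:00:00+00:00,N/A
"""

# Report date assumed for the example so that the idle-key arithmetic is reproducible.
NOW = datetime(2025, 12, 17, tzinfo=timezone.utc)
# Placeholder strings the report uses where no timestamp applies.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def parse_time(value: str):
    """ISO 8601 timestamp from the report, or None for the report's placeholder strings."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(csv_text: str, now: datetime = NOW, max_idle_days: int = 90) -> list[dict[str, str]]:
    """Return findings for console logins without MFA, idle or never-used active keys, and dual live keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Root shows password_enabled=not_supported, so the MFA rule applies only to real console users.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "rule": "console-user-without-mfa",
                             "detail": "password login enabled, no MFA device"})
        active_slots = []
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            active_slots.append(slot)
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            rotated = row[f"access_key_{slot}_last_rotated"]
            if last_used is None:
                # A live key that has never been used is either forgotten or freshly planted.
                findings.append({"user": user, "rule": "active-key-never-used",
                                 "detail": f"key {slot} created {rotated}, never used"})
            else:
                idle_days = (now - last_used).days
                if idle_days > max_idle_days:
                    findings.append({"user": user, "rule": "active-key-idle",
                                     "detail": f"key {slot} last used {idle_days} days ago"})
        if len(active_slots) == 2:
            # IAM allows two keys per user; a second key on a dormant user is a classic persistence signal.
            findings.append({"user": user, "rule": "two-active-access-keys",
                             "detail": "both key slots live"})
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{f['user']:12} {f['rule']:26} {f['detail']}")
```

On the sample report, alice and the root account produce nothing, bob is flagged for console access without MFA, and svc-backup collects three findings: a key idle for more than 200 days, a second key created the previous day that has never been used, and two live keys on one identity. That last pattern, a fresh never-used key beside a stale one on a service account with no console password, is the credential-level shape of the ghost-user persistence described earlier, and it is invisible if the audit only lists user names. Raising `max_idle_days` to 365 keeps the other findings and drops only the idle-key one, which is the knob to tune per environment.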

 
