Hackers use public cloud features to breach, persist in business networks
A new body of evidence indicates threat actors are using increasingly advanced techniques to target unsecured cloud users and leveraging features common to public cloud platforms to conceal activity as they breach and persist in target networks.
Data comes from the Threat Stack security team, which spotted the pattern over multiple years of observing behavior on client networks. It was in 2016 when they noticed attacks leveraging Amazon Web Services (AWS) were becoming more sophisticated, says CSO Sam Bisbee. The trend picked up in 2017.
The problem, the team notes, is not with AWS but with the way attackers are maliciously using it.
“These are not exploits or vulnerabilities in the AWS services and software,” Bisbee explains. “This is about the features and attributes of AWS leveraged by attackers in more sophisticated ways.”
In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) to mine cryptocurrency. Sometimes they don’t have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years. Amazon emphasizes S3 buckets are secured by default; it also launched Macie to protect AWS S3 data and provides free bucket checks via Trusted Advisor.
While these less advanced techniques are still problematic, Bisbee says threats leveraging AWS are becoming more complex and targeted, with attacks launched on AWS features and combined with network-based intrusion attacks.
Most of these attacks start with credential theft, which Bisbee says is the most common initial entry point. An attacker can steal access keys or credentials via phishing attacks, deploying malware that picks up usernames and passwords, and snatching data from a Github repository where a developer may have accidentally uploaded his information.
Credentials secured, the next step is to figure out what level of permissions can be attained. If an actor realizes he doesn’t have what he needs, he may attempt to create additional roles or credentials in AWS and then launch a new EC2 instance inside the target environment. However, the stolen credentials must have access to IAM to create new roles, which AWS does not allow by default.
At this point, the attacker has established a beachhead in the network from which the target can be scanned. The attacker can move laterally from his EC2 instance in a traditional network attack chain, Bisbee explains, exploiting different hosts on the network.
Upon landing on a new host, the attacker checks its AWS permissions. If the attacker is only looking for a small amount of data, he can exfiltrate through the terminal or chain of compromised hosts, bypassing DLP tools. However, the desired amount of data depends on the actor and their motivation.
This behavioral pattern is typically seen in more targeted, persistent attack patterns, Bisbee says. Most actors are attempting to achieve access to specific pieces of data, and they’re generally hitting targets in popular industries, such as manufacturing, financial, and tech.
The amount of data sought depends on the target, he adds. If a company is storing healthcare information or voter records, the attacker is looking for data in bulk. If the attacker is targeting a media company, he may only want prereleased content or something more specific. Because data can be extracted by copying and pasting or snapping a screenshot, it’s hard to detect theft.
One reason the lateral movement in the AWS scenario was hard to detect was because most security monitoring techniques assume an attacker will want to dive deep into the host and escalate privileges. In this case, the actors were trying to move off the host layer and back into the AWS control plane, which most blue teams aren’t on the lookout for.
AWS “is just as critical as underlying servers,” Bisbee says. “You need to be monitoring all aspects of your environment.”
