Cloud

8/21/2018
10:05 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Hackers Use Public Cloud Features to Breach, Persist In Business Networks

Attackers are abusing the characteristics of cloud services to launch and hide their activity as they traverse target networks.

A new body of evidence indicates threat actors are using increasingly advanced techniques to target unsecured cloud users and leveraging features common to public cloud platforms to conceal activity as they breach and persist in target networks.

Data comes from the Threat Stack security team, which spotted the pattern over multiple years of observing behavior on client networks. It was in 2016 when they noticed attacks leveraging Amazon Web Services (AWS) were becoming more sophisticated, says CSO Sam Bisbee. The trend picked up in 2017.

The problem, the team notes, is not with AWS but with the way attackers are maliciously using it.

"These are not exploits or vulnerabilities in the AWS services and software," Bisbee explains. "This is about the features and attributes of AWS leveraged by attackers in more sophisticated ways."

In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) to mine cryptocurrency. Sometimes they don't have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years. Amazon emphasizes S3 buckets are secured by default; it also launched Macie to protect AWS S3 data and provides free bucket checks via Trusted Advisor.

While these less advanced techniques are still problematic, Bisbee says threats leveraging AWS are becoming more complex and targeted, with attacks launched on AWS features and combined with network-based intrusion attacks.

"In any industry and any platform, you're constantly playing cat and mouse," he says. "As blue teams and defenders become more sophisticated, the red team has to level up."

How It Works
Most of these attacks start with credential theft, which Bisbee says is the most common initial entry point. An attacker can steal access keys or credentials via phishing attacks, deploying malware that picks up usernames and passwords, and snatching data from a Github repository where a developer may have accidentally uploaded his information.

Credentials secured, the next step is to figure out what level of permissions can be attained. If an actor realizes he doesn't have what he needs, he may attempt to create additional roles or credentials in AWS and then launch a new EC2 instance inside the target environment. However, the stolen credentials must have access to IAM to create new roles, which AWS does not allow by default.

"Typically, the way most AWS accounts are configured, I can deploy that AWS instance anywhere in your network that I want," Bisbee says. It could go at the network's edge or at its center, where an organization's more interesting infrastructure and databases are located.

At this point, the attacker has established a beachhead in the network from which the target can be scanned. The attacker can move laterally from his EC2 instance in a traditional network attack chain, Bisbee explains, exploiting different hosts on the network.

Upon landing on a new host, the attacker checks its AWS permissions. If the attacker is only looking for a small amount of data, he can exfiltrate through the terminal or chain of compromised hosts, bypassing DLP tools. However, the desired amount of data depends on the actor and their motivation.

Who, Where, and Why
This behavioral pattern is typically seen in more targeted, persistent attack patterns, Bisbee says. Most actors are attempting to achieve access to specific pieces of data, and they're generally hitting targets in popular industries, such as manufacturing, financial, and tech.

The amount of data sought depends on the target, he adds. If a company is storing healthcare information or voter records, the attacker is looking for data in bulk. If the attacker is targeting a media company, he may only want prereleased content or something more specific. Because data can be extracted by copying and pasting or snapping a screenshot, it's hard to detect theft.

One reason the lateral movement in the AWS scenario was hard to detect was because most security monitoring techniques assume an attacker will want to dive deep into the host and escalate privileges. In this case, the actors were trying to move off the host layer and back into the AWS control plane, which most blue teams aren't on the lookout for.

AWS "is just as critical as underlying servers," Bisbee says. "You need to be monitoring all aspects of your environment."

Amazon has deployed multiple services to boost AWS security. GuardDuty, a managed threat detection service, is designed to monitor for malicious or unauthorized behavior (unusual API calls, potentially unauthorized deployments) and help AWS users protect their accounts and workloads. Amazon Inspector, a separate service, automates security assessments to ensure security and compliance for applications deployed on AWS.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16958
PUBLISHED: 2018-09-18
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is...
CVE-2018-16959
PUBLISHED: 2018-09-18
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The portal component is delivered with an insecure default User Profile community configuration that allows anonymous users to retrieve the account names of all portal users via /portal/server.pt/user/user/ requests. When WCI is ...
CVE-2018-16952
PUBLISHED: 2018-09-18
The Oracle WebCenter Interaction Portal 10.3.3 does not implement protection against Cross-site Request Forgery in its design. The impact is sensitive actions in the portal (such as changing a portal user's password).
CVE-2018-16953
PUBLISHED: 2018-09-18
The AjaxView::DisplayResponse() function of the portalpages.dll assembly in Oracle WebCenter Interaction Portal 10.3.3 is vulnerable to reflected cross-site scripting (XSS). User input from the name parameter is unsafely reflected in the server response.
CVE-2018-16954
PUBLISHED: 2018-09-18
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login.