A new body of evidence indicates threat actors are using increasingly advanced techniques to target cloud providers and leveraging cloud-specific traits to hide their activity as they breach and persist in target networks.
Data comes from the Threat Stack security team, which spotted the pattern over multiple years of observing behavior on client networks. It was in 2016 when they noticed attacks leveraging Amazon Web Services (AWS) were becoming more sophisticated, says CSO Sam Bisbee. The trend picked up in 2017.
The problem, the team notes, is not with AWS but with the way attackers are maliciously using it.
“These are not exploits or vulnerabilities in the AWS services and software,” Bisbee explains. “This is about the features and attributes of AWS leveraged by attackers in more sophisticated ways.”
In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) to mine cryptocurrency. Sometimes they don’t have to look far: Misconfigured S3 buckets made a number of headlines in the past couple of years; Amazon, to its credit, launched Macie to protect AWS S3 data.
While these less advanced techniques are still problematic, Bisbee says threats leveraging AWS are becoming more complex and targeted, with attacks launched on AWS features and combined with network-based intrusion attacks.
“In any industry and any platform, you’re constantly playing cat and mouse,” he says. “As blue teams and defenders become more sophisticated, the red team has to level up.”
How It Works
Most of these attacks start with credential theft, which Bisbee says is the most common initial entry point. An attacker can steal access keys or credentials via phishing attacks, deploying malware that picks up usernames and passwords, and snatching data from a Github repository where a developer may have accidentally uploaded his information.
Credentials secured, the next step is to figure out what level of permissions can be attained. If an actor realizes he doesn’t have what he needs, he may attempt to create additional roles or credentials in AWS and then launch a new EC2 instance inside the target environment.
“Typically, the way most AWS accounts are configured, I can deploy that AWS instance anywhere in your network that I want,” Bisbee says. It could go at the network’s edge or at its center, where an organization’s more interesting infrastructure and databases are located.
At this point, the attacker has established a beachhead in the network from which the target can be scanned. The attacker can move laterally from his EC2 instance in a traditional network attack chain, Bisbee explains, exploiting different hosts on the network. EC2 instances are granted IAM permissions when they launch, which grants access to AWS services such as RDS and S3.
Upon landing on a new host, the attacker checks its AWS permissions. When he discovers a host with the permission he needs, he performs the RDS API calls to access a database with the information he’s looking for. If the attacker is only looking for a small amount of data, he can exfiltrate through the terminal or chain of compromised hosts, bypassing DLP tools.
Who, Where, and Why
This behavioral pattern is typically seen in more targeted, persistent attack patterns, Bisbee says. Most actors are attempting to achieve access to specific pieces of data, and they’re generally hitting targets in popular industries, such as manufacturing, financial, and tech.
The amount of data sought depends on the target, he adds. If a company is storing healthcare information or voter records, the attacker is looking for data in bulk. If the attacker is targeting a media company, he may only want prereleased content or something more specific. Because data can be extracted by copying and pasting or snapping a screenshot, it’s hard to detect theft.
One reason the lateral movement in this scenario was hard to detect was because most security monitoring techniques assume an attacker will want to dive deep into the host and escalate privileges. In this case, the actors were trying to move off the host layer and back into the AWS control plane, which most blue teams aren’t on the lookout for.
AWS “is just as critical as underlying servers,” Bisbee says. “You need to be monitoring all aspects of your environment.”
Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio