Cloudy with a chance of mischief: How cybercriminals are accessing cloud resources
March 10, 2021
Data protection and migration, cost efficiencies, and improved performance are just a few of the incentives driving organizations to move their operations to the cloud, and the remote working conditions brought on by the COVID-19 pandemic are accelerating that move across all industries. Criminals, in turn, are targeting organizations that lack appropriate cloud security measures while also using the cloud to make their own operations more agile, anonymous, or scalable.
This blog draws on threat intelligence from underground forums and marketplaces to look at some of the primary attack vectors used by threat actors targeting cloud environments, and provides mitigation recommendations that organizations can implement to help protect their cloud assets.
To gain access to corporate network environments hosted in the cloud, threat actors are targeting login credentials in the same way they steal other credentials—using social engineering, phishing, smishing, social media scams, and various types of malware, such as information stealers. The actors use the stolen credentials, sell or auction them to other actors on specialist marketplaces, or give them away freely to accrue forum reputation points. Credentials for any corporate platform have become especially attractive as the ecosystem between network access sellers and ransomware gangs began to prosper in 2020.
Using Accenture Cyber Threat Intelligence (ACTI) dark web monitoring capabilities, ACTI identified Russian Market as one popular dark web marketplace selling compromised cloud credentials. The marketplace has a "Stealer Logs" section containing "logs" (bundles of login credentials, together with the associated browser cookies, harvested from a single infected machine), sorted by the malware used to steal them, the geographic location of the victim, and the list of affected domains. The vast majority of logs sold on Russian Market are stolen using the Vidar and Taurus stealers, with a smaller percentage from AZORult. Based on data from Sixgill, ACTI ascertained that Russian Market members uploaded nearly 7,000 logs containing login data for at least one of the three biggest cloud service providers between 1 December 2020 and 31 January 2021.
ACTI searched the Russian Market site and quickly found one log, dated 19 January 2021, for a victim based in Maryland, USA. The log contained login credentials for a variety of services; analysis of the URLs in the log indicated that the victim likely worked for a local IT service management company. The same log held multiple sets of credentials, each with its cookies, for the following sites:
ACTI therefore assesses that any purchaser of this log with knowledge of how to evade fraud detection measures and of how to use these credentials could likely access the corporate cloud environment of the IT service management company.
The cookie that accompanies each credential set lets the buyer replay the victim's already-authenticated session rather than logging in afresh, which is why a stolen cookie can carry an attacker past a login that would otherwise require a second factor. A 13 January 2021 CISA alert describes incidents in which threat actors bypassed multi-factor authentication (MFA) using stolen cookies to compromise cloud service accounts. ACTI assesses that Russian Market, and several similar dark web marketplaces, offer actors a way into a corporation's cloud environment.
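One way to catch the cookie replay described above is to tie every session cookie back to the client that completed MFA and alert when the same cookie turns up from a different client, or when a cookie is in use that never passed through an MFA-backed login at all. The following is an added example written for this post, not code from ACTI or from any vendor; the log format, the user names, the session hashes and the IP addresses are all constructed for the demonstration.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO

# Constructed sample of a cloud-service access log (not real data). Columns:
# timestamp, user, SHA-256 prefix of the session cookie, source IP, client user agent, event.
# event is "mfa_ok" for an interactive login that completed MFA and "request" for any later
# use of the same cookie.
SAMPLE_LOG = """\
2021-01-19T08:02:11Z,jdoe,9a3f1c,198.51.100.23,Windows NT 10.0 Chrome/87,mfa_ok
2021-01-19T08:05:40Z,jdoe,9a3f1c,198.51.100.23,Windows NT 10.0 Chrome/87,request
2021-01-19T09:10:00Z,rlee,c0ffee,192.0.2.44,Windows NT 10.0 Edge/88,mfa_ok
2021-01-19T09:12:30Z,rlee,c0ffee,192.0.2.44,Windows NT 10.0 Edge/88,request
2021-01-19T13:47:02Z,jdoe,9a3f1c,203.0.113.77,Linux x86_64 Firefox/84,request
2021-01-19T13:48:15Z,asmith,77be02,192.0.2.9,Macintosh Safari/14,request
"""


@dataclass
class Session:
    user: str
    origin: tuple          # (source IP, user agent) of the client that passed MFA
    established: datetime


def _parse(row):
    ts, user, sid, ip, ua, event = row
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, sid, ip, ua, event


def find_cookie_replay(log_text):
    """Return (session_id, user, reason) for every request that looks like a replayed cookie.

    Two conditions are flagged: a cookie used from a client fingerprint other than the one
    that completed MFA, and a cookie for which no MFA-backed login exists at all (a session
    that never came through the front door but arrived fully authenticated).
    """
    rows = sorted((_parse(r) for r in csv.reader(StringIO(log_text)) if r),
                  key=lambda t: t[0])
    sessions = {}
    findings = []
    for when, user, sid, ip, ua, event in rows:
        if event == "mfa_ok":
            sessions[sid] = Session(user, (ip, ua), when)
            continue
        sess = sessions.get(sid)
        if sess is None:
            findings.append((sid, user, "cookie used without any MFA-backed login on record"))
        elif (ip, ua) != sess.origin:
            # In production, tolerate IP drift inside the same network/ASN and weight the
            # user-agent change and geography; a stolen cookie rarely arrives from the
            # victim's own browser.
            findings.append((sid, user,
                             f"cookie issued to {sess.origin[0]} ({sess.origin[1]}) "
                             f"reused from {ip} ({ua})"))
    return findings


if __name__ == "__main__":
    for sid, user, reason in find_cookie_replay(SAMPLE_LOG):
        print(f"ALERT session={sid} user={user}: {reason}")
```

Run against the sample, the script raises two alerts: jdoe's cookie, issued to a Windows/Chrome client in the morning, reappears from a Linux/Firefox client at a different address in the afternoon, and asmith's cookie is in use although no MFA login for it was ever recorded. The second pattern is the one the CISA alert describes: the attacker never authenticates, so the only trace is a session that exists without an origin.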
How to protect against account takeover
ACTI suggests organizations:
Stolen access keys (an access key ID together with its secret access key) offer actors an alternative to login credentials when breaching corporate systems: a valid key pair authenticates programmatic API calls directly, with no interactive login. The high-profile August 2019 Imperva data breach was the result of a stolen API key for one of Imperva's AWS accounts. The attacker took the key from an exposed internal server and then used it to steal data including email addresses, hashed and salted passwords, and API and TLS keys.
Several threat actors are discussing cloud service access keys on the deep and dark web:
Access keys are often accidentally exposed on paste sites such as Pastebin or on software development platforms such as GitHub, where they are easy to find whenever the repository is public. They can also be stolen by malware running on compromised devices. Keys may not provide the broad, long-term access that user account credentials do, since they tend to be rotated or discarded more regularly, but poor cyber hygiene makes key theft a persistent problem for cloud environments.
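The accidental-exposure problem above is usually caught by scanning commits and pastes for the shape of an AWS key pair before they become public. The scanner below is an added example for this post, not an Accenture or AWS tool; the sample file is constructed and uses the placeholder key pair from the AWS documentation rather than live credentials. It reports access key IDs wherever they appear, but reports a secret-key candidate only when it sits close to a key ID, because the 40-character secret pattern on its own matches git commit hashes and other base64 blobs far too often to be actionable.

```python
import re
from dataclasses import dataclass

# Long-lived IAM user keys start with AKIA and temporary STS keys with ASIA; both are 20
# uppercase alphanumeric characters. Secret access keys are 40 characters of the base64 alphabet.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

# Constructed sample file. The credentials are the documented AWS example pair, not live keys;
# the commit hash is there to show a 40-character string that must not be flagged.
SAMPLE_FILE = """\
# deploy.env
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# pinned build: commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""


@dataclass
class Finding:
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    masked: str    # never write the full value to a log or a ticket


def mask(value):
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_for_aws_keys(text, window=3):
    """Report AWS access key IDs anywhere in text, and secret-key candidates only when they
    sit within `window` lines of a key ID (a leaked pair is what makes the finding credible)."""
    lines = text.splitlines()
    findings, id_lines = [], []
    for no, line in enumerate(lines, 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(no, "access_key_id", mask(m.group(1))))
            id_lines.append(no)
    for no, line in enumerate(lines, 1):
        for m in SECRET_KEY.finditer(line):
            candidate = m.group(1)
            if all(c in "0123456789abcdef" for c in candidate):
                continue  # 40 lowercase hex characters is almost always a git commit hash
            if any(abs(no - id_no) <= window for id_no in id_lines):
                findings.append(Finding(no, "secret_access_key", mask(candidate)))
    findings.sort(key=lambda f: f.line_no)
    return findings


if __name__ == "__main__":
    for f in scan_for_aws_keys(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

The check belongs in a pre-commit hook or a CI step on the diff, not only in a periodic sweep of the repository: once a key has been pushed to a public repository it should be treated as compromised and rotated regardless of how quickly the commit is removed, since automated scrapers watch the public commit stream.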
How to protect against access key theft
ACTI suggests organizations:
In late December 2020, Microsoft published a blog asserting that the goal of the SolarWinds supply-chain compromise was to reach the victims' cloud resources. Having gained access to the victims' on-premises networks, the attackers moved to cloud resources by abusing trust in federated authentication environments, in particular the Security Assertion Markup Language (SAML) tokens that federation relies on, and then accessed protected data. This highly organized and sophisticated approach shows the value these actors place on sensitive data stored in the cloud. The method is not new, but it is likely to have piqued the interest of other threat actors who aim to target cloud environments.
Ransomware gangs in particular are known to target sensitive data stored in the cloud for theft and extortion. Many ransomware gangs had a very successful 2020, which afforded them the time and resources to breach victims through supply-chain attacks rather than through compromised RDP or VPN sessions. Ransomware gangs have also targeted cloud service providers themselves in supply-chain attacks: in May 2020 the cloud service provider Blackbaud was breached. The threat actors stole data and deployed ransomware, affecting at least 125 Blackbaud clients in the US, UK, Netherlands, and Canada. Blackbaud paid the ransom and the criminals said they would delete the stolen data. As of November 2020 there were 23 proposed consumer class action lawsuits against Blackbaud in the US and Canada. The widespread and long-lasting damage of attacks like Blackbaud and SolarWinds will only encourage advanced cyber-criminals to further target cloud service environments and providers.
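A SAML token that validates cryptographically is not by itself proof that the identity provider issued it: if the token-signing key has been stolen or a second signing certificate has been added, the signature checks out. The example below is added for this post and is not Microsoft's or ACTI's code. It assumes the XML signature has already been verified by a proper SAML library and then applies the policy checks a relying party can add on top: the issuer must be on an allowlist, the signing certificate must match a pinned fingerprint of the IdP's known token-signing certificate, the audience must be this service, and the validity window must be both current and no longer than policy allows. The federation endpoint, certificates and timestamps are all constructed for the demonstration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed fixtures: hypothetical federation endpoint, not real certificates.
TRUSTED_ISSUERS = {"http://adfs.example.com/adfs/services/trust"}
AUDIENCE = "urn:federation:MicrosoftOnline"
GOOD_CERT = base64.b64encode(b"constructed IdP token-signing certificate, not real DER").decode()
ROGUE_CERT = base64.b64encode(b"constructed certificate controlled by the attacker").decode()
NOW = datetime(2021, 1, 19, 13, 45, tzinfo=timezone.utc)


def cert_fingerprint(b64_der):
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


PINNED_CERTS = {cert_fingerprint(GOOD_CERT)}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(cert_b64, not_before, not_on_or_after, audience=AUDIENCE):
    """Minimal SAML 2.0 assertion skeleton for the demo (signature element present, not real)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_demo" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text, *, trusted_issuers, pinned_certs, expected_audience, now,
                    max_lifetime=timedelta(hours=1)):
    """Return policy violations for an assertion whose XML signature has ALREADY been verified.
    A valid signature proves only that someone holding a signing key made the token; these
    checks catch tokens made with a stolen or substituted key and the abnormal lifetimes that
    forged tokens tend to carry."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None:
        problems.append("no signing certificate in KeyInfo")
    elif cert_fingerprint(cert) not in pinned_certs:
        problems.append("signing certificate is not the pinned IdP token-signing certificate")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        problems.append("assertion used outside its validity window")
    if not_after - not_before > max_lifetime:
        problems.append(f"validity window {not_after - not_before} exceeds policy {max_lifetime}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    return problems


def demo():
    """A legitimate 10-minute token versus a 24-hour token signed with a non-pinned certificate."""
    kw = dict(trusted_issuers=TRUSTED_ISSUERS, pinned_certs=PINNED_CERTS,
              expected_audience=AUDIENCE, now=NOW)
    good = check_assertion(build_assertion(GOOD_CERT, "2021-01-19T13:40:00Z", "2021-01-19T13:50:00Z"), **kw)
    forged = check_assertion(build_assertion(ROGUE_CERT, "2021-01-19T13:40:00Z", "2021-01-20T13:40:00Z"), **kw)
    return good, forged


if __name__ == "__main__":
    for label, problems in zip(("legitimate", "forged"), demo()):
        print(label, "->", problems or "ok")
```

Pinning alone does not help when the legitimate signing key itself has been stolen, which is why the lifetime and audience checks matter and why the relying party's token log should be reconciled against the federation server's issuance log: a token the IdP never recorded issuing is the strongest signal of forgery.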
How to protect against supply chain compromise
ACTI suggests organizations:
Cloud service providers usually patch known vulnerabilities rapidly and without requiring customer action. When a cloud service leaves the customer responsible for managing software, however, oversight can be challenging because of the complexity of cloud environments and the rapid rate of change in cloud technology. Security researchers have discovered and responsibly disclosed serious vulnerabilities affecting cloud services, for example:
Threat actors are keen to share and discuss such reports with a view to exploiting unpatched vulnerabilities. Security researchers at Cisco Talos published an interview with a self-described LockBit ransomware operator, whom Cisco assessed to be credible. The actor was quoted as saying of their victims: "We use white hat research against them. As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch".
In June 2020, ACTI observed a threat actor publishing a remote code execution (RCE) exploit for CVE-2020-3956 on a Russian-language dark web forum. The vulnerability affected VMware Cloud Director and, if exploited, could enable a full takeover of the cloud infrastructure. The code had been copied from the GitHub repository accompanying an article published by cyber security company Citadelo on 1 June 2020 titled "FULL INFRASTRUCTURE TAKEOVER OF VMWARE CLOUD DIRECTOR (CVE-2020-3956)". There are many other examples of threat actors actively seeking out and sharing white hat research on cloud environment vulnerabilities in order to exploit them. One actor in particular shared the following articles on the dark web forum XSS in September 2020:
Despite warnings in some articles stating they are “for educational purposes only,” it is highly likely that threat actors—especially on forums populated with technically skilled and well-resourced members such as XSS—are using these techniques for nefarious purposes.
How to protect against vulnerabilities
ACTI suggests organizations:
Misconfigured cloud infrastructure can expose data or resources to the public internet, and failure to enforce encryption or MFA can give actors access to cloud-related tools, data, assets, or systems. According to the 2020 Verizon Data Breach Investigations Report, breaches resulting from misconfigurations in general, not only in the cloud, have been increasing since 2017. An assortment of free tools available on sites such as GitHub (for example AWS Recon Tool, CloudScraper, S3 Bucket Tester), services such as Shodan, or simply Google dorks, not to mention the bespoke hacking tools traded on the dark web, make it easy to scan the internet for misconfigured systems.
Stories of data breaches resulting from misconfigured cloud environments regularly appear in the media. ACTI has observed further examples of threat actors advertising data for sale on dark web marketplaces and stating that the data was obtained from unprotected cloud environments. One such example is the prolific compromised-data trader ShinyHunters, who in January 2021 released stolen data from a number of new victim organizations, specifying for one of them that access had been gained through an unsecured AWS S3 bucket; ShinyHunters is known to favor this method. Another actor posted on the dark web data breach forum RaidForums in January 2021 an offer to sell the data of over 3 million users of a well-known car dealership website, also taken from an S3 bucket.
Threat actors usually exploit cloud infrastructure misconfigurations for data theft, but they also use them for cryptojacking. Mining cryptocurrency is expensive: it drives up bandwidth and electricity bills and degrades hardware. A threat actor can avoid that investment by using a victim's infrastructure for free, which becomes especially attractive when cryptocurrency prices are high. The threat actor group "TeamTNT" has been particularly active in this field, scanning the internet for misconfigured Docker installations, harvesting AWS credentials from the hosts it compromises, and using the hijacked cloud infrastructure to mine cryptocurrency.
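The "unsecured S3 bucket" in the cases above is almost always a bucket policy that grants an Allow to the wildcard principal with no condition narrowing who can use it, combined with Block Public Access left switched off. The linter below is an added example for this post, not an Accenture or AWS tool; it evaluates a bucket policy document offline and lists every grant that anyone on the internet can exercise, and separately lists which of the four Block Public Access settings are off. The bucket name, account ID and VPC endpoint ID are constructed. It goes slightly beyond the text by treating a wildcard principal that is scoped by a source-VPC, source-IP or organization condition as not public, which is how AWS's own access analysis treats it.

```python
import json

# Condition keys that restrict *who* can call even when Principal is "*". A statement with one
# of these is scoped to a network, VPC endpoint or organization rather than open to the internet.
NARROWING_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalOrgID",
                  "aws:PrincipalAccount", "aws:PrincipalArn"}

# Constructed bucket policy (hypothetical bucket and account, not taken from any real incident).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::customer-exports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# The same intent with the public grant replaced by a specific IAM role.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExportReader", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_narrowing_condition(statement):
    for operator, keys in statement.get("Condition", {}).items():
        # Negated operators (StringNotEquals, NotIpAddress, ArnNotLike, ...) exclude a set;
        # they do not narrow a public grant to a scope, so they do not count.
        if "Not" in operator:
            continue
        if any(k in NARROWING_KEYS for k in keys):
            return True
    return False


def public_grants(policy_json):
    """Return (Sid, [actions]) for each Allow statement that anyone on the internet can use."""
    policy = json.loads(policy_json)
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if _has_narrowing_condition(stmt):
            continue
        grants.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return grants


def public_access_block_gaps(config):
    """List the S3 Block Public Access settings that are off; all four should be True on any
    bucket that is not deliberately serving a public website."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not config.get(name, False)]


if __name__ == "__main__":
    print("open policy:", public_grants(OPEN_POLICY))
    print("fixed policy:", public_grants(FIXED_POLICY))
    print("block-public-access gaps:",
          public_access_block_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

On the sample, only the PublicRead statement is reported; the VpcOnly statement is scoped to a VPC endpoint and the Deny statement is an enforcement of TLS, not a grant. Note that a bucket can also be public through object ACLs rather than its policy, which is exactly what the BlockPublicAcls and IgnorePublicAcls settings exist to neutralize, so the two checks should be read together.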
How to protect against misconfigurations
There are many ways to misconfigure a cloud environment, but the following suggestions address some of the most common mistakes:
Cloud service providers are like any other organization in their susceptibility to insider threats, and the concern is serious given the volume and sensitivity of the data processed and stored in the cloud. Although rare, actors occasionally try to recruit insiders for cybercrime operations: on 12 December 2020, on the Russian-language Exploit forum, a threat actor sought insiders at large companies and listed "SaaS" (Software-as-a-Service) and "hosting" among the preferred company types. High-profile cases of malicious insiders causing widespread damage to their former employers have also been reported in the media; in July 2019, for example, a former Amazon employee was arrested on suspicion of downloading Capital One credit application data on more than 100 million people from rented cloud storage.
Insider threats also arise from untrained or negligent cloud administrators; many of the misconfigurations described above most likely resulted from unintentional exposure of sensitive data or cloud resources.
How to protect against insider threat
ACTI suggests organizations:
As companies continue to migrate their operations to the cloud, criminals will increasingly view the cloud as an attractive target for criminal and espionage operations. Proactive reconnaissance of the dark web can shine a light on many of these active threats, allowing organizations to get in front of a potential compromise. Implementing security programs specific to cloud protection, and integrating threat intelligence feeds designed to provide indications and warnings of cyber threat activity, is imperative to help ensure a secure cloud presence. Accenture's Cloud First provides end-to-end cloud services aimed at helping clients achieve greater cloud value, including introducing security at speed and scale so that cloud security moves from being a barrier to cloud adoption to being an asset that accelerates business operations.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. The AWS Recon tool, CloudScraper, S3 Bucket Tester and similar tools are not Accenture tools. Accenture makes no representation that it has vetted or otherwise endorsed these tools and disclaims any liability for their use, effectiveness, or any disruption or loss arising from use of these tools.
This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.
Copyright © 2021 Accenture. All rights reserved.