Data protection and migration, cost efficiencies, and improved performance are just a few incentives driving many organizations to move their operations to the cloud. The remote working conditions resulting from the COVID-19 pandemic are accelerating this move across all industries. Criminals, in turn, are targeting organizations lacking the appropriate cloud security measures while also using the cloud to facilitate their own nefarious enterprises to become more agile, anonymous, or scalable.

This blog draws on threat intelligence from underground forums and marketplaces to look at some of the primary attack vectors used by threat actors targeting cloud environments, and provides mitigation recommendations that organisations can implement to help protect their cloud assets.

Attack vectors

Login credential theft and account takeover

To gain access to corporate network environments hosted in the cloud, threat actors are targeting login credentials in the same way they steal other credentials—using social engineering, phishing, smishing, social media scams, and various types of malware, such as information stealers. The actors use the stolen credentials, sell or auction them to other actors on specialist marketplaces, or give them away freely to accrue forum reputation points. Credentials for any corporate platform have become especially attractive as the ecosystem between network access sellers and ransomware gangs began to prosper in 2020.

Using Accenture Cyber Threat Intelligence (ACTI) dark web monitoring capabilities, ACTI identified Russian Market as one popular dark web marketplace selling compromised cloud credentials. The marketplace has a “Stealer Logs” section containing “logs” (the set of credentials, cookies and browser data harvested from one infected machine) sorted by the malware used to steal them, the geographic location of the victim, and the list of affected domains. The vast majority of logs sold on Russian Market are stolen using the Vidar and Taurus stealers, with a smaller percentage from AZORult. Based on data from SixGill, ACTI ascertained that Russian Market members uploaded nearly 7,000 logs containing login data for at least one of the three biggest cloud service providers between 01 December 2020 and 31 January 2021.

ACTI searched the Russian Market site and quickly found one log dated 19 January 2021 for a victim based in Maryland, USA. The log contained login credentials for a variety of services; analysis of the URLs within it indicated that the victim likely worked for a local IT service management company. The same log held multiple sets of credentials, each with its associated session cookies, for the following sites:

  • “console.aws.amazon.com”
  • “account.activedirectory.windowsazure.com”
  • “accounts.google.com”
  • “remotedesktop.google.com”.

ACTI therefore assesses that any purchaser of this log with knowledge of how to evade fraud detection measures and of how to use these credentials could likely access the corporate cloud environment of the IT service management company.

The session cookies bundled with these logs let a buyer present an already-authenticated session to the cloud service instead of logging in afresh, so the victim's password and MFA prompts are never triggered. A 13 January 2021 CISA Alert describes incidents in which threat actors bypassed multi-factor authentication (MFA) using stolen cookies to compromise cloud service accounts. ACTI assesses that Russian Market, and several similar dark web marketplaces, offer actors a direct route into a corporation's cloud environment.
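
As an added illustration (not part of the original post), the check below shows how a defender can surface the cookie-replay pattern just described in their own sign-in and activity logs: group events by session, take the interactive login as the baseline, and flag any later activity on that session that arrives from a different network or a different client. The event records are constructed for the example, and the field names (session, ip, ua, event) are assumptions standing in for whatever the provider's log actually calls them.

```python
"""Flag console sessions whose later activity does not match the login that created them.

Added example. A replayed session cookie skips the password and MFA prompts, so the login
event itself looks legitimate; what changes is the network and client behind the requests
that reuse the session afterwards.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample events (not real logs). Field names are assumptions; CloudTrail, Azure AD
# sign-in logs and Google Workspace audit logs each carry equivalents of session, source IP and user agent.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
SAFARI = "Mozilla/5.0 (Macintosh) Safari/14.0"
SAMPLE_EVENTS = [
    {"time": "2021-01-19T09:00:00Z", "session": "sess-A", "user": "alice", "event": "ConsoleLogin", "ip": "203.0.113.10", "ua": CHROME},
    {"time": "2021-01-19T09:05:00Z", "session": "sess-A", "user": "alice", "event": "DescribeInstances", "ip": "203.0.113.10", "ua": CHROME},
    # same session, hours later, from a different network and a scripting client
    {"time": "2021-01-19T11:40:00Z", "session": "sess-A", "user": "alice", "event": "CreateAccessKey", "ip": "198.51.100.7", "ua": "python-requests/2.25.1"},
    {"time": "2021-01-19T10:00:00Z", "session": "sess-B", "user": "bob", "event": "ConsoleLogin", "ip": "203.0.113.22", "ua": SAFARI},
    {"time": "2021-01-19T10:03:00Z", "session": "sess-B", "user": "bob", "event": "ListBuckets", "ip": "203.0.113.23", "ua": SAFARI},
    # activity on a session for which no login was ever logged
    {"time": "2021-01-19T12:00:00Z", "session": "sess-C", "user": "carol", "event": "GetCallerIdentity", "ip": "192.0.2.9", "ua": "aws-cli/2.1.0"},
]


def _prefix(ip):
    """Compare at /24 granularity so NAT pools and DHCP churn inside one office do not alert."""
    return ip_network(f"{ip}/24", strict=False)


def find_session_anomalies(events):
    """Return {session_id: [reasons]} for sessions whose activity diverges from their login context."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 UTC strings sort chronologically
        reasons = []
        logins = [e for e in evs if e["event"] == "ConsoleLogin"]
        if logins:
            baseline = logins[0]
        else:
            # A cookie imported into another client produces activity with no login of its own;
            # it can also mean a log gap, so it is reported rather than silently accepted.
            reasons.append("activity on a session with no observed interactive login")
            baseline = evs[0]
        for e in evs:
            if e is baseline:
                continue
            if _prefix(e["ip"]) != _prefix(baseline["ip"]):
                reasons.append(f"source IP changed {baseline['ip']} -> {e['ip']} at {e['time']} ({e['event']})")
            if e["ua"] != baseline["ua"]:
                reasons.append(f"user agent changed to {e['ua']!r} at {e['time']} ({e['event']})")
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in find_session_anomalies(SAMPLE_EVENTS).items():
        print(sid)
        for r in reasons:
            print("  -", r)
```

Corporate VPN egress or a mobile carrier can legitimately change a user's address mid-session, which is why the comparison is at /24 rather than exact-IP granularity and why user-agent drift is reported as a separate reason; tune both to the environment before alerting on them. A session whose login came from a browser but whose later activity comes from a scripting client such as python-requests is the strongest of these signals.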

How to protect against account takeover

ACTI suggests organizations:

  • Secure networks from malware through best practices for patching, configuring firewalls, maintaining up-to-date antivirus signatures, running regular scans, retaining backups separate from the network, and using application allow lists.
  • Use MFA wherever possible for corporate network access, bearing in mind that a replayed session cookie never reaches the MFA prompt, so session lifetimes and anomalous activity on existing sessions still need attention.

Access key theft

Stolen access keys (access key IDs and their secret access keys) offer actors an alternative to login credentials when breaching corporate systems: a valid key pair authenticates API calls directly, with no interactive login and typically no MFA challenge. The high-profile August 2019 Imperva data breach was the result of a stolen API key to one of Imperva's AWS accounts. An attacker stole the key from an exposed internal server and then used it to steal data including email addresses, hashed and salted passwords, and API and TLS keys.

Several threat actors are discussing cloud service access keys on the deep and dark web:

  • On 29 September 2020 on reputable Russian-language forum XSS, actor pewpewpew requested API keys “for cloud hosting ucloud.cn, qcloud.com, AWS.”
  • On 31 August 2020, actor tabac published an in-depth article on reputable dark web forum XSS titled “How I hacked a $20 billion corporation with a free service.” The actor details how searching for .priv and .key files belonging to a large global travel company led to the discovery of the AWS secret token and private SSH key of a web application used by a start-up company previously acquired by the larger company. From there, the actor used open-source tools to perform reconnaissance, move laterally and escalate privileges, and eventually connect to the main production server as root using the private SSH key.
  • On 10 February 2021, a threat actor advertised access to “10,000+ companies” via stolen “AWS root keys”. The actor called upon ransomware groups to get in touch to discuss the sale, implying this would facilitate widespread ransomware infections.

Access keys are often accidentally exposed on services such as Pastebin or on software development platforms such as GitHub, where they are easy to find if the repository is public. They can also be stolen by malware on compromised devices. Keys may not provide the broader and longer-term access that user account credentials do, as keys tend to be rotated or discarded more regularly, but poor cyber hygiene makes key theft a persistent problem for cloud environments.
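
Because a committed key is findable by anyone who can read the repository, the scan that keeps keys out of source control has to run before the commit leaves the developer's machine. The scanner below is an added example, not code from the original post: it matches the 20-character AWS access key ID format (the AKIA prefix for long-term IAM user keys, ASIA for temporary STS keys) and 40-character secret keys that appear next to a secret-key hint, and it rejects low-entropy placeholder values. The sample config file is constructed; the key pair in it is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
"""Scan text for leaked AWS access keys before it reaches a repository or a paste site.

Added example. Matches the AWS access key ID format and secret keys that sit next to a
secret-key hint, and rejects low-entropy placeholders.
"""
import math
import re
from collections import Counter

# Access key IDs are 20 characters: a 4-character prefix (AKIA for long-term IAM user keys,
# ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys are 40 base64-like characters. On their own they look like any other token, so a
# nearby "secret key" hint is required (e.g. aws_secret_access_key = ..., "SecretAccessKey": "...").
SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_?access)?_?key[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample input. The key pair is the placeholder pair from AWS documentation.
SAMPLE_TEXT = """\
# constructed sample: a config file a developer might commit by mistake
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a git commit hash is also 40 characters, but it has no secret-key context
commit = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
# right length and context, but a placeholder with no entropy
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


def shannon_entropy(s):
    """Bits per character; a real 40-character secret scores around 4.5, a repeated character 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    """Keep enough of the value to locate it, never the whole credential, in scanner output."""
    return value[:4] + "..." + value[-4:]


def scan_for_aws_keys(text, min_secret_entropy=3.5):
    """Return findings as dicts with kind, 1-based line number and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append({"kind": "access_key_id", "line": lineno, "value": mask(m.group(1))})
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            # the entropy threshold is an assumption: high enough to drop placeholders, low
            # enough that any real base64-like secret passes
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append({"kind": "secret_access_key", "line": lineno, "value": mask(candidate)})
    return findings


if __name__ == "__main__":
    for f in scan_for_aws_keys(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run it over the staged diff in a pre-commit hook, or over paste-site and public-repository dumps for the monitoring side. The entropy threshold of 3.5 bits per character is an assumption chosen to pass real secrets (around 4.5 bits) and reject repeated-character placeholders; a 40-hex-character git commit hash has no secret-key context and so is never considered.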

How to protect against access key theft

ACTI suggests organizations:

  • Follow access key security best practices: rotate keys regularly, never embed keys in code, ensure keys are not committed to source code management systems (public GitHub repositories in particular), and delete keys that are no longer needed.
  • Where possible, use a managed secrets store such as AWS Secrets Manager or Azure Key Vault rather than distributing long-lived keys, and prefer short-lived, role-based credentials over static keys where the platform supports them.

Supply-chain compromise

In late December 2020, Microsoft published a blog post stating that the goal of the SolarWinds supply-chain compromise was to gain access to the victims' cloud resources. After gaining a foothold on the victims' on-premises networks, the attackers moved from on-premises access to cloud resources by abusing trust in federated authentication, particularly by forging Security Assertion Markup Language (SAML) tokens with a stolen token-signing certificate, and then accessed protected data. This highly organised and sophisticated approach shows the value these actors place on sensitive data stored in the cloud. The method, although not new, is likely to have piqued the interest of other threat actors who aim to target cloud environments.
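
One way to detect the federated-authentication abuse described above (an added example, not code from the original post or from Microsoft): a SAML assertion forged with a stolen token-signing certificate is accepted by the cloud service because its signature verifies, but the federation server never logged issuing it. Correlating the cloud provider's federated sign-ins against the identity provider's own token-issuance log, per user and within a short window, surfaces the sign-ins that have no issuance event behind them. The events are constructed and the field names are assumptions; the real sources are the federation server's issuance audit events and the cloud tenant's sign-in log.

```python
"""Correlate federated cloud sign-ins with the on-premises IdP's token-issuance log.

Added example. A forged ("golden") SAML assertion is accepted by the cloud service because its
signature verifies, but the federation server never issued it, so a federated sign-in with no
matching issuance event for that user shortly before it is a high-signal anomaly.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample events (not real logs). Field names are assumptions: the real sources are the
# federation server's token-issuance audit events and the cloud tenant's sign-in log.
IDP_ISSUANCE = [
    {"time": "2020-12-14T08:00:05Z", "user": "jsmith@example.com"},
    {"time": "2020-12-14T08:30:12Z", "user": "mlee@example.com"},
]
CLOUD_SIGNINS = [
    {"time": "2020-12-14T08:00:09Z", "user": "jsmith@example.com", "auth": "federated", "ip": "203.0.113.5"},
    {"time": "2020-12-14T08:30:15Z", "user": "mlee@example.com", "auth": "federated", "ip": "203.0.113.8"},
    # handled by the cloud IdP itself: no on-premises issuance is expected
    {"time": "2020-12-14T09:00:00Z", "user": "contractor@example.com", "auth": "password", "ip": "203.0.113.9"},
    # federated sign-in that the federation server never issued a token for
    {"time": "2020-12-14T21:17:44Z", "user": "svc-backup@example.com", "auth": "federated", "ip": "198.51.100.40"},
]


def find_unissued_federated_signins(signins, issuance, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
    """Return federated sign-ins with no IdP issuance for the same user within `window` before them.

    `skew` tolerates clock drift between the two log sources: an issuance may appear to
    post-date the sign-in it enabled by a few seconds.
    """
    issued_at = defaultdict(list)
    for ev in issuance:
        issued_at[ev["user"].lower()].append(_parse(ev["time"]))

    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue
        t = _parse(s["time"])
        if not any(-skew <= t - it <= window for it in issued_at.get(s["user"].lower(), [])):
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for s in find_unissued_federated_signins(CLOUD_SIGNINS, IDP_ISSUANCE):
        print(f"{s['time']} {s['user']} from {s['ip']}: federated sign-in with no matching IdP token issuance")
```

Correlate on user and time rather than on an assertion identifier, since the two logs rarely share one; allow a few seconds of clock skew in either direction, and expect gaps if the IdP audit log itself was tampered with, which is why the federation server's logs should be forwarded off-host as they are written. A password sign-in handled by the cloud IdP needs no on-premises issuance and is deliberately ignored.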

Ransomware gangs, in particular, are known to target sensitive data stored in the cloud for data theft and extortion. Many ransomware gangs had a very successful 2020, which has afforded them the time and resources to pursue supply-chain attacks rather than relying on compromised RDP or VPN sessions to breach their victims. Ransomware gangs have also targeted cloud service providers themselves as the supply chain: in May 2020 cloud service provider Blackbaud was breached. Threat actors stole data and deployed ransomware, affecting at least 125 Blackbaud clients in the US, UK, Netherlands, and Canada. Blackbaud paid the ransom and the criminals confirmed they would delete the stolen data. As of November 2020 there were 23 proposed consumer class action lawsuits in the US and Canada against Blackbaud. The widespread and long-lasting damage of attacks like Blackbaud and SolarWinds will only encourage advanced cyber-criminals to further target cloud service environments and providers.

How to protect against supply chain compromise

ACTI suggests organizations:

  • Implement multi-factor authentication to bolster user access control
  • Implement hardware-based authentication controls on critical assets
  • Implement zero-trust or similar hyper-segmentation controls to increase visibility across a network and block unauthorized users and devices; such controls include intrusion detection and prevention systems, firewalls, deep packet inspection, traffic analysis tools, and demilitarized zones.
  • Implement user and entity behavior analytics (UEBA) to understand and identify anomalous or suspicious login attempts by actors leveraging legitimate credentials.
  • Actively monitor external data sources and threat intelligence for indications that the organization's third-party supply chain partners have been compromised.

Vulnerabilities

Cloud service providers usually patch known vulnerabilities rapidly, without requiring customer interaction. However, where a cloud service leaves the customer responsible for managing the software, oversight can be challenging due to the complexity of cloud environments and the rapid rate of change of cloud technology. Security researchers have discovered and responsibly disclosed serious vulnerabilities affecting cloud services, for example:

Threat actors are keen to share and discuss such reports with a view to exploiting vulnerabilities before they are patched. Security researchers at Cisco Talos published an interview with a self-described LockBit ransomware operator, whom Talos assessed to be credible. The actor was quoted as saying about their victims: “We use white hat research against them. As soon as a CVE is published, we take advantage of it because it takes a long time for people to patch”.

In June 2020, ACTI observed a threat actor publishing a remote code execution (RCE) exploit for CVE-2020-3956 on a Russian-language dark web forum. This vulnerability affected VMware Cloud Director and, if exploited, could enable a full takeover of the underlying cloud infrastructure. The code was copied from the GitHub page associated with an article published by cyber security company Citadelo on 1 June 2020 titled “FULL INFRASTRUCTURE TAKEOVER OF VMWARE CLOUD DIRECTOR (CVE-2020-3956)”. There are many other examples of threat actors actively seeking out and sharing white hat research on cloud environment vulnerabilities in order to exploit them. One actor in particular shared the following articles on the dark web forum XSS in September 2020:

  • 21 September 2020: “Attack on the Clouds. A Guide to Hacking Applications in Azure and AWS”
  • 25 September 2020: “Escalating Privileges in AWS Elastic Kubernetes Service (EKS) by Compromising the Role of a Worker Node Instance”
  • 27 September 2020: “Capturing AWS Metadata Service Using SSRF”
  • 29 September 2020: “From Azure AD to Active Directory (via Azure)”

Despite warnings in some articles stating they are “for educational purposes only,” it is highly likely that threat actors—especially on forums populated with technically skilled and well-resourced members such as XSS—are using these techniques for nefarious purposes.

How to protect against vulnerabilities

ACTI suggests organizations:

  • Prioritize regular scanning for known vulnerabilities and patching to the latest software version.
  • Maintain an up-to-date inventory of assets to ensure visibility of all endpoints that require patching.
  • Ensure a consistent approach to patching across hybrid cloud environments.

Misconfiguration

Misconfigured cloud infrastructure can expose data or resources to the public Internet, and failure to implement encryption or MFA can give actors access to cloud-related tools, data, assets, or systems. According to the 2020 Verizon Data Breach Investigations Report, attacks resulting from misconfigurations in general (not only in the cloud) have been increasing since 2017. An assortment of free tools available on sites such as GitHub (for example AWS Recon Tool, CloudScraper and S3 Bucket Tester), services like Shodan, or simply Google dorks, not to mention the range of bespoke hacking tools sold on the dark web, make it easy to scan the Internet for misconfigured systems.

Stories of data breaches resulting from misconfigured cloud environments regularly appear in the media. ACTI has observed further examples of threat actors advertising data for sale on dark web marketplaces and specifying that the data was obtained from unprotected cloud environments. One such example is the prolific compromised data trader ShinyHunters, who in January 2021 released stolen data from a number of new victim organisations, specifying for one that access was gained through an unsecured AWS S3 bucket. ShinyHunters is known to favour this method. In January 2021 another actor posted on the dark web data breach forum RaidForums an offer to sell the data of over 3 million users of a well-known car dealership website, also taken from an S3 bucket.
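
A quick offline check for the bucket exposures ShinyHunters and others profit from, added here as an example rather than code from the original post: given a bucket policy, its ACL grants and its Block Public Access settings (the three documents the S3 API calls get-bucket-policy, get-bucket-acl and get-public-access-block return), report every grant that reaches everyone on the internet or every AWS account holder, and note whether Block Public Access neutralises it. The sample documents, bucket name and account ID are constructed.

```python
"""Offline check of an S3 bucket's policy, ACL and Block Public Access settings for public exposure.

Added example; the bucket documents below are constructed placeholders.
"""
import json

# Pre-defined S3 group grantees that make an ACL grant public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# Constructed sample: the classic open-bucket configuration plus one legitimate grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_exposures(policy):
    """Describe each Allow statement that grants to a wildcard principal."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        sid = st.get("Sid", "?")
        if st.get("Condition"):
            # some condition keys (source IP, VPC, org ID) make a wildcard grant non-public; others do not
            findings.append(f"{sid}: grants {actions} to everyone, limited only by Condition {json.dumps(st['Condition'])} (review)")
        else:
            findings.append(f"{sid}: grants {actions} to everyone with no Condition")
    return findings


def acl_exposures(grants):
    return [f"ACL grants {g.get('Permission')} to {PUBLIC_ACL_URIS[g['Grantee']['URI']]}"
            for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]


def assess_bucket(policy, acl_grants, public_access_block=None):
    """Return findings; 'effective' is False where Block Public Access neutralises the exposure."""
    pab = public_access_block or {}
    # RestrictPublicBuckets limits a public policy to the account and AWS service principals;
    # IgnorePublicAcls makes S3 ignore public ACLs. The two Block* settings only stop new public
    # grants being written, so they do not by themselves remove an existing exposure.
    findings = [{"source": "policy", "detail": d, "effective": not pab.get("RestrictPublicBuckets", False)}
                for d in policy_exposures(policy)]
    findings += [{"source": "acl", "detail": d, "effective": not pab.get("IgnorePublicAcls", False)}
                 for d in acl_exposures(acl_grants)]
    return findings


if __name__ == "__main__":
    for f in assess_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS, PAB_OFF):
        print(("OPEN     " if f["effective"] else "blocked  ") + f["detail"])
```

The statement conditioned on aws:SourceIp is reported for review rather than as a hard finding, because S3 itself treats a wildcard grant restricted by certain condition keys as non-public; the unconditioned GetObject grant and the AllUsers ACL are the classic open-bucket configuration. The same three-way split (policy, ACL, account- or bucket-level Block Public Access) is what a periodic configuration review should walk through for every bucket.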

Threat actors usually exploit cloud infrastructure misconfigurations for data theft, but also use them for cryptojacking. Mining cryptocurrency is expensive: it drives up compute and electricity bills and degrades hardware. A threat actor avoids those costs by using a victim's infrastructure, which becomes especially attractive when cryptocurrency prices are high. The threat actor group TeamTNT has been particularly active in this field, scanning the internet for misconfigured Docker platforms and harvesting AWS credentials from the systems it compromises in order to mine cryptocurrency on the victims' cloud infrastructure.

How to protect against misconfigurations

There are many ways to misconfigure a cloud environment, but the following suggestions address some of the most common mistakes:

  • Record changes made to resources, where the cloud vendor offers such logging, and identify the causes of misconfigurations; the same audit trail helps identify attacker activity.
  • Encrypt data at rest and in transit.
  • Ensure users have access only to the accounts and services they require, and control that access through permissions.
  • Test code and configurations before and after deployment to avoid configuration drift.
  • Perform regular security reviews of the cloud configurations used within your organization.

Insider threat

Cloud service providers are as susceptible to insider threats as any other organization, and the risk is a serious concern given the volume and sensitivity of the data processed and stored in the cloud. Although rare, actors occasionally attempt to recruit insiders for cybercrime operations. On 12 December 2020 on the Russian-language Exploit forum, a threat actor sought insiders at large companies and included “SaaS” (Software-as-a-Service) and “hosting” in the preferred list of company types. High-profile examples of malicious insiders causing widespread damage to their former employers have also been reported in the media: for example, in July 2019 a former Amazon employee was arrested on suspicion of downloading Capital One credit application data of over 100 million people from a rented cloud data server.

Insider threats can also occur due to untrained or neglectful cloud administrators; many of the misconfigurations described above most likely resulted from unintentional exposure of sensitive data or cloud resources.

How to protect against insider threat

ACTI suggests organizations:

  • Implement identity and access management (IAM) so that access to sensitive data can be attributed to specific employees for monitoring purposes, such as tracking how data is being used and where it is being transferred. Tools are available to log users off remotely, or to lock and reset sessions while alerting administrators to potential breaches.
  • Apply the principle of least privilege to user accounts and data access: for example, issue one-time or time-limited credentials to users who do not need standing access to sensitive data, review permissions regularly, and revoke departed employees' access immediately.
  • Provide frequent employee training to prevent malicious insider threats; topics should include data protection, phishing prevention, password policies and more.
  • Implement and enforce digital and physical security policies and procedures that help identify negligent employee actions so they are not repeated.

Conclusion

As companies continue to migrate their operations to the cloud, criminals will increasingly view the cloud as an attractive target for criminal and espionage operations. Proactive reconnaissance of the Dark Web can shine a light on many of these active threats, allowing organisations to get in front of a potential compromise. Implementing security programs specific to cloud protection and integrating threat intelligence feeds designed to provide indications and warnings of cyber threat activity is imperative to help ensure a secure cloud presence. Accenture’s Cloud First provides end-to-end cloud services aimed at helping clients achieve greater cloud value including introducing security at speed and scale to move cloud security from being a barrier to cloud adoption to being an asset in accelerating business operations.

 

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. The AWS Recon tool, CloudScraper, S3 Bucket tester, etc. tools are not an Accenture tool.  Accenture makes no representation that it has vetted or otherwise endorse these tools and Accenture disclaims any liability for their use, effectiveness or any disruption or loss arising from use of these tool

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved.

Paul Mansfield

Cyber Threat Intelligence Analyst
