Cloud Attacks in AWS and GCP from Compromised Credentials
Category: Cloud Security | Industry: Global | Level: Tactical | Source: Palo Alto Unit 42
Compromised credentials are one of the leading causes of security breaches in the cloud. Researchers from Palo Alto Unit 42 shared examples of attacks in Amazon Web Services (AWS) and Google Cloud Platform (GCP). Threat actors are capable of launching phishing attacks in AWS with compromised Lambda credentials and launching cryptomining from compromised Google Cloud app service accounts. Both attacks can be initiated very quickly, with threat actors accomplishing the bulk of their objectives in a little over an hour. Steps taken in the attacks include enumerating the environment, tampering with identity and access management (IAM) configurations by adding new accounts, modifying firewall rules, and deploying new cloud instances.
Unit 42 stresses the need to secure cloud environments as "A growing trend of attacks specifically targets cloud compute services to steal associated credentials and illicitly gain access to cloud infrastructure. These attacks could cost targeted organizations both in terms of unexpected charges for extra cloud resources added by the threat actor, as well as time required to remediate the damage." Monitoring the cloud environment is crucial to discover threat activity not only during initial access but also during post-exploitation. Sequences of suspicious behavior should be investigated to identify signs of misuse of cloud resources.
- AWS Enumeration and Backdoor User Creation
- GCP Cloud App Manipulation Leads to Cryptomining
Anvilogic Use Cases:
- AWS Account Discovery
- AWS Backdoor User Creation
- GCP: Many Compute Instances created
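The "sequences of suspicious behavior" the summary calls for, and the AWS Backdoor User Creation use case, can be expressed as a simple correlation over CloudTrail: the same principal performs IAM/STS enumeration and then creates a user or access key within the roughly one-hour window the report describes. The following is an added example written for this page, not code from Unit 42 or Anvilogic; the ARNs, timestamps and the discovery/persistence call lists are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IAM/STS calls treated as enumeration and as backdoor-user persistence (assumed lists)
DISCOVERY = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListAccessKeys", "GetAccountSummary"}
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
WINDOW = timedelta(minutes=60)  # the report describes the chain completing in about an hour

def ev(time, name, arn):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn}}

# Hypothetical principals; the account id and names are placeholders
LAMBDA = "arn:aws:sts::111122223333:assumed-role/lambda-exec/my-function"
ADMIN = "arn:aws:iam::111122223333:user/alice"
AUDIT = "arn:aws:iam::111122223333:role/auditor"
OPS = "arn:aws:iam::111122223333:user/ops-bot"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ev("2023-05-01T10:00:05Z", "GetCallerIdentity", LAMBDA),
    ev("2023-05-01T10:01:10Z", "ListUsers", LAMBDA),
    ev("2023-05-01T10:03:40Z", "CreateUser", LAMBDA),       # enumeration then a new user: suspicious
    ev("2023-05-01T10:04:02Z", "CreateAccessKey", LAMBDA),  # followed by a key for it
    ev("2023-05-01T11:00:00Z", "CreateUser", ADMIN),        # onboarding with no prior discovery
    ev("2023-05-01T12:00:00Z", "ListUsers", AUDIT),         # read-only audit, nothing created
    ev("2023-05-01T09:00:00Z", "ListUsers", OPS),
    ev("2023-05-01T10:30:00Z", "CreateUser", OPS),          # 90 minutes apart: outside the window
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_backdoor_sequences(events, window=WINDOW):
    """Return (principal_arn, discovery_call, persistence_call) for every persistence
    call a principal made within `window` of its most recent discovery call."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    hits = []
    for arn, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))  # CloudTrail delivery is not ordered
        last_discovery = None
        for e in evs:
            if e["eventName"] in DISCOVERY:
                last_discovery = e
            elif e["eventName"] in PERSISTENCE and last_discovery is not None:
                gap = parse_time(e["eventTime"]) - parse_time(last_discovery["eventTime"])
                if gap <= window:
                    hits.append((arn, last_discovery["eventName"], e["eventName"]))
    return hits
```

Run against the constructed events, only the Lambda role's CreateUser and CreateAccessKey are flagged; the administrator's unrelated CreateUser, the read-only audit, and the out-of-window pair are not.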