Almost all cloud users, roles, services, and resources grant excessive permissions leaving organisations vulnerable to attack expansion in the event of compromise, a new report from Palo Alto’s Unit 42 has revealed.
The security vendor’s research discovered that misconfigured identity and access management (IAM) is opening the door to malicious actors that are targeting cloud infrastructure and credentials in attacks.
The findings indicate that when it comes to IAM in the cloud, organisations are struggling to put good governance in place. The report also identifies five attack groups that have been detected targeting cloud environments and reveals their attack methods.
99 per cent of cloud identifies are too permissive
In Identity and Access Management: The First Line of Defense, Unit 42 researchers analysed more than 680,000 identities across 18,000 cloud accounts and over 200 different organisations to understand their configurations and usage patterns.
It revealed that 99 per cent of the cloud users, roles, services, and resources granted “excessive permissions” that were left unused for 60 days. Adversaries who compromise these identities can leverage such permissions to move laterally or vertically and expand the attack radius, the report read.
Unit 42’s data showed that there were two times more unused or excessive permissions within built-in Content Security Policies (CSPs) compared to customer-created policies.
“Removing these permissions can significantly reduce the risk each cloud resource exposes and minimise the attack surface of the entire cloud environment.” However, cloud security is being hampered by poorly implemented IAM and credential management, the report stated.
Unit 42 said that misconfigurations are behind 65 per cent of detected cloud security incidents, while 53 per cent of analysed cloud accounts allowed weak password usage and 44 per cent allowed password reuse, the report read. What’s more, almost two-thirds (62 per cent) of organisations had cloud resources publicly exposed.
“Misconfigurations within the identity user, role, or group policies within a cloud platform can significantly increase the threat landscape of an organisation’s cloud architecture,” and these are vectors adversaries constantly seek to exploit, Unit 42 said.
“All the cloud threat actors that we identified attempted to harvest cloud credentials when compromising a server, container, or laptop. A leaked credential with excessive permissions could give attackers a key to the kingdom.”
Unit 42 identifies five attacks groups targeting cloud infrastructure
Unit 42 detected and identified five threat actors leveraging unique escalation techniques and collecting credentials to directly target cloud service platforms.
Of them, three performed container specific operations including permission discovery and container resource discovery, two performed container escape operations, and all five collected cloud service or container platform credentials as part of their operating procedures. They are:
TeamTNT: Considered the most sophisticated cloud threat actor in terms of cloud identity enumeration techniques, this group’s operations include lateral movement within Kubernetes clusters, establishment of IRC botnets, and the hijacking of compromised cloud workload resources to mine the Monero cryptocurrency.
WatchDog: While technically adept, this group is willing to sacrifice skill for easy access, Unit 42 said. It uses custom-built Go scripts as well as repurposed cryptojacking scripts from other groups (including TeamTNT) and are an opportunistic threat group that targets exposed cloud instances and applications.
Kinsing: Another opportunistic cloud threat actor with heavy potential for cloud credential collection, this group targets exposed Docker Daemon APIs using GoLang based malicious processes running on Ubuntu containers and has begun to expand their operations outside of Docker containers, specifically targeting container and cloud credential files contained on compromised cloud workloads.
Rocke: An “old-timer” group ramping up cloud endpoint enumeration techniques, Rocke specialises in ransomware and cryptojacking operations within cloud environments and is known for using the computing power of compromised Linux-based systems, typically hosted within cloud infrastructure.
8220: Rocke’s cousin, this group is adopting containers into its target set. Tools commonly employed during their operations are PwnRig or DBUsed, which are customised variants of the XMRig Monero mining software. The group is believed to have originated from a GitHub fork of the Rocke group’s software.