Highlights from the Unit 42 Cloud Threat Report, 2H 2020

This post is also available in: 日本語 (Japanese)

Introduction

Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations.

During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer's entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization.

Key Findings

The following highlights dive into specific data points that reinforce the research and recommendations outlined in the report.

Unauthorized External Access

During a Red Team exercise, researchers successfully exploited the misconfigured IAM role trust policy “AssumeRole” to gain temporary access to sensitive resources. The Unit 42 team was able to accomplish this using an anonymous AWS account. It is key to point out that an AWS CloudTrail event is generated for each attempt to assume an AWS role. It is critical that organizations monitor their CloudTrail logs for AssumeRole events and ensure that only approved AWS accounts are performing these actions against the organization’s environment. The root cause that allowed this unauthenticated access was an overly permissive IAM role trust policy. The misconfigured policy allowed any AWS user who is not in the account to assume the role and obtain an access token. This could result in any number of attacks against an organization, including denial-of-service (DoS) and ransomware, or even open a door for an advanced persistent threat (APT) adversary.

Lateral Movement and Privileged Escalation

In the same Red Team exercise, Unit 42 researchers were able to successfully move laterally with non-administrator access by leveraging a misconfigured IAM role related to flow-log management. They then successfully escalated their privileges from a restricted developer account to gain persistence, accomplished by hijacking an administrator account. By leveraging this overly permissive IAM role related to flow-logs, Unit 42 researchers gained administrative access to the entire cloud environment, allowing for the unrestricted manipulation of cloud resources. They were then able to create new Amazon Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, as well as modify user and policy permissions. Attackers could use this technique to steal sensitive data, wipe out infrastructure, or lockdown an operation with ransomware.

JAPAC and EMEA Organizations Display Poor Cloud Identity Hygiene

Unit 42 researchers found that 75% of organizations in Japan and Asia-Pacific (JAPAC), as well as 74% of organizations in Europe, the Middle East and Africa (EMEA), are using Google Cloud to run workloads with admin privileges. By contrast, only 54% of organizations in the Americas run with the same type of privileges. It is a best practice to run workloads with the principle of least privilege – limiting permissions for users to the bare minimum they need. If an attacker is able to compromise a workload with admin privileges, the attacker would gain the same level of elevated access. This provides an easy path for attackers to use cloud resources to perform attacks, like cryptojacking operations, at the expense of the organization.

Many Organizations Experience Cryptojacking

In addition to the IAM research, the Unit 42 team provided an update to its ongoing examination of the overall security posture of cloud infrastructure around the world. Unit 42 research shows cryptojacking to affect at least 23% of organizations globally that maintain cloud infrastructure. The team found that cloud environments are being targeted by cybercrime groups focused on malicious cryptomining operations, which remain one of the highest-profile attacks against cloud infrastructure.

Three Distinct Goals to Empower Your Business

Protecting your cloud infrastructure from the exploitation of misconfigured IAM roles and policies can improve and strengthen the defense of cloud infrastructure. Methods gleaned from the Unit 42 Cloud Threat Report can help your organization stay secure in the cloud in three distinct ways:

• Provide situational awareness of the latest adversary tactics regarding targeting IAM roles and policies, which can lead to serious security incidents unique to the cloud.
• Empower DevOps and security teams to stay ahead of the threat curve and better protect their cloud environments.
• Instill the mindset that a secure cloud is only possible when organizations take meaningful steps to harden their IAM roles and policies.

Get the full Unit 42 Cloud Threat Report, 2H 2020 for more research and best practices to implement in your organization.

Additional Resources

• Unit 42 Cloud Threat Report: CSP Findings on Logging, Encryption and Exposed Services
• Unit 42 Cloud Threat Report: Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads
• Attend a Unit 42 Cloud Threat Report Briefing Session