Adversaries Have Their Heads in Your Cloud

cloud adversary

The rapid proliferation of cloud technology has empowered organizations to meet complex challenges with innovative solutions. This flexibility, however, is the antithesis of security — each new cloud solution that an organization adopts expands their attack surface.

CrowdStrike Falcon® OverWatch™ is already uncovering interactive intrusions in which adversaries are deftly pivoting from traditional IT assets to applications, systems and/or data processed in the cloud. With the introduction of Falcon OverWatch Cloud Threat Hunting, hunters will be able to uncover hidden and advanced threats originating, operating and persisting in cloud environments. This introduces a much needed proactive security solution for the cloud, and affords organizations the freedom to expand into the cloud, backed by Falcon OverWatch’s unparalleled visibility into cloud environments to observe and disrupt the most sophisticated cloud threats.

Two of the following case studies are borrowed from the recently released Nowhere to Hide: 2022 Falcon OverWatch Threat Hunting Report. To read more about these intrusion attempts and the major themes OverWatch observed over the past year, download the full report.

Adversaries Are Weaponizing the Cloud

Experts from across CrowdStrike’s managed services and incident response offerings are uncovering increasing evidence of adversaries’ comfort operating in cloud environments. The selection of case studies that follow offer insight into how adversaries of all motivations are leveraging the cloud to fulfill their distinct missions. Notably, this intrusion activity spans different cloud providers, emphasizing the importance of comprehensive coverage and visibility across all environments.

Adversary Pivots from Traditional Endpoint to AWS Cloud Resources

In late 2021, OverWatch discovered an unknown PANDA (China-nexus) adversary operating on multiple Linux hosts in the environment of a gaming organization. As is common, the adversary’s initial activity was focused on exploring and understanding the victim’s environment. The adversary discovered that one of the compromised hosts had access to the victim organization’s Amazon Web Services (AWS) console environment. This discovery led the adversary to begin extensive discovery using the AWS command line interface and EC2 Instance Connect.

A Bit About Securing AWS 

The AWS command line interface was developed by Amazon to enable customers to automate the management of AWS services. Access to use the AWS command line interface requires that accounts be configured with an access key in identity and access management (IAM), and have a key ID and secret access key assigned to it. This is set in the user’s home directory in the .aws/credentials file.

This file is a simple text file and can be viewed by anyone with access to an account’s home directory. The ID and key are set as shown below:

To keep AWS services secure, it is critical to only grant AWS accounts the privileges they need and not grant overly permissive access. Anyone who accesses the account can steal this information for use on adversary infrastructure or can use it directly on a compromised host.

The adversary used the aws command to query for metadata on all EC2 instances in the environment, which included information about security groups, network configuration, and identifiers associated with each host. They also queried for the password security policy that had been configured in IAM for the victim’s AWS environment.

This intrusion clearly highlights how an adversary can use the tools and credentials available on an endpoint to begin their reconnaissance of the objects under the control of the AWS control panel and APIs. The adversary in this instance reviewed the contents of configuration files for AWS, Jenkins, Docker, Ansible and other applications used to manage and scale the cloud and container environments.

This telemetry has long been a part of OverWatch’s hunting leads. The launch of OverWatch’s cloud hunting capabilities extends the power of threat hunting to include control panel applications and APIs.

Adversary Abuses Ease of Use Configurations to Infiltrate Azure Cloud Infrastructure

In early 2022, the CrowdStrike Incident Response team was contacted by a victim organization who had discovered a compromise of their Microsoft 365 (M365) environment. The victim organization sought help to eradicate the adversary from their environment and understand how the intrusion took place.

The CrowdStrike investigation revealed that the adversary exploited an internet-facing service to access the environment. They then enumerated hosts and accounts associated with the management of the on-premises single sign-on (SSO) application. The adversary also explored members of Active Directory groups that had privileged access to the organization’s Azure tenant — specifically members and systems with elevated access within M365. Ultimately, this led to the discovery of on-premises domain accounts that also had the Global Administrator role assigned within the organization’s Azure tenant.

The organization had configured its SSO solution with Integrated Windows Authentication (IWA) that would allow a domain authenticated user to automatically access SSO-managed applications through an opened web browser without being prompted for re-authentication or multifactor authentication in select cases. By performing cookie theft of an established SSO session, the adversary was able to abuse this design to bypass configured conditional access policies that would normally prevent direct access from external IP addresses. They were also able to replay the session from their own infrastructure to gain access to the victim M365 environment.

Once the adversary gained access to the organization’s M365 environment, they modified existing content searches within Microsoft Purview (formerly known as Microsoft 365 Compliance) to perform discovery for data of interest. 

By default, accounts with global administrator roles are not provided with the necessary permissions to perform compliance related functions, such as creation of new eDiscovery content searches. However, users with global administrator roles are able to add any new roles to any accounts. In this case, the adversary added the account they leveraged to the eDiscovery administrator group. With the necessary access in place, they created and executed content searches for data of interest that included mailbox contents of executives within the organization. The adversary exported the search results directly from M365 to their own infrastructure, thus bypassing traditional method of exfiltration detection based on egress network telemetry as the data never directly traversed the victim organization’s network.

Finally, the adversary attempted to cover their tracks by removing created content searches from the Microsoft Purview console. This intrusion is another example of how proficient adversaries are in operating in hybrid environments to accomplish their objectives.

PANDA Explores Linux and Cloud Workload Following Exploit of CVE

In April 2022, OverWatch uncovered multiple intrusions exploiting the CVE-2022-29464 vulnerability that allowed unrestricted file upload and remote code execution. These campaigns were consistent with China-nexus targeted intrusion activity. In one particular intrusion against multiple Linux hosts at a technology organization, OverWatch uncovered the adversary exploring the victim organization’s cloud environment.

After gaining access to the environment, the adversary began by downloading a selection of tools. This included a network scanning utility, cryptojacking tools, and several webshells including the Godzilla webshell and other basic JSP webshells commonly available on Chinese-language GitHub repositories. The adversary timestomped the webshell files in a likely attempt to evade detection.

After conducting discovery of the host and network, the adversary used the Package Installer for Python (PIP) to install cloud discovery tooling for the enumeration of cloud credential stores and configurations. The adversary proceeded to inspect sensitive files in an attempt to access credentials.

In this intrusion the adversary was able to quickly and effectively pivot from navigating the victim’s Linux environment to exploring their cloud workloads for potentially valuable credentials and configurations demonstrating just how agile adversaries can be.

Address the Adversary Head-On with Falcon OverWatch Cloud Threat Hunting

Falcon OverWatch Cloud Threat Hunting provides a unique combination of people, process and technology to combat advanced and interactive threats in the cloud. OverWatch’s expert threat hunters apply the SEARCH methodology in combination with the massive scale and visibility of the CrowdStrike Security Cloud to continuously search, investigate and advise on sophisticated cloud threat activity. Armed with the industry’s only cloud-oriented indicators of attack (IOAs) and detailed adversary tradecraft, Falcon OverWatch Cloud Threat Hunting delivers unparalleled visibility into cloud environments to observe and disrupt the most sophisticated cloud threats.

Unearth Advanced Breaches in the Cloud

It is increasingly clear that adversaries are following the move to the cloud in pursuit of their objectives. In some cases adversaries come across victims’ cloud workloads by chance, but demonstrate aptitude in navigating victims’ cloud environments in pursuit of valuable data. The Falcon OverWatch Cloud Threat Hunting team hunts relentlessly 24/7 on your behalf to detect and disrupt the stealthiest and most sophisticated threats operating in cloud environments. Hunting across your critical cloud infrastructure — including AWS, Azure and Google Cloud Platform — OverWatch unearths every form of cloud threat from unique cloud attack paths with complex trails of cloud IOAs and indicators of misconfiguration (IOMs) to well-concealed adversary activity.

Hunt for Threats Everywhere, at All Times

The above intrusions illustrate that the cloud threat is not limited to just one provider. Adversaries are capable of navigating diverse operating systems and cloud workloads to achieve their objectives. As organizations build out a patchwork of different IT solutions to meet their business needs, it is crucial that they also expand the scope of their threat hunting to cover the entire attack surface end-to-end. Falcon OverWatch Cloud Threat Hunting can help uncover complex attack paths that first exploit traditional IT assets to gain initial entry and rapidly pivot to modern applications, systems and data processed in the cloud.

Gain Cloud Threat Hunting Expertise Without the Overhead

Expert threat hunters are hard to find and retain at any price point — especially threat hunting of new in-demand domains, like cloud. OverWatch has unparalleled global reach, visibility and scale enabled by CrowdStrike telemetry and advanced tooling. This gives OverWatch a front-row seat as cloud-based threats grow and evolve ensuring that hunters can stay ahead of the threat.

Additional Resources

Related Content