Cloud credentials, an old problem resurfaces




     Credential theft and abuse have long been a problem for local network administrators. The threat ranges from pretexting scams to insiders who abuse network privileges to grant themselves higher permissions than they were assigned. At the RSA Conference, CyberArk researchers Asaf Hecht and Lavi Lazarovitz outlined a new attack surface for this age-old problem: the cloud.

     In a session on Thursday the researchers walked through a dozen scenarios in which an insider can silently persist in a cloud platform and escalate privileges to alter or access protected company data. Cloud shadow administrators undermine the security of the cloud infrastructure, let malicious code persist silently within it, and can be used to compromise the entire cloud environment. The method mirrors shadow administrators in traditional network environments: accounts with sensitive privileges that are typically overlooked because they are not members of the highly privileged Active Directory groups. Instead, shadow administrator accounts receive their privileges through permissions assigned directly via access control lists on AD objects.

     The same risk now exists in cloud infrastructure, whether by accident or through the malicious intent of a rogue user. When an organization migrates to the cloud, new cloud users are created or federated and assigned specific permissions to perform specific tasks, and that is when a user can be given more privileges than intended and become a cloud shadow administrator. Such a user can start a new machine, connect to it and assign the machine permissions, then use those permissions to shut down cloud instances, steal data from databases or run crypto-mining code. These accounts are very difficult to spot, especially when there are thousands of entities (users, machines and services), each with its own combination of permissions.




     In one scenario a cloud shadow administrator with malicious intent terminates Amazon Elastic Compute Cloud (EC2) instances running within a targeted company. The attacker starts by compromising the computer of a low-level Dev-Ops user with limited permissions. Those limited credentials cannot delete EC2 instances, since terminating an instance requires privileged credentials, so the attacker first has to escalate the Dev-Ops user's privileges. This takes several steps. First, the attacker uses the limited access to list the instance-profile names in the company's account. One of them is AdminRole, which implies a privileged AWS role; the goal is to obtain AdminRole's credentials and use them to terminate the instances. To get there, the attacker uses the Dev-Ops user's permission to create an EC2 key pair, which is the SSH credential for any instance launched with it (it does not by itself open existing instances), together with the permission to launch a new EC2 instance, attaching the AdminRole instance profile to it (the "assign the machine permissions" step described above). The attacker then connects to the newly launched instance with that key pair, using an SSH client such as PuTTY, and reads AdminRole's temporary credentials from the instance metadata service, which hands an instance's attached role credentials to anything running on it. With AdminRole's credentials in hand, the attacker can terminate the instances the Dev-Ops user could not.

     To find shadow administrators in Active Directory, use a scanning tool such as ACLight. You can run the scan from any standard, non-privileged account, since the tool only reads ACLs from AD; make sure whatever scanner you use does not modify anything. Next, investigate the discovered accounts and act on each one: check that the privileged accounts are not part of an on-going attack, check that each account is legitimate, and check that legitimate accounts really need the permissions assigned to them. Separate personal user accounts from administrative accounts. Finally, use long, complex passwords, store them in a secure location and rotate them often. The same review applies in the cloud, where ACLight does not reach: enumerate which users, machines and services hold the sensitive permission combinations described above, because those combinations, not group membership, are what make a cloud shadow administrator.
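The permission combination that makes the Dev-Ops user in the scenario above a cloud shadow administrator, and the cloud-side review suggested here, can be checked offline against IAM policy documents. The following Python is an added example written for this page, not CyberArk's ACLight or any AWS tooling: it evaluates constructed sample policies (no AWS calls) and reports which principals hold the whole chain of listing instance profiles, creating a key pair, launching an instance and passing a role to it. The principal names, policy documents and the account ID 123456789012 are made up; iam:PassRole is the real AWS permission required to attach a role to a new instance.

```python
"""Offline check for the cloud shadow admin permission chain (added example).

Hypothetical audit helper written for this article; it is not CyberArk's ACLight
and makes no AWS calls. Feed it IAM policy documents per principal and it reports
who can complete the EC2 takeover chain described in the text.
"""
import fnmatch

# The chain from the scenario: list instance profiles, create a key pair, launch
# an instance, and pass a privileged role to it. iam:PassRole is the AWS permission
# that lets a principal attach a role/instance profile to a new instance; it is the
# link that turns a "builder" into an admin.
SHADOW_ADMIN_CHAIN = (
    "iam:ListInstanceProfiles",
    "ec2:CreateKeyPair",
    "ec2:RunInstances",
    "iam:PassRole",
)


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """True if `policy` allows `action`; an explicit Deny anywhere overrides Allow.

    Resource and Condition are deliberately ignored: a Resource of 'role/*' still
    lets the attacker pass AdminRole, and Conditions need request context that is
    not available offline, so this reports the worst case.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            matched = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            matched = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_links(policy, chain=SHADOW_ADMIN_CHAIN):
    """Chain permissions the policy does NOT grant; an empty tuple means full chain."""
    return tuple(a for a in chain if not is_allowed(policy, a))


# Constructed sample principals (not from a real account). Account ID is made up.
BUILDER_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:ListInstanceProfiles"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateKeyPair"], "Resource": "*"},
    ],
}
PASSROLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                   "Resource": "arn:aws:iam::123456789012:role/*"}],
}
NO_PASSROLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}],
}
SAMPLE_PRINCIPALS = {
    # Read-only auditor: can list, cannot build.
    "auditor": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*"], "Resource": "*"}]}],
    # The "limited" Dev-Ops user from the scenario: cannot terminate instances, but
    # the union of two harmless-looking policies completes the chain.
    "devops-builder": [BUILDER_DOC, PASSROLE_DOC],
    # Same builder rights with PassRole explicitly denied: the chain is broken.
    "devops-restricted": [BUILDER_DOC, PASSROLE_DOC, NO_PASSROLE_DOC],
}


def find_shadow_admins(principals=SAMPLE_PRINCIPALS, chain=SHADOW_ADMIN_CHAIN):
    """Map principal -> missing chain permissions across ALL of its policies.

    Policies are merged before evaluation so a Deny in one document still blocks
    an Allow in another, as AWS evaluates them.
    """
    report = {}
    for name, docs in principals.items():
        merged = {"Statement": [s for d in docs for s in _as_list(d.get("Statement"))]}
        report[name] = missing_links(merged, chain)
    return report


if __name__ == "__main__":
    for name, missing in find_shadow_admins().items():
        verdict = "SHADOW ADMIN" if not missing else "ok, missing " + ", ".join(missing)
        print(f"{name:18s} {verdict}")
```

To run this against a real account, dump the policy documents with `aws iam get-account-authorization-details` and map each user's, group's and role's attached and inline policies into the same dict shape; the point of merging documents before evaluation is that the dangerous combination in the scenario is usually spread across several policies that each look harmless on their own.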