
How Adversaries Exploit Unmonitored Cloud Regions to Evade Detection

Introduction

The rapid evolution of Cloud Computing over the years has transformed traditional IT infrastructure by providing flexibility, affordability, and broader accessibility to various industries worldwide. This shift has enabled organizations to innovate, streamline operations, and deliver better services to their customers with increased efficiency and reliability.

One valuable feature that cloud service providers offer is geographic service regions, which let DevOps engineers, cloud architects, and cloud security engineers deploy resources and services close to their target audience. This global infrastructure reduces latency and improves the user experience by ensuring faster access to applications and data.

However, this extensive infrastructure comes with its challenges. While cloud providers offer a global network of data centers to enhance performance, ensure redundancy, and assist customers in meeting compliance requirements, some cloud customers may only use a subset of the available regions and neglect active monitoring of other regions. This oversight can lead to blind spots in security monitoring. If an adversary exploits these unused or less-monitored regions to create unauthorized resources, they could potentially operate undetected. This blog will explore how unused cloud regions can be abused, the tools that enable such exploits, and strategies to mitigate these risks.

Overview of the Technique

In this blog, we will explore how adversaries abuse unused or unsupported cloud regions to carry out malicious activities and evade detection. The discussion is framed by the MITRE ATT&CK Cloud Matrix for Enterprise, under the Defense Evasion (TA0005) tactic, with a primary focus on the Unused/Unsupported Cloud Regions (T1535) technique.

It is important to highlight that the MITRE ATT&CK framework is consistently updated to keep pace with the ever-changing cybersecurity threat landscape. Cyber defenders and organizations must routinely review the latest version to ensure they are utilizing the most current techniques and descriptions to build and maintain effective defense strategies.

[Image: MITRE ATT&CK overview of the Unused/Unsupported Cloud Regions (T1535) technique]

Real-world Applications

In the MITRE ATT&CK framework, Unused/Unsupported Cloud Regions (T1535) describes a technique in which adversaries deploy resources in cloud regions the victim does not normally use. Because those regions are often excluded from monitoring, and some advanced detection services may not be available there, malicious activity in them is less likely to be noticed.

The risks of unused cloud regions were further highlighted in the Medium article "The Danger of Unused AWS Regions," which explored how adversaries exploit unmonitored regions to deploy malicious resources. One prominent tactic involves using these regions to launch cryptojacking operations, where attackers create compute resources like virtual machines to mine cryptocurrency. Since unused regions are often overlooked during security audits or monitoring configurations, malicious activity in these regions can go undetected for extended periods, leading to substantial financial losses and compromised infrastructure.

This technique has been observed in real-world scenarios. In a threat research report by Unit 42 titled "Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments," researchers revealed that threat actors exploited multiple cloud regions to deploy malicious resources, effectively evading detection mechanisms that are typically focused on active regions. The report highlights the importance of disabling all unused regions as a critical measure to prevent attackers from concealing their activities.

The three major cloud service providers, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), offer a wide array of geographic regions to meet global demand and compliance requirements. However, cloud users such as DevOps engineers, Cloud Architects, and Cloud Security Engineers often use only a subset of these regions and may neglect to actively monitor the other regions. This oversight creates opportunities for threat actors to carry out malicious activities undetected.

Amazon Web Services (AWS)

At the time of writing, Amazon Web Services (AWS) spans 34 geographic regions worldwide, encompassing 108 Availability Zones, over 600 CloudFront Points of Presence (PoPs), and 13 Regional Edge Caches. This expansive infrastructure supports global scalability, low-latency access, and high availability for users and businesses across the globe.

[Image: AWS global infrastructure map of regions]

Threat actors who successfully compromise a victim's AWS account, whether through stolen credentials, exposed access keys, exploited IAM misconfigurations, vulnerabilities in third-party applications, or the absence of Multi-Factor Authentication (MFA), can exploit unused regions as safe zones for malicious activities. These regions are often overlooked in monitoring and security setups, making them an attractive target for attackers to operate undetected.

[Image: Region selector in the AWS Management Console]

AWS-Specific Tools

Threat actors can abuse the AWS Command Line Interface (CLI) and AWS SDKs (e.g., custom Python scripts) to enumerate unused AWS regions within a victim's AWS account.

Any threat actor holding exposed AWS credentials with the necessary permission (ec2:DescribeRegions) can authenticate and use the AWS Command Line Interface (CLI) command below to list the regions available in the victim's account. By default, describe-regions returns only the regions currently enabled for the account; adding the --all-regions flag also includes opted-out regions, and the OptInStatus column (opt-in-not-required, opted-in, or not-opted-in) shows which regions the account has never turned on:

aws ec2 describe-regions --output table

Output: 

[Image: describe-regions table output]

Similarly, threat actors with the appropriate credentials and permissions (account:ListRegions) could use the Account Management API's list-regions command (aws account list-regions), filtered on region opt status, to identify regions in the process of being enabled (ENABLING) or already fully enabled (ENABLED).

Output:

[Image: list-regions output showing regions with ENABLING and ENABLED opt status]

After listing the available regions, the threat actors can identify active regions and unused regions. Next, the threat actors can use the AWS CLI commands to enable an unused region if it is currently disabled and the account permissions allow region activation.

To run the command below, the stolen credentials must carry the account:EnableRegion permission. Run with the account's own credentials, the command enables the region for that account; run from the organization's management account or the Account Management delegated administrator account with the --account-id parameter, it can enable regions in other member accounts.

[Image: IAM permissions (account:EnableRegion, account:DisableRegion, account:GetRegionOptStatus, account:ListRegions) required to enable, disable, read and list region opt status via the AWS CLI or SDKs]

# Command
aws account enable-region --region-name <region-name>

# Command example
aws account enable-region --region-name ap-southeast-2

NB: This command produces no output when it succeeds. Enabling a region is asynchronous: the region's opt status moves to ENABLING and then to ENABLED, which can take several minutes. The EnableRegion call is recorded in CloudTrail (eventSource account.amazonaws.com), making it the earliest signal that a new region is being brought into the account.

Once the unused region is enabled, threat actors can exploit it for malicious purposes, such as deploying unauthorized resources, conducting activities that evade detection in active regions, or setting up infrastructure for future attacks. This could include:

  • Deploying Malicious Resources: Threat actors can launch cloud resources, such as EC2 instances or S3 buckets, to engage in activities like cryptocurrency mining, data exfiltration, or hosting malware, all while avoiding detection due to the lack of monitoring in the unused region.
  • Bypassing Budget Alarms: Threat actors can launch high-cost resources in unused regions to inflate AWS bills without triggering budget alarms whose region filters are scoped to the account's active regions.
  • Storing Malicious Artifacts: Threat actors can store compromised snapshots, unauthorized backups, or other artifacts for persistence or preparation for future attacks.
  • Establishing Backdoors: Threat actors can deploy backdoors, Lambda functions, or Step Functions to automate ongoing exploitation or maintain long-term access to the compromised account.
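As an added illustration (example code written for this edit, not part of the original post or Permiso's tooling), the following Python flags the two signals the procedure above leaves in CloudTrail: the EnableRegion call itself, and any mutating API call in a region outside an approved baseline, while ignoring read-only Describe*/List* calls and calls to global services that CloudTrail records as us-east-1. The baseline, the account ID and the event records are constructed; the casing of the regionName key in EnableRegion's requestParameters is an assumption, so both variants are read. This is the same logic the Detection Strategies section later in this post asks for when it says to monitor all regions.

```python
"""Detect region-opt changes and resource creation outside an approved
region baseline in AWS CloudTrail records.

Added example for this post, not Permiso or AWS code. Assumptions: the
APPROVED_REGIONS baseline is fictional, and SAMPLE_EVENTS are constructed
to mirror the CloudTrail record shape (eventSource, eventName, awsRegion,
readOnly, requestParameters, userIdentity); the casing of the EnableRegion
requestParameters key is not guaranteed, so both variants are read.
"""
import json
from typing import Dict, Iterable, List, Optional

# Regions this (fictional) account is expected to use; everything else is "unused".
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}

# Opt-in changes are logged by the Account Management API before any resource exists.
REGION_OPT_EVENTS = {"EnableRegion", "DisableRegion"}

# Global services record awsRegion as us-east-1; they must not trip a region check.
GLOBAL_EVENT_SOURCES = {
    "iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com",
    "account.amazonaws.com", "cloudfront.amazonaws.com", "route53.amazonaws.com",
}


def classify(event: Dict) -> Optional[str]:
    """Return a finding label for one CloudTrail record, or None if benign."""
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    region = event.get("awsRegion", "")
    if name in REGION_OPT_EVENTS:
        params = event.get("requestParameters") or {}
        target = params.get("regionName") or params.get("RegionName") or "?"
        return f"region_opt_change:{name}:{target}"
    if source in GLOBAL_EVENT_SOURCES or region in APPROVED_REGIONS:
        return None
    # The console and inventory scanners issue read-only Describe*/List* calls
    # in every region; only mutating calls outside the baseline merit an alert.
    if event.get("readOnly", False):
        return None
    return f"mutation_outside_baseline:{name}:{region}"


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run classify() over a stream of records and keep the context an analyst needs."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append({
                "type": label,
                "time": event.get("eventTime"),
                "region": event.get("awsRegion"),
                "principal": (event.get("userIdentity") or {}).get("arn"),
                "sourceIP": event.get("sourceIPAddress"),
            })
    return findings


# Constructed records (not real telemetry) covering the cases that matter.
# Lambda's CreateFunction event carries its API version suffix in CloudTrail.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2024-11-04T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-11-04T09:15:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-11-04T22:01:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2", "readOnly": True,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-11-04T22:03:30Z", "eventSource": "account.amazonaws.com",
     "eventName": "EnableRegion", "awsRegion": "us-east-1", "readOnly": False,
     "requestParameters": {"regionName": "ap-southeast-2"},
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-11-04T22:21:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
    {"eventTime": "2024-11-04T22:25:48Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "awsRegion": "ap-south-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed records, the first three events are dropped (in-baseline deployment, IAM call to a global service, read-only Describe in an unused region) and the last three are surfaced: the region opt-in, then the EC2 and Lambda creations in regions the account never used. In production, feed it CloudTrail Lake or S3 records from a multi-region trail, since a single-region trail never records the events this logic depends on.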

Microsoft Azure

Azure has one of the most expansive cloud infrastructures globally, with over 60 regions and more than 300 data centers worldwide at the time of writing. These regions are designed to provide customers with low-latency access and built-in redundancy for high availability. Many Azure regions include multiple isolated Availability Zones, providing enhanced fault tolerance and reliability for mission-critical workloads. All regions are interconnected through Azure's high-speed, low-latency fiber-optic network, enabling seamless global operations and consistent performance for customers around the world.

[Image: Azure global infrastructure map]

Azure-Specific Tools

Any threat actor with the necessary Azure account credentials and the Reader role at the subscription level (with the Microsoft.Resources/subscriptions/locations/read permission) can authenticate and use the Azure CLI command below to list all regions within the victim's environment:

# Az CLI Command
az account list-locations --output table

Or

# PowerShell command to list all Azure regions
Get-AzLocation | Format-Table

Output: This command outputs a table of all available Azure regions in the victim's subscription. Threat actors can leverage this information to identify potential unused or under-monitored regions for exploitation.

[Image: az account list-locations table output]

While Azure's global infrastructure offers extensive capabilities, threat actors with compromised credentials or over-permissive RBAC role assignments can exploit unused regions within the victim's Azure tenant. Unlike AWS opt-in regions, Azure regions are available by default and do not require explicit enabling. Once an attacker holds credentials with the necessary permissions, such as the Contributor role at the subscription or resource group level, they can deploy resources in any region without additional approval, potentially evading detection and exploiting gaps in monitoring and security policies.

Although some specialized or restricted regions may require specific permissions or approval processes, the majority of regions are accessible by default. This accessibility provides threat actors an opportunity to perform the following actions:

  • Provision resources, such as virtual machines (VMs), storage accounts, or databases, in unused Azure regions that the organization is not actively monitoring.
  • Deploy high-performance virtual machines in unused regions to mine cryptocurrency, consuming significant compute resources and driving up costs.
  • Store exfiltrated data in storage accounts or databases created in unused regions, evading data loss prevention (DLP) systems configured for active regions.
  • Host command-and-control (C2) servers in unused regions to manage malware, ransomware campaigns, or botnets, which are less likely to be flagged by security tools focused on active regions.
  • Exploit regions whose activity and resource logs the organization does not route to Microsoft Sentinel or cover with Microsoft Defender for Cloud, bypassing detection and logging.
  • Use unused regions as sandbox environments to test malware, exploits, or attack strategies away from monitored systems.
  • Exploit gaps in Azure Policy enforcement, which may not restrict deployments to specific regions or impose compliance requirements across all locations.

Google Cloud Platform (GCP)

At the time of writing, Google Cloud Platform (GCP) operates in 41 regions and 124 zones, with ongoing expansion plans to bring services closer to its customers. Each region consists of multiple zones, designed to ensure high availability and redundancy for deployed workloads. GCP utilizes one of the largest and most advanced software-defined networks globally, offering low-latency connectivity and high throughput across all regions. Additionally, over 187 edge locations enable the rapid delivery of services and content to end users. GCP's multi-regional configurations further enhance resilience by supporting globally distributed applications, ensuring continuity during regional outages and optimizing performance for a global user base.

[Image: Google Cloud Platform global infrastructure map]

GCP-Specific Tools

Any threat actor with the necessary GCP account credentials and the Compute Viewer (roles/compute.viewer) IAM role at the project level can authenticate and use the gcloud CLI command below to list all regions within the victim's environment:

gcloud compute regions list

Output: The above command retrieves a list of all available GCP regions for the authenticated account.

[Image: gcloud compute regions list output]

All regions are accessible by default in GCP once the Compute Engine API is enabled. A threat actor with sufficient permissions can deploy resources in any region supported by the project without requiring explicit enabling for specific regions.

If a threat actor compromises credentials with IAM roles such as roles/owner, roles/editor, or roles/compute.instanceAdmin, they can exploit unused regions and deploy resources freely across the project.

Threat actors can also run the regions describe command below to retrieve detailed information about a specific region in GCP:

gcloud compute regions describe REGION

[Image: gcloud compute regions describe output for the US-Central region]

This command is useful to threat actors for:

  • Checking the availability and operational status of a specific region.
  • Viewing quotas and limits for resources in a region.
  • Identifying zones within a region for deploying resources.

GCP's extensive global geographic infrastructure, similar to AWS and Azure, can be exploited by threat actors to evade detection through the following tactics:

  • Deploy high-compute resources, such as GPUs, in unused regions to mine cryptocurrency, resulting in significant financial costs to the organization.
  • Exploit regions that the organization's detection and protection tooling, such as Chronicle Security Operations or Cloud Armor, has not been configured to cover, in order to bypass monitoring and avoid detection.
  • Create Compute Engine instances, Cloud Storage buckets, or Kubernetes clusters in regions that are not actively monitored by the organization, enabling them to operate without being noticed.
  • Store exfiltrated data in Cloud Storage buckets located in unmonitored regions, bypassing data loss prevention (DLP) or other security systems focused on active regions.
  • Use unmonitored regions as a sandbox to test and refine malware, exploits, or attack strategies without triggering alerts or drawing attention from security teams.
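The regions describe output above lists per-region quotas and their current usage, which is also a defender's shortcut: any region outside the organization's baseline that shows non-zero usage on a Compute Engine quota metric already holds resources, whether or not anyone is watching that region. The Python below is an added example (not Google or Permiso code) that turns that observation into an audit. The baseline and the JSON are constructed to mirror the Region resource that gcloud compute regions list --format=json returns (name, status, quotas[] of metric/limit/usage).

```python
"""Spot GCP regions outside an approved baseline that already hold Compute
Engine resources, using the per-region quota usage reported by
`gcloud compute regions list --format=json`.

Added example for this post, not Google or Permiso code. The baseline and
REGIONS_JSON are constructed; the JSON mirrors the Compute Engine Region
resource (name, status, quotas[] of metric/limit/usage). Non-zero usage of
any quota metric in an unapproved region means something was deployed there,
whether or not that region is monitored.
"""
import json
from typing import Dict, List, Set

APPROVED_REGIONS: Set[str] = {"us-central1", "europe-west1"}  # assumed baseline

# Constructed sample, not real project data. A quota entry's usage is the
# amount currently consumed in that region (e.g. 8 CPUs, 2 instances).
REGIONS_JSON = """
[
  {"name": "us-central1", "status": "UP",
   "quotas": [{"metric": "CPUS", "limit": 24.0, "usage": 16.0},
              {"metric": "INSTANCES", "limit": 100.0, "usage": 5.0}]},
  {"name": "europe-west1", "status": "UP",
   "quotas": [{"metric": "CPUS", "limit": 24.0, "usage": 0.0}]},
  {"name": "asia-southeast1", "status": "UP",
   "quotas": [{"metric": "CPUS", "limit": 24.0, "usage": 8.0},
              {"metric": "INSTANCES", "limit": 100.0, "usage": 2.0},
              {"metric": "NVIDIA_T4_GPUS", "limit": 4.0, "usage": 2.0}]},
  {"name": "southamerica-east1", "status": "UP",
   "quotas": [{"metric": "CPUS", "limit": 24.0, "usage": 0.0}]},
  {"name": "australia-southeast1", "status": "UP",
   "quotas": [{"metric": "CPUS", "limit": 24.0, "usage": 0.0},
              {"metric": "IN_USE_ADDRESSES", "limit": 8.0, "usage": 1.0}]}
]
"""


def consumed_quotas(region: Dict) -> Dict[str, float]:
    """Quota metrics with non-zero usage for one region."""
    return {
        q["metric"]: float(q["usage"])
        for q in region.get("quotas", [])
        if float(q.get("usage", 0)) > 0
    }


def rogue_regions(regions: List[Dict], approved: Set[str]) -> Dict[str, Dict[str, float]]:
    """Unapproved regions that hold anything at all, keyed by region name."""
    findings = {}
    for region in regions:
        if region["name"] in approved:
            continue
        used = consumed_quotas(region)
        if used:
            findings[region["name"]] = used
    return dict(sorted(findings.items()))


def accelerator_regions(findings: Dict[str, Dict[str, float]]) -> List[str]:
    """Rogue regions consuming GPU quota: the cryptomining pattern described above."""
    return sorted(
        name for name, used in findings.items()
        if any(metric.endswith("_GPUS") for metric in used)
    )


def audit(regions_json: str, approved: Set[str] = APPROVED_REGIONS):
    """Parse the gcloud JSON and return (rogue regions, GPU-consuming rogue regions)."""
    findings = rogue_regions(json.loads(regions_json), approved)
    return findings, accelerator_regions(findings)


if __name__ == "__main__":
    findings, gpu_regions = audit(REGIONS_JSON)
    for name, used in findings.items():
        print(f"{name}: {used}")
    print("GPU quota consumed in:", gpu_regions)
```

On the constructed data this reports asia-southeast1 (CPUs, instances and T4 GPUs in use) and australia-southeast1 (a single reserved address, which is the kind of small footprint that precedes a larger deployment); southamerica-east1 is clean and the two approved regions are skipped. Quota usage only reflects Compute Engine, so storage buckets, Cloud Functions or GKE control planes in a region will not appear here; Cloud Asset Inventory is the place to check those.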

Generic Tools and Techniques Used by Threat Actors

The following tools and techniques are used by threat actors to exploit unused cloud regions:

  • Cloud Management Interfaces and APIs: Tools like AWS CLI, Azure CLI, and Google Cloud SDK allow attackers to programmatically deploy resources in unmonitored regions.
  • Misconfigured IAM Policies: Improperly configured IAM roles or excessive permissions enable unauthorized access to cloud resources across all regions.
  • Infrastructure Automation Tools: Deployment tools like AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager or Terraform can be abused to create infrastructure in unused regions quickly.
  • Cryptomining Software: Miners such as XMRig or NiceHash are often installed on cloud instances in unused regions to mine cryptocurrency.
  • Stolen Credentials: Compromised account credentials are used to access cloud consoles or APIs and provision resources in unmonitored regions.
  • Exploitation Frameworks: Frameworks like Metasploit or Cobalt Strike can be used to exploit cloud environments and deploy payloads in specific regions.

Multi-Cloud Offensive Tools

The following multi-cloud offensive tools can be utilized by both threat actors and cloud security engineers to identify and assess unused regions.

Detection and Mitigation

Organizations and cloud security engineers should take proactive steps to mitigate the risks associated with unused or unsupported cloud regions across the major cloud providers (AWS, Azure, and GCP) by implementing the following detection and mitigation strategies:

Mitigation Strategies

  • Restrict Region Usage
    • AWS: Use Service Control Policies (SCPs) or IAM policies to establish guardrails that explicitly deny operations in unused regions, keyed on the aws:RequestedRegion condition. Exempt global services (for example IAM, STS, Organizations, CloudFront, and Route 53), whose API calls are handled in us-east-1, or the guardrail will break them. SCPs do not apply to the organization's management account, so protect it separately with IAM policies and strict access controls.
    • Azure: Assign the built-in Allowed locations and Allowed locations for resource groups Azure Policy definitions to enforce region restrictions.
    • GCP: Use Organization Policies to restrict region usage via constraints like constraints/gcp.resourceLocations.
  • Set Budget Alerts
    • AWS: Configure AWS Budgets, including budgets filtered by region, to alert on unexpected spend, and enable Cost Anomaly Detection to catch usage that no budget anticipated.
    • Azure: Use Azure Cost Management to set budget thresholds and notifications.
    • GCP: Set up Cloud Billing alerts to monitor and detect anomalies in resource usage costs.
  • Conduct Regular Audits
    • AWS: Use AWS Config to audit resource deployments and ensure compliance with region-specific restrictions.
    • Azure: Leverage Azure Policy compliance evaluations to identify unauthorized deployments.
    • GCP: Use Cloud Asset Inventory to regularly review resource locations and configurations across the organization, folders, and projects.
  • Educate and Train Cyber-Defenders and Security Teams
    • Equip cyber-defenders with practical knowledge of deploying region guardrails as code (SCPs, Azure Policy assignments, and GCP organization policies managed through AWS CloudFormation, Azure Resource Manager templates, or GCP Deployment Manager), monitoring activity across all regions, and responding effectively to potential threats.
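As an added example (written for this edit, not an AWS-published or Permiso policy), the Python below generates the kind of SCP the Restrict Region Usage bullet describes and checks sample requests against it. It pairs a region deny on aws:RequestedRegion, with global services exempted through NotAction, with a second statement that denies account:EnableRegion and account:DisableRegion to everyone except a break-glass role, so a compromised principal cannot opt a new region into the account at all. The approved regions, the CloudPlatformAdmin role name and the exemption list are illustrative, and the evaluator models only the two condition operators the policy uses, not full IAM evaluation.

```python
"""Build an AWS Service Control Policy that (1) denies every action outside an
approved set of regions, exempting global services, and (2) denies region
opt-in/opt-out to everyone but a break-glass role, then evaluate sample
requests against it.

Added example for this post, not Permiso or AWS code. Assumptions: the
approved regions, the CloudPlatformAdmin break-glass role and the
GLOBAL_SERVICE_ACTIONS list are illustrative (tune the exemptions to the
global services your accounts actually call). scp_denies() models only the
two condition operators this policy uses, not the full IAM evaluation logic,
and SCPs never apply to the organization's management account.
"""
import fnmatch
import json
from typing import Dict, List, Union

APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/CloudPlatformAdmin"

# Global services are served from us-east-1 regardless of where the caller is;
# without these exemptions the region guardrail breaks IAM, STS, billing, etc.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*", "budgets:*", "ce:*",
    "cloudfront:*", "route53:*", "support:*", "health:*", "trustedadvisor:*",
    "ec2:DescribeRegions", "s3:ListAllMyBuckets",
]


def build_region_guardrail_scp() -> Dict:
    """Two Deny statements: region fence, plus a lock on region opt-in changes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
            },
            {
                # Stops a compromised principal from opting new regions into the account.
                "Sid": "DenyRegionOptChanges",
                "Effect": "Deny",
                "Action": ["account:EnableRegion", "account:DisableRegion"],
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
            },
        ],
    }


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM-style wildcard match (* and ?), case-insensitive for actions and ARNs."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)


def _condition_holds(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Every key in the Condition block must be satisfied (AND semantics)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key, "")
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringNotEquals":
                if actual in values:
                    return False
            elif operator == "ArnNotLike":
                if _matches(values, actual):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def scp_denies(policy: Dict, action: str, region: str, principal_arn: str) -> bool:
    """True if any Deny statement matches; an SCP Deny overrides every IAM Allow."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:
            action_hit = not _matches(stmt["NotAction"], action)
        if action_hit and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    scp = build_region_guardrail_scp()
    print(json.dumps(scp, indent=2))
    dev = "arn:aws:iam::111122223333:role/Developer"
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("account:EnableRegion", "us-east-1")]:
        verdict = "DENIED" if scp_denies(scp, action, region, dev) else "not denied"
        print(f"{action} in {region}: {verdict}")
```

With this policy attached to an OU, a developer role can still launch instances in eu-west-1 and call IAM, but ec2:RunInstances in ap-southeast-2 is denied, and so is account:EnableRegion unless the caller is the break-glass role. Attach the policy to a test OU first: every global service missing from the NotAction list becomes an outage in the accounts below it.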

Detection Strategies

These involve identifying unauthorized activities or misconfigurations in unused regions:

  • Monitor All Regions - Detect suspicious activities using logs and monitoring tools like AWS CloudTrail, Azure Monitor, and GCP Audit Logs. On AWS, make sure the trail is a multi-region (or organization) trail; a single-region trail never records events from regions you do not visit, whereas a multi-region trail also covers regions enabled later. Azure Activity Log and GCP Cloud Audit Logs are not region-scoped, but the export pipeline that feeds your SIEM must cover every subscription and project.
  • Utilize Native Security Tools - Detect vulnerabilities, threats, and suspicious activities with Amazon GuardDuty, Microsoft Defender for Cloud (formerly Azure Security Center), and Google Cloud Security Command Center. GuardDuty is a regional service: enable it in every region, including the ones you do not use, or findings from those regions will never be produced.

How Permiso can Help

Threat actors are constantly evolving their attack techniques, often targeting unused cloud regions to carry out malicious activities undetected. To exploit these unused regions, attackers must first gain access to the cloud environment—typically by stealing or compromising cloud credentials such as usernames, passwords, API keys, or secrets. 

Permiso helps prevent account takeovers and reduces identity risks by protecting employees, guests, and vendors, along with the credentials, access keys, secrets, and service accounts they use. Through its use of a comprehensive universal identity graph to protect both human and non-human identities, Permiso ensures organizations maintain robust identity security, prevent unauthorized access, and uphold the integrity of their environments.

Conclusion

In this blog post, we explored how threat actors exploit unused regions in AWS, Azure, and GCP to carry out malicious activities, often leveraging cloud-native command-line tools and multi-cloud offensive frameworks. This exposes a critical gap in cloud governance that, if left unaddressed, can lead to significant security risks, such as cryptojacking and the substantial financial losses that come with it.

To combat these threats, cloud security teams and cyber defenders must implement the detection and mitigation strategies discussed here. By enforcing policy restrictions on approved regions, monitoring both active and inactive regions, leveraging native security tools, and conducting regular audits, organizations can fortify their defenses against abuse of unused regions, maintain visibility and control over their cloud environments, and ensure a secure and compliant multi-cloud infrastructure.

