Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 1
The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics, techniques and procedures (TTPs) that is continually updated to reflect real-world observations of the evolving cyber threat landscape. MITRE ATT&CK can be described as a comprehensive cybersecurity framework, a threat modeling framework, a taxonomy for cyber threats, and a cyber threat intelligence framework, all rolled into one. It provides a detailed taxonomy for tracking cyber adversaries over the years and a structured approach to identifying, understanding, and defending against adversary behaviors and techniques.
This framework plays a crucial role in helping organizations and cyber defenders understand the behaviors of threat actors, and it supports the development of robust defense strategies to mitigate these known cyber threats effectively.
Overview of the Technique
The MITRE ATT&CK Cloud Matrix for Enterprise includes a broad spectrum of tactics and techniques that adversaries use in cloud computing environments. This blog post focuses on the technique in which an adversary modifies a cloud account's compute service infrastructure to evade defenses. This technique is referred to as Modify Cloud Compute Infrastructure and belongs to the 'Defense Evasion' tactic within the framework. It is essential to check the latest version of the MITRE ATT&CK framework for the most up-to-date technique identifiers and descriptions, as the framework is constantly updated to reflect the evolving cyber threat landscape.
Image showing technique (T1578) under Defense Evasion tactics
The Modify Cloud Compute Infrastructure technique (T1578) describes the adversary's goal of manipulating the compute service infrastructure in a way that helps them bypass existing security measures. T1578 comprises five (5) sub-techniques that adversaries can use to accomplish their objectives: Create Snapshot, Create Cloud Instance, Delete Cloud Instance, Revert Cloud Instance and Modify Cloud Compute Configurations.
An Advanced Persistent Threat (APT) actor can leverage this technique to alter infrastructure components such as compute instances, virtual machines, and snapshots for malicious purposes. This is achieved through the creation, deletion, or modification of these compute services. The ultimate goal of adversaries using this technique is to maintain stealthy persistence within the target's environment, evade detection, escalate privileges, and remove any evidence to cover their tracks.
Here are application examples of what an adversary or APT actor can do to evade detections:
- An adversary can delete logs or alter logging settings so that malicious activity blends in with legitimate logs.
- An adversary can create new virtual machines that are not accounted for in the original security setup to install malicious software or use as a pivot point for lateral movement. The adversary can also remove virtual machines to cover evidence of their presence.
- An adversary can create snapshots or backups of compromised virtual machines to ensure their access is not lost even if the original machine is discovered.
- An adversary can restore virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs to maintain a stealthy presence within the cloud environment.
- An adversary can take advantage of overly permissive roles within the cloud environment to gain higher privileges by assigning specific permissions to new or existing cloud Infrastructure components.
Real-world Applications
Having introduced the five sub-techniques of Modify Cloud Compute Infrastructure, we will now review each of these sub-techniques and their detection methods across AWS, Azure, and GCP cloud environments.
1. Modify Cloud Compute Infrastructure: Create Snapshot
Adversaries take advantage of cloud environment capabilities, specifically snapshot creation, to evade defenses and potentially bypass restrictions. In cloud computing, a snapshot is a point-in-time copy of a cloud compute component such as a virtual machine (VM), a virtual hard drive, or any volume of data stored in the cloud. An adversary with permission to create snapshots can use this feature to evade defenses by manipulating snapshots and bypassing access controls to create and access snapshots of sensitive or restricted data. For example, an adversary, possibly an insider with limited administrative privileges, has permission to create snapshots within a cloud environment. The adversary uses this permission to create snapshots of volumes that contain sensitive information without triggering any immediate alerts, because snapshot creation is a legitimate activity within the cloud platform.
Cloud Attack Example One
According to the Mandiant M-Trends 2020 special report, an incident response case involving a cloud breach was reviewed. In this case, an attacker compromised an Amazon Web Services (AWS) environment by targeting the GitHub code repository of a corporation's cloud or on-premise environment to gather pertinent information such as AWS access key credentials.
There are three stages to this attack lifecycle.
In the first stage, the attacker compromised and obtained credentials from the corporation's GitHub code repository, which had no MFA enabled, by searching the commit history. The credentials retrieved by the attacker included a set of long-lived IAM user access keys used by applications that interact with (make API requests to) the AWS services in the corporation's AWS environment.
In the second stage, the attacker signed in via the AWS CLI (Command Line Interface) and ran reconnaissance commands such as listing the contents of S3 buckets and EC2 instances, listing public EC2 snapshots owned by and shared with the corporation's AWS account, listing all or specific EBS volumes for the current region, and lastly listing all or specific DB instances.
In the third stage, the attacker created a new IAM user with both Console and Programmatic access in the corporation's AWS account. To maintain persistence and escalate privileges, the attacker took snapshots of nine of the largest Elastic Block Store (EBS) volumes within the AWS account, created a new EC2 instance, mounted the snapshots, and attached an existing security policy to the EC2 instance that allows SSH traffic on port 22. The attacker performed lateral movement by accessing and creating snapshots of EBS volumes, provisioning an EC2 instance, and then moving on to the AWS RDS instances to access MySQL databases containing sensitive information. The attacker's mission was completed through high-volume data exfiltration via SSH to a server in the Netherlands, from both the EBS volumes and the RDS database. Finally, the attacker terminated the EC2 instance to erase forensic evidence, covering their tracks.
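A defender-side illustration of this chain, added here as an example and not part of the Mandiant report or the original post: the Python below scans constructed CloudTrail-style records and flags any principal that performs CreateSnapshot, RunInstances and TerminateInstances in that order inside one time window, recording AuthorizeSecurityGroupIngress as supporting evidence. The same snapshot-then-instance-then-terminate pattern is what the Create Cloud Instance and Delete Cloud Instance sub-techniques below describe, so this one detector covers those sections as well. The ARNs, timestamps and six-hour window are assumptions; T1578.001, T1578.002 and T1578.003 are the ATT&CK IDs for Create Snapshot, Create Cloud Instance and Delete Cloud Instance.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# eventName -> (ATT&CK sub-technique, stage). Stage order mirrors the chain
# above: snapshot the volumes, launch an instance, open SSH, terminate it.
STAGES = {
    "CreateSnapshot":                ("T1578.001", 1),
    "RunInstances":                  ("T1578.002", 2),
    "AuthorizeSecurityGroupIngress": ("supporting", 3),
    "TerminateInstances":            ("T1578.003", 4),
}
REQUIRED = {"CreateSnapshot", "RunInstances", "TerminateInstances"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_t1578_chains(records, window_hours=6):
    """Return {principal_arn: ordered chain} for each principal that performs
    snapshot -> launch -> terminate (ingress change optional) within the window."""
    window = timedelta(hours=window_hours)   # assumed chain duration
    by_actor = defaultdict(list)
    for r in records:
        if r.get("eventName") in STAGES:
            by_actor[r["userIdentity"]["arn"]].append(r)
    findings = {}
    for arn, evs in by_actor.items():
        evs.sort(key=lambda r: parse_time(r["eventTime"]))
        chain, start = [], None
        for r in evs:
            t = parse_time(r["eventTime"])
            if start is None or t - start > window:
                chain, start = [], t                  # window expired: start over
            sub, stage = STAGES[r["eventName"]]
            if not chain or stage > STAGES[chain[-1][0]][1]:
                chain.append((r["eventName"], sub))   # keep forward steps only
            if REQUIRED <= {name for name, _ in chain}:
                findings[arn] = chain
                break
    return findings

def ev(t, name, arn):
    # Minimal CloudTrail record with only the fields the detector reads
    return {"eventTime": t, "eventName": name, "userIdentity": {"arn": arn}}

ATTACKER = "arn:aws:iam::123456789012:user/svc-deploy"   # constructed
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"       # constructed
SAMPLE_TRAIL = [  # constructed records modelled on the chain described above
    ev("2024-01-05T01:10:00Z", "CreateSnapshot", ATTACKER),
    ev("2024-01-05T01:12:00Z", "CreateSnapshot", ATTACKER),
    ev("2024-01-05T01:30:00Z", "RunInstances", ATTACKER),
    ev("2024-01-05T01:31:00Z", "AuthorizeSecurityGroupIngress", ATTACKER),
    ev("2024-01-05T03:45:00Z", "TerminateInstances", ATTACKER),
    ev("2024-01-05T02:00:00Z", "CreateSnapshot", ADMIN),      # routine backup
    ev("2024-01-06T09:00:00Z", "TerminateInstances", ADMIN),  # unrelated, next day
]
```

Calling detect_t1578_chains(SAMPLE_TRAIL) reports only the svc-deploy principal; the admin's backup snapshot and next-day termination never form an ordered chain inside one window.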
Cloud Attack Example Two
An open source offensive tool designed specifically for exploiting Amazon Web Services (AWS) environments, called Pacu, can be used by adversaries to create snapshots of EBS volumes and RDS instances. Pacu provides modules that enumerate Amazon Elastic Block Store (EBS) volumes and Relational Database Service (RDS) instances within a target's AWS account. Once the adversaries have identified volume and instance resources, they use Pacu to bypass the access control configured on the original EBS volumes and RDS instances by creating snapshots of these resources.
The adversary can run the following Pacu modules to enumerate EBS volume and RDS instance snapshots in every region of the target AWS account.
# EBS volume enumeration
$run ebs__enum_volumes_snapshots
# RDS instance enumeration
$run rds__enum_snapshots
The ebs__explore_snapshots module in Pacu can be used by the adversary to create snapshots of existing EBS volumes and mount them to a new EC2 instance.
The adversary can execute the Pacu modules as:
# This module downloads specific EBS volumes
$run ebs__download_snapshots
# This module creates a snapshot of all database instances, restores new database instances from those snapshots,
# and then changes the master password to allow access to the copied database
$run rds__explore_snapshots
2. Modify Cloud Compute Infrastructure: Create Cloud Instance
In a similar manner to the Create Snapshot feature, adversaries also exploit the Create Cloud Instance feature to launch a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. This technique allows the adversary to bypass firewall rules and permissions to carry out malicious activity without affecting the existing running instances.
As illustrated in the image, adversaries employ the create cloud instance feature in a cloud environment to set up a new virtual machine or instance. Adversaries can leverage this cloud feature to bypass firewall rules and permissions that exist on instances (VMs) currently residing within an account. For example, an adversary who has gained privileged permissions can create snapshots of one or more volumes within a cloud account and launch a new instance to which these snapshots are then attached. The adversary can then apply a less restrictive security policy to the new instance in order to consolidate data from the local system or stage it remotely, in preparation for exfiltration. Essentially, this technique is a strategic manipulation of cloud instances (VMs) by adversaries to gather, centralize, and potentially exfiltrate sensitive data. The goal of the adversary is to evade detection while ensuring that the execution of currently running instances remains unaffected.
Attack Example One
As observed by the CrowdStrike Intelligence team, a cybercriminal group called Scattered Spider has been active since at least 2022. This Advanced Persistent Threat (APT) group ran the financially motivated C0027 campaign from at least June through December of 2022 to target customer relationship management and business-process outsourcing (BPO) firms, as well as telecommunications and technology companies. The activities of the C0027 campaign, carried out by Scattered Spider, include various forms of social engineering, SIM swapping, and attempts to leverage access from victim environments to mobile carrier networks.
During the investigation of the C0027 campaign carried out by Scattered Spider group, the CrowdStrike Intelligence team observed that the APT group employed various techniques to gain and maintain access, as well as evade detection and response. In relation to this blog post, the sub-technique Create Cloud Instance, which the adversary leveraged to evade detection, is of major concern.
The Scattered Spider group compromised the credentials of a victim user and authenticated to the organization's Azure tenant to gain access. Upon gaining access, the adversary instantiated Azure VMs (utilizing the sub-technique Create Cloud Instance) within the Azure tenant to conduct credential theft activities and facilitate lateral movement to on-premises systems.
Attack Example Two
According to the Microsoft Threat Intelligence team report dated March 22, 2022, activities related to a large-scale social engineering and extortion campaign targeting multiple organizations, some of which showed evidence of destructive elements, were observed. These activities were linked to DEV-0537, also known as the LAPSUS$ threat group. This Advanced Persistent Threat (APT) group has been active since at least mid-2021 and is known for employing a pure extortion and destruction model, without using ransomware payloads. They target organizations globally across various sectors, including government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media. Additionally, they are known for announcing their attacks on social media or advertising their intent to buy credentials from employees of targeted organizations.
The Microsoft Threat Intelligence team observed that during the exfiltration, destruction, and extortion stages of the LAPSUS$ attack, the group leveraged the sub-technique Create Cloud Instance to create new virtual machines within the target’s cloud environment. These VMs were then used as actor-controlled infrastructure to conduct further attacks across the target organization.
3. Modify Cloud Compute Infrastructure: Delete Cloud Instance
The Delete Cloud Instance feature is another technique increasingly adopted by adversaries after conducting malicious activities in a victim’s cloud environment. This tactic is used in an attempt to evade detection and remove evidence of their presence. Adversaries may initially use the technique Create Cloud Instance, as discussed previously, and later employ the Delete Cloud Instance feature to terminate the instance after achieving their objectives. This technique allows adversaries to delete cloud instances or virtual machines that contain valuable forensic artifacts and other evidence of suspicious behavior.
Attack Example
The cybercrime activities associated with DEV-0537, also known as the LAPSUS$ APT group, were observed by the Microsoft Threat Intelligence team. This group utilized the cloud feature Create Cloud Instance to launch virtual machines and conduct further attacks within the targets' cloud environments. After the data exfiltration stage of their attack, the LAPSUS$ APT group was frequently observed using the Delete Cloud Instance feature to remove the targets' systems and resources, affecting both on-premises environments (such as VMware vSphere/ESXi) and cloud infrastructure. This sub-technique was used to trigger the organizations' incident and crisis response process.
The LAPSUS$ APT group was also observed infiltrating incident response communications within targeted organizations. After triggering the organizations’ incident and crisis response processes by using the Delete Cloud Instance technique, they exploited this opportunity to join the organizations' crisis communication calls and internal discussion boards, such as Slack, Teams, and conference calls. This allowed them to gain insights into the victims' state of mind and understand the incident response workflows and corresponding responses.
4. Modify Cloud Compute Infrastructure: Revert Cloud Instance
Adversaries exploit the cloud feature Revert Cloud Instance, which cloud administrators typically use for legitimate purposes such as recovering from errors or undoing unwanted changes. This feature can be abused by adversaries to erase traces of unauthorized activity, revert to a prior configuration, or restore security features to a vulnerable state. For example, a threat actor who has gained unauthorized access can use this technique to revert changes made to a cloud instance after conducting malicious activities. This helps them evade detection and remove evidence of their presence through the cloud management dashboard or API access.
A major tactic for adversaries using this technique involves utilizing temporary (ephemeral) storage attached to cloud instances to store malicious payloads or scripts. Most cloud providers offer several types of storage options such as persistent, local, and ephemeral. Adversaries leverage the ephemeral storage because it is typically reset or wiped clean once the virtual machine (VM) is stopped or restarted.
Attack Example
The Revert Cloud Instance feature could be exploited by an adversary by storing malicious payloads or scripts in the ephemeral storage of a compute instance. With the understanding that this storage is reset upon the restarting of the VM, the adversary can perform malicious activities without leaving a permanent record in the organization's cloud environment. As a result of doing so, the risk of detection is minimized and the availability of evidence for forensic investigation is reduced, as any traces of the activities disappear once the VM is rebooted.
5. Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Upon compromising an organization's cloud environment, adversaries can abuse the Modify Cloud Compute Configurations feature, which is intended for legitimate use by cloud admins and engineers. These configuration settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact the availability of compute resources. Adversaries may modify these settings to affect the size, location, and resources available to an organization’s cloud compute infrastructure, thereby evading defenses. For example, cloud service providers (CSPs) often limit customer usage of compute resources via quotas. Cloud customers can request adjustments to these quotas to support increased computing needs for their deployments. On the other hand, adversaries with access to an organization's cloud account might request quota adjustments to support their malicious activities, such as enabling additional Resource Hijacking without raising suspicion by exhausting the victim’s entire quota. Similarly, adversaries may increase the allowed resource usage by modifying tenant-wide policies that limit the sizes of deployed virtual machines or by changing settings that affect where cloud resources can be deployed, such as enabling deployment in Unused/Unsupported Cloud Regions.
Attack Example
In an Azure environment, a significant security threat arises when an adversary gains access to a Global Administrator account, as outlined in the Microsoft Defender XDR Blog titled Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. With such access, the adversary can either create new subscriptions to deploy malicious resources or engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This deceptive maneuver enables the adversary to utilize the victim’s compute resources discreetly, without generating logs on the victim tenant, thereby obscuring any trace of unauthorized activity and complicating efforts to detect and mitigate the intrusion.