Cloud identity is too loose, opening the door for attackers
2022-04-23 09:41:00 [Like a breeze]

A new report from Palo Alto Networks' Unit 42 shows that almost all cloud users, roles, services and resources are granted far more permissions than they use, leaving organizations exposed to a widening attack once they are compromised. The security vendor's research found that misconfigured identity and access management (IAM) is opening the door to malicious actors, who primarily target cloud infrastructure and credentials in their attacks.
The results show that, when it comes to IAM in the cloud, organizations are struggling to implement good governance. The report also identifies five attack groups detected targeting cloud environments and reveals their attack methods.
In the report "Identity and Access Management: The First Line of Defense", Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts at more than 200 different organizations to understand their configuration and usage patterns. It shows that 99% of cloud users, roles, services and resources were granted "excessive permissions" that went unused for 60 days. According to the report, adversaries who compromise these identities can use those permissions to move laterally or vertically and expand the blast radius of the attack.
Unit 42 data shows that built-in policies managed by the cloud service provider (CSP) carry twice as many unused or excessive permissions as policies created by customers themselves. Removing these permissions can significantly reduce the exposure of each cloud resource and minimize the attack surface of the whole cloud environment. However, according to the report, cloud security is being undermined by poorly implemented IAM and credential management.
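The "granted but unused for 60 days" finding above is something a defender can measure in their own account. The following is an added example, not code from the Unit 42 report or from Palo Alto Networks: it expands an identity's granted actions (including wildcard grants such as `s3:*`), compares them with the date each action was last seen in the audit trail, flags everything unused for at least 60 days, and emits a tightened policy that keeps only the actions actually in use. The action catalog, identities, grants and last-used dates are constructed sample data; a real check would read the provider's full action list and its access-advisor or audit-log data.

```python
"""Right-size cloud IAM grants against observed use.

Added example (not code from the Unit 42 report or from Palo Alto Networks):
flag every granted permission an identity has not exercised in the last
60 days, the window the report uses, and produce a tightened policy that
keeps only the actions actually seen in the audit trail. All identities,
grants and last-used dates below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from fnmatch import fnmatchcase

UNUSED_WINDOW_DAYS = 60          # the report's "unused for 60 days" threshold
AS_OF = date(2022, 4, 23)        # evaluation date (the article's publication date)

# Constructed catalog of concrete actions that a wildcard grant can expand to.
# A real check would use the provider's full action list.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:ListUsers", "iam:CreateUser", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]


@dataclass
class Identity:
    """A cloud user, role or service principal: its granted actions (policy
    statements, possibly wildcards) and the date each action was last seen
    in the audit log."""
    name: str
    granted: list[str]
    last_used: dict[str, date] = field(default_factory=dict)


def expand_grants(granted: list[str], catalog: list[str]) -> set[str]:
    """Expand wildcard statements such as "s3:*" or "*" to concrete actions."""
    return {a for pattern in granted for a in catalog if fnmatchcase(a, pattern)}


def is_unused(last: date | None, as_of: date, window_days: int) -> bool:
    """An action is unused when it was never seen, or its last use is at
    least window_days before the evaluation date."""
    return last is None or (as_of - last).days >= window_days


def right_size(ident: Identity, catalog: list[str], as_of: date = AS_OF,
               window_days: int = UNUSED_WINDOW_DAYS) -> dict:
    """Split an identity's effective permissions into used and unused sets."""
    effective = expand_grants(ident.granted, catalog)
    unused = {a for a in effective
              if is_unused(ident.last_used.get(a), as_of, window_days)}
    return {
        "identity": ident.name,
        "keep": sorted(effective - unused),
        "remove": sorted(unused),
        "excessive": bool(unused),
    }


def tightened_policy(result: dict) -> dict:
    """Least-privilege policy document built from the actions still in use.
    Resource scoping is a separate step; "*" is kept here for brevity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": result["keep"], "Resource": "*"}],
    }


def summarize(identities: list[Identity], catalog: list[str],
              as_of: date = AS_OF) -> dict:
    """Account-wide view: how many identities carry permissions they never use."""
    results = [right_size(i, catalog, as_of) for i in identities]
    excessive = sum(1 for r in results if r["excessive"])
    return {"identities": len(results), "excessive": excessive,
            "excessive_share": excessive / len(results) if results else 0.0,
            "results": results}


def d(days_ago: int) -> date:
    """Helper for the constructed sample: a date N days before AS_OF."""
    return AS_OF - timedelta(days=days_ago)


# Constructed sample inventory (hypothetical names, not from the report).
SAMPLE_IDENTITIES = [
    Identity("ci-deploy-role", ["s3:*", "ec2:DescribeInstances"],
             {"s3:GetObject": d(2), "s3:PutObject": d(5), "ec2:DescribeInstances": d(90)}),
    Identity("analyst-user", ["s3:GetObject", "s3:ListBucket"],
             {"s3:GetObject": d(1), "s3:ListBucket": d(3)}),
    Identity("legacy-admin", ["*"], {"iam:ListUsers": d(10)}),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_IDENTITIES, ACTION_CATALOG)
    for r in summary["results"]:
        print(f'{r["identity"]}: keep {r["keep"]}, remove {r["remove"]}')
    print(f'{summary["excessive"]}/{summary["identities"]} identities over-permissioned')
```

On the sample data, `ci-deploy-role` keeps only `s3:GetObject` and `s3:PutObject`, `legacy-admin` shrinks from the full catalog to a single action, and `analyst-user` is already right-sized. Wildcard expansion is what makes the check honest: a single `s3:*` or `*` statement hides the real breadth of a grant, which is exactly where the report finds the excess concentrated.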
In the report, Unit 42 states that a misconfiguration lay behind 65% of the cloud security incidents it detected, that 53% of accounts allowed weak passwords and 44% allowed password reuse. What's more, nearly two-thirds (62%) of organizations publicly expose cloud resources.
Misconfigurations in a cloud platform's identity users, roles or group policies can significantly enlarge the threat landscape of an organization's cloud architecture, and these are the vectors adversaries continually seek to exploit.
All of the cloud threat actors we identified compromise servers, containers or laptops in an attempt to collect cloud credentials. Leaked credentials with excessive privileges can hand an attacker "the keys to the kingdom".
Unit 42 identifies five attack groups targeting cloud infrastructure
Unit 42 detected and identified five threat actors that use distinctive escalation techniques to collect credentials and directly target cloud service platforms. Three of them perform container-specific operations, including permission discovery and container resource discovery; two carry out container escapes; and all five collect cloud service or container platform credentials as part of their operating process. They are:
TeamTNT: In terms of cloud identity enumeration techniques, the group is considered the most sophisticated cloud threat actor. Its operations include lateral movement within Kubernetes clusters, the establishment of IRC botnets, and hijacking the resources of infected cloud workloads to mine Monero cryptocurrency.
WatchDog: Although skilled, this group is willing to sacrifice sophistication for a higher rate of access, Unit 42 says. It uses custom Go scripts and cryptojacking scripts reused from other groups (including TeamTNT), and is an opportunistic threat group targeting exposed cloud instances and applications.
Kinsing: Another opportunistic cloud threat actor with great potential for cloud credential collection, the group focuses on exposed Docker daemon APIs, uses Ubuntu-based GoLang malicious processes, and has begun extending its operations beyond Docker containers, specifically targeting container and cloud credential files held in infected cloud workloads.
Rocke: Rocke is a "senior" group committed to improving its cloud endpoint enumeration techniques. It specializes in ransomware and cryptojacking in cloud environments and is known for harnessing the computing power of compromised Linux-based systems, which are typically hosted in cloud infrastructure.
8220: A "close relative" of Rocke, the group is incorporating containers into its targets. The tools commonly used in its operations are PwnRig and DBUSed, both customized variants of the XMRig Monero mining software. The group is believed to have originated from a GitHub fork of the Rocke group's software.
IAM misconfigurations are a common entry point
Unit 42 recommends that organizations close their IAM gaps to protect their cloud infrastructure. Properly configured IAM can prevent accidental access, provide visibility into cloud activity, and reduce the impact of security incidents. "However, due to its dynamic nature and complexity, keeping IAM in its most secure state is challenging. Historically, IAM misconfigurations have been the entry point and pivot most often used by cybercriminals."
To help protect cloud environments from these threats, Unit 42 says organizations should deploy cloud native application protection platforms (CNAPP), focus on hardening IAM permissions, and increase their degree of security automation. (This article is from the SCA Secure Communications Alliance; please credit the source when reprinting.)
Copyright notice
This article was written by [Like a breeze]; please include the original link when reprinting, thank you.
https://yzsam.com/2022/04/202204230932157222.html