Section 22: Cloud Attacks
Cloud Attacks: Tools and Techniques
- Focus on tools and techniques for attacking cloud environments (AWS, Azure, GCP).
- Cloud attacks target vulnerabilities specific to cloud computing.
- Vulnerabilities can lead to unauthorized access and data breaches.
- Understanding these methods is crucial due to the increasing adoption of cloud services (60% of businesses).
- The focus is Domain 4, Attacks and Exploits.
Objective 4.6: Cloud-Based Attacks
- Perform cloud-based attacks using appropriate tools based on given scenarios.
- Key Areas:
- Identity and Access Management (IAM) Misconfigurations
- Resource Misconfigurations
- Logging Information Exposures
- Metadata Service Attacks
- Image and Artifact Tampering
- Supply Chain Attacks
- Container Exploits and Attacks
- Trust Relationship Abuse
- Third-Party Integration Exploits
- Cloud Security Testing
IAM Misconfigurations
- Common Flaws:
- System permissions and improper access controls.
- Misconfigured roles allowing privilege escalation or access to sensitive information.
Resource Misconfigurations
- Incorrect settings of resources can lead to data exposure or unauthorized access.
- Examples:
- Storage buckets
- Network Access Control Lists (ACLs)
- Virtual Machines (VMs)
Logging Information Exposures
- Importance of secure and private log management.
- Prevent leaks of sensitive operational or customer data through logs.
Metadata Service Attacks
- Exploiting the cloud provider's instance metadata service.
- Gaining unauthorized data access by exploiting metadata used for configuring and managing instances.
Image and Artifact Tampering
- Attackers manipulate cloud images and artifacts.
- Inserting malicious code or exploiting software dependencies.
Supply Chain Attacks
- Highlighting the risks involved with third-party services and software dependencies.
- Compromising third-party components to affect a broader system.
Container Exploits and Attacks
- Vulnerabilities specific to containerized environments.
- Examples:
- Docker
- Kubernetes
- Tools: kube-hunter and Docker Bench.
Trust Relationship Abuse
- Exploiting trust relationships between cloud services and components.
- Bypassing security measures.
Third-Party Integration Exploits
- Vulnerabilities introduced by adding third-party services into cloud platforms.
- Examples: APIs and service exploits.
Cloud Security Testing
- Methods and cross-platform tools used for systematic assessment of cloud infrastructure security.
- Tools:
- ScoutSuite
- Pacu (for AWS)
Hands-On Demo and Quiz
- Practical experience in evaluating cloud configurations.
- Identifying misconfigurations.
- Understanding how to adapt best security practices.
- Quiz to reinforce learning with review of questions and answers.
Identity and Access Management (IAM)
- IAM is a framework of policies and technologies ensuring the right individuals have the appropriate access to technology resources.
- Like a digital security guard ensuring only authorized personnel can access specific areas.
IAM as a Control System
- Analogy: A high-end security building with various rooms requiring different clearance levels.
- IAM works similarly in a digital environment.
- Users need appropriate permissions before accessing applications, data, or systems.
IAM Credential Misconfigurations
- Significant Concern: Can lead to unauthorized access to critical systems and data.
- Increases ease for attackers to exploit weaknesses.
- Analogy: Security guard handing out master keys to everyone.
Overly Permissive Policies
- Example: Employee needing read-only access mistakenly given write and execute permissions.
- Attacker compromising the user's credentials can modify or delete data.
- Penetration testing identifies users with permissions exceeding job requirements.
Default Credentials
- Systems come with default usernames and passwords (e.g., admin/admin, guest/guest).
- If not changed, attackers can easily gain access.
- Analogy: Leaving a master key on the doormat.
- Penetration testing scans for systems using default credentials.
IAM Roles in Cloud Environments (AWS, Azure)
- Roles define actions users and services can perform.
- Overly broad permissions make roles attractive targets.
- Example: IAM role with full administrative rights.
- Attacker gaining access can delete resources, access system data, or launch malicious instances.
Access Keys
- Digital equivalent of keys to security gates.
- Mishandling can bypass security measures.
- Example: Employee accidentally uploads AWS access key to a public code repository (GitHub).
- Attackers scan for exposed keys to access organization's AWS resources.
IAM and VIP List Analogy
- IAM policies and roles manage access like a VIP list at a club.
- Poorly managed IAM leads to unauthorized access and potential breaches.
Identifying IAM Misconfigurations
- Use tools like AWS IAM Access Analyzer to review permissions.
- Simulate attacks to demonstrate impact.
- Use tools like TruffleHog to scan repositories for AWS secret keys and leaked passwords.
- Finding and using exposed access keys highlights risks associated with poor key management practices.
Resource Misconfiguration
- Resource misconfiguration can be an attack vector in a penetration test.
- Key focus on:
- Network segmentation
- Network controls
- Exposed storage buckets
- Public access to services
Understanding these concepts and how they can be misconfigured leads to better defense of networks and more effective penetration tests.
Network Segmentation
Network segmentation can be seen as a series of locked doors within a building.
Each door restricts access and ensures only authorized personnel are allowed in specific areas.
Segmentation involves dividing the network into smaller segments each with its own security controls. Poor implementation can lead to unauthorized access across the network.
If an attacker gains access to a less secure segment, there is a chance that they may be able to move laterally to a more sensitive segment that should have been isolated. Look for poorly segmented networks where sensitive systems are on the same segment as less critical systems and attempt to exploit this lack of isolation during the penetration test.
Network Controls
Network controls are the rules and policies that govern the flow of traffic within a network, much like traffic lights and signs regulate movement in a city. These controls include firewalls, access control lists (ACLs), and intrusion detection systems (IDS).
If network controls are misconfigured, they leave security gaps attackers can exploit. For instance, a firewall that is too permissive and allows any traffic to pass through lets attackers reach systems that should be protected.
During the pentest, misconfigured firewalls that allow unrestricted access to sensitive ports for services can be exploited to gain deeper access to a network.
Exposed Storage Buckets
In cloud environments, storage buckets hold data much like filing cabinets hold documents. These buckets can be configured to be private or public.
If a storage bucket is mistakenly configured as public, anyone on the Internet can access the contents.
Imagine leaving a file cabinet full of sensitive documents out on the street for anyone to see. During a penetration test, search for exposed storage buckets and attempt to access them to demonstrate potential impact of such a misconfiguration.
Public Access to Services
Public access to services is a critical area of concern. Imagine a restricted-access area within the building, like a vault or control room.
These areas should only be accessible to authorized individuals. If a service is configured to be publicly accessible, anyone can access it without authentication as if one was leaving the door to a vault wide open.
During penetration tests, identify services that should be restricted but are accessible to the public. Demonstrate how an attacker could exploit this to gain control over the service or access its information. Improper security settings often lead to highly sensitive information being accessed, for example because a database is set to allow public access.
Resource misconfigurations like poor network segmentation, inadequate network controls, exposed storage buckets, and public access to services are significant attack vectors.
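The two checks below are an added example (not course material or any vendor's tool) covering both the IAM Misconfigurations section above and the exposed storage bucket / public access points here. The first function flags overly permissive IAM identity policies (wildcard actions or resources); the second flags S3 bucket policies with a public principal and ACL grants to the AllUsers/AuthenticatedUsers groups, which is what a reviewer or IAM Access Analyzer style tool would surface. The policies and ACL grants are constructed sample input; nothing is pulled from a live account.

```python
"""Static checks for overly permissive IAM identity policies and publicly
accessible S3 buckets (added example; standard library only)."""
from __future__ import annotations

import json
from typing import Any

# S3 canned-group grantee URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """IAM JSON allows a string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_overly_permissive(policy: dict) -> list[str]:
    """Flag Allow statements granting wildcard actions or wildcard resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: full administrative access (Action '*' on Resource '*')")
            continue
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {action}")
        if "*" in resources:
            findings.append(f"{sid}: {len(actions)} action(s) allowed on every resource")
    return findings


def find_public_bucket_access(bucket_policy: dict | None, acl_grants: list[dict]) -> list[str]:
    """Flag bucket-policy statements and ACL grants that open the bucket to the world."""
    findings = []
    for i, stmt in enumerate(_as_list((bucket_policy or {}).get("Statement"))):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            sid = stmt.get("Sid", f"Statement[{i}]")
            actions = ", ".join(_as_list(stmt.get("Action")))
            qualifier = "conditional, review" if stmt.get("Condition") else "unconditional"
            findings.append(f"{sid}: public principal may {actions} ({qualifier})")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL: {group} granted {grant.get('Permission')}")
    return findings


# --- constructed sample input (not policies from any real account) ---
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]
}""")

PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

PUBLIC_ACL_GRANTS = [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, find_overly_permissive(policy) or "ok")
    print("bucket", find_public_bucket_access(PUBLIC_BUCKET_POLICY, PUBLIC_ACL_GRANTS))
```

The same two functions can be fed the JSON returned by the AWS CLI (`get-policy-version`, `get-bucket-policy`, `get-bucket-acl`) during an assessment; a statement with a Condition block is reported separately because conditions such as `aws:SourceVpc` may make a public principal acceptable.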
Logging Information Exposures
- Logging information exposures serve as a key attack vector in pentests. Secured logs are useful to defenders, but mismanaged logs become gold for attackers.
- Logs are a detailed diary recording what happens within a system or network. Properly configured logging is central to monitoring and incident response, but when logs containing sensitive system information are exposed inappropriately, they become a goldmine for attackers.
Exposed Log Information Types
Sensitive data such as usernames, passwords, API keys, session tokens, or PII like email addresses or phone numbers can appear in logs, much like a detailed store receipt records every part of a transaction.
Example: an application logs login attempts including usernames and passwords; if the log is accessible to unauthorized users, an attacker can use it to gain access.
During a penetration test, search for log files and examine their contents to identify any sensitive information that shouldn't be there.
Log Storage
Logs can be stored locally, on centralized logging servers, or in cloud storage where improper security can lead to information exposure. Test the permissions and accessibility of log storage locations to ensure secure log storage.
An exposed web server directory where log files are stored with directory listing enabled allows attackers to easily navigate to the directory and download log files. The logs might contain system data such as user activity and error messages that can provide valuable insights into the system's vulnerabilities.
Log Transmission
- Logs are often sent over the network to centralized logging servers or SIEM systems. If the transmission is not encrypted, an attacker on the network path can easily capture the data. Examine log traffic on the network to assess this risk.
Log Retention Policies
- Log retention is required for auditing and compliance purposes, but retaining logs too long or managing them poorly can lead to exposure, especially of old, obsolete logs kept beyond what business operations require.
Highlighting this during a penetration test demonstrates the need for better log management practices.
Excessive Logging
Capturing too much can result in logs which contain sensitive data being recorded unnecessarily such as full HTTP request headers containing information such as session tokens or API keys.
Analyze the logging configuration and identify instances where excessive logging might expose sensitive data.
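As an added example (not from the course), the scanner below runs over a few constructed log lines and reports the sensitive data types listed under Exposed Log Information Types and Excessive Logging: AWS access key IDs, bearer tokens from logged request headers, passwords in query strings, session cookies and email addresses. The same patterns are what secret scanners such as TruffleHog (mentioned under Identifying IAM Misconfigurations) apply to code repositories. A redaction function shows the mitigation side: strip the secret before the line is written or shipped.

```python
"""Detect and redact sensitive values in log lines (added example; stdlib only).
The log lines are constructed; the AKIA... value is AWS's documented example key."""
import re

# Each pattern names what it detects; the named group "secret" is the part to redact.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?P<secret>(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9]))"),
    "bearer_token": re.compile(r"(?i)authorization:\s*bearer\s+(?P<secret>[A-Za-z0-9._\-]+)"),
    "password_param": re.compile(r"(?i)\b(?:password|passwd|pwd)=(?P<secret>[^&\s\"\[]+)"),
    "session_cookie": re.compile(r"(?i)\b(?:sessionid|PHPSESSID|JSESSIONID)=(?P<secret>[A-Za-z0-9%_\-]+)"),
    "email": re.compile(r"(?P<secret>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"),
}


def scan_line(line: str) -> list:
    """Return (kind, matched_secret) pairs found in one log line."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            hits.append((kind, m.group("secret")))
    return hits


def redact_line(line: str) -> str:
    """Replace each detected secret with a [REDACTED:kind] marker, keeping context."""
    for kind, pattern in PATTERNS.items():
        def _sub(m, kind=kind):
            return m.group(0).replace(m.group("secret"), f"[REDACTED:{kind}]")
        line = pattern.sub(_sub, line)
    return line


def scan_log(lines) -> dict:
    """Map 1-based line numbers to the findings on that line (lines without hits omitted)."""
    report = {}
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            report[lineno] = hits
    return report


# Constructed sample log; no real credentials or people.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO POST /login user=alice password=Summer2024! status=200",
    "2024-05-01T10:00:02Z DEBUG headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln",
    "2024-05-01T10:00:03Z ERROR s3 upload failed for key AKIAIOSFODNN7EXAMPLE bucket=reports",
    "2024-05-01T10:00:04Z INFO password reset requested for bob@example.com",
    "2024-05-01T10:00:05Z INFO GET /health status=200",
    "2024-05-01T10:00:06Z DEBUG cookie: sessionid=a1b2c3d4e5f6; path=/",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(lineno, hits)
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run as a script it prints the findings per line and the redacted copy; in an assessment, point `scan_log` at the contents of a downloaded log directory or a captured syslog stream. The patterns are deliberately narrow to keep false positives low; a production scanner would add provider-specific token formats and entropy checks.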
Metadata Exploitation
- Metadata service provides configuration/management for cloud instance runtime.
- Metadata contains info:
- Hostname.
- Events.
- Security Groups.
- Several breaches have been traced to metadata service attacks.
SSRF
- Server Side Request Forgery (SSRF) exploits trust between the server and accessible resources.
- SSRF happens when a web application fetches a remote resource without validating the user-supplied URL.
- An attacker sends crafted request to an unexpected destination.
The Attack
- The pen tester must first identify an SSRF vulnerability.
- Exploit the vulnerable application, extract credentials from the metadata service, and pivot to the organization's cloud account.
- For the exam, remember that metadata service attack is a form of SSRF attack.
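The defensive counterpart to the metadata-service SSRF described above is validating every URL the server is asked to fetch. The validator below is an added example (not from the course): it rejects non-HTTP schemes, the well-known metadata addresses (169.254.169.254, the AWS IPv6 endpoint fd00:ec2::254, `metadata.google.internal`), and any hostname that resolves to a loopback, link-local or private address, and it returns the vetted IP so the fetch can be pinned to it. The resolver is injected so the example runs offline against a constructed DNS table; in production you would pass a wrapper around `socket.getaddrinfo`. On AWS, requiring IMDSv2 (a session token obtained with a PUT request and a hop limit of 1) is the complementary platform-side control.

```python
"""URL validation for server-side fetches that blocks cloud metadata and
internal targets (added example; standard library only)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata"}
ALLOWED_SCHEMES = {"http", "https"}


class SsrfBlocked(ValueError):
    """Raised when a fetch URL must not be followed."""


def _is_internal(ip) -> bool:
    """Loopback, link-local (metadata lives here), RFC1918/ULA, reserved, multicast."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(url: str, resolve, allowed_hosts=None) -> str:
    """Return the IP the fetch may connect to, or raise SsrfBlocked.

    resolve(hostname) -> list[str] is supplied by the caller (real DNS in
    production, a table in tests); allowed_hosts is an optional allow-list."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise SsrfBlocked("missing host")
    if host in METADATA_HOSTS:
        raise SsrfBlocked(f"metadata endpoint blocked: {host}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SsrfBlocked(f"host not on allow-list: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 in the URL
    except ValueError:
        # Hostnames, and odd literals ipaddress does not parse (e.g. decimal or
        # hex forms), go to the resolver, which normalises them.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise SsrfBlocked(f"no address for {host}")
    for ip in addrs:
        if _is_internal(ip):
            raise SsrfBlocked(f"{host} resolves to internal address {ip}")
    # Pin the connection to the validated address to narrow DNS-rebinding windows.
    return str(addrs[0])


# Constructed DNS answers for an offline demonstration (hypothetical names).
FAKE_DNS = {
    "api.partner.example": ["1.2.3.4"],
    "rebind.attacker.example": ["5.6.7.8", "10.0.0.5"],  # one public, one internal answer
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def is_blocked(url: str, resolve=fake_resolve, allowed_hosts=None) -> bool:
    """Convenience wrapper: True when the validator rejects the URL."""
    try:
        validate_fetch_url(url, resolve, allowed_hosts)
        return False
    except SsrfBlocked:
        return True


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1/items", "http://169.254.169.254/",
              "http://[fd00:ec2::254]/", "http://rebind.attacker.example/", "file:///etc/hosts"]:
        print(u, "BLOCKED" if is_blocked(u) else "ok")
```

Note that the rebinding case is only partly solved by validation: the returned address must actually be used for the connection (for example via a custom connection pool), otherwise a second lookup at connect time can yield a different answer.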
Image and Artifact Tampering
- Image and artifact tampering involves manipulating virtual machine images, container images, and software artifacts to introduce vulnerabilities or malicious code.
Images and Artifacts
Think of images as blueprints for building a cloud instance; artifacts are the software and other components needed to make the instance operational.
An attacker injects malicious code into a legitimate image so that any new build based on the infected image introduces vulnerabilities into the environment.
Verify the source and integrity of images being used.
Docker hub image tampering can allow hackers to compromise containers.
Impact
Injected malicious code can steal sensitive data from the affected systems, leading to data theft.
It's always important to review the third party libraries and dependencies used in the target's code base.
The integrity and source of these libraries need to be verified to ensure they come from the expected origin. Tools like npm audit, yarn audit, and the like should be used to identify any known vulnerabilities.
During a pentest, recommend a strict dependency management policy: regularly update libraries and use tools to monitor for suspicious changes or vulnerabilities in third-party code.
Exploiting image and artifact tampering can also involve inserting weaknesses that facilitate future attacks. For instance, adding a weak default password or disabling security features in a VM image makes it easier for attackers to compromise systems later.
Supply Chain Attacks
- Supply chain attacks compromise trusted vendor/service provider to infiltrate systems/data.
- Analogy: tainted raw materials entering a factory.
Attack Vectors
Software Updates
If the update channel of a widely used software package is compromised, malicious code injected at the vendor reaches all downstream users.
Examine the update verification process and whether integrity checks exist. If they are absent, highlight how attackers could exploit the update mechanism.
Third-Party Libraries
- Compromising open-source libraries injects vulnerabilities into the application.
- Verify dependencies and update accordingly.
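Both the image-tampering section above and this third-party library bullet come down to the same control: pin what you build from and verify it against a known digest. The block below is an added example (not the course's or any tool's code) with two such checks: one lists Dockerfile `FROM` lines that reference a tag instead of a `@sha256:` digest (a tag can be repointed at a tampered image; a digest cannot), the other verifies a Subresource Integrity string of the `sha512-<base64>` form used in npm's `package-lock.json` `integrity` field against the downloaded tarball bytes. The Dockerfile and tarball bytes are constructed.

```python
"""Supply-chain integrity checks: digest-pinned base images and SRI verification
of dependency artifacts (added example; standard library only)."""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import re

# FROM [--platform=...] <image>[:tag][@sha256:<hex>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile: str) -> list[str]:
    """Image references in FROM lines that lack a @sha256 digest pin.
    References to earlier build stages and to 'scratch' are not images to pin."""
    stages: set[str] = set()
    unpinned = []
    for m in FROM_RE.finditer(dockerfile):
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() not in stages | {"scratch"} and not DIGEST_RE.search(ref):
            unpinned.append(ref)
        if stage:
            stages.add(stage.lower())
    return unpinned


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string ("sha512-<base64 digest>") for an artifact."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_sri(data: bytes, integrity: str) -> bool:
    """Compare the artifact's digest with the pinned SRI value in constant time."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(expected, hashlib.new(algo, data).digest())


# Constructed Dockerfile; the all-zero digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = f"""\
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

FROM gcr.io/distroless/static@sha256:{'0' * 64}
COPY --from=builder /src/app /app
FROM builder AS test
RUN go test ./...
"""

if __name__ == "__main__":
    print("unpinned:", unpinned_base_images(SAMPLE_DOCKERFILE))
    tarball = b"constructed package tarball bytes"
    pinned = make_sri(tarball)
    print(pinned, verify_sri(tarball, pinned), verify_sri(tarball + b"x", pinned))
```

In a review, `unpinned_base_images` is run over every Dockerfile in the repository, and `verify_sri` is the check a build step should perform before unpacking a dependency; a mismatch means the artifact differs from the one that was reviewed and locked.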
Hardware Supply Chain
- Hardware can be compromised during the supply chain, for example by installing malicious firmware on devices that provides a backdoor into the network.
- Here, you would examine the procurement process and verify the integrity of hardware components used within the organization.
Cloud Service and Third-Party Providers
- Compromising a cloud or third-party provider exposes the data and systems of all its customers and affects end users. The company must verify the provider's security practices.
Pen Test Considerations
- Strict control and monitoring practices must be emphasized.
Remember to identify the issues while providing recommendations for a more secure environment.
Container Exploits & Attacks
- Container exploitation happens via runtime attacks on workloads and container escapes; tools like kube-hunter and Docker Bench help assess it. Containers are great, but they bring new security challenges.
Runtime Attacks
Attacks that occur while the container is running: exploit vulnerabilities in the containerized application to execute further code.
Example: attacking a containerized web app to access customer data.
Penetration tests look for such vulnerabilities through dynamic analysis such as fuzz testing.
Container Escapes
Break out of the container to reach the host and other containers.
Caused by flaws in container software and configuration.
Excessive permissions can let an attacker use a flaw in Docker or Kubernetes to run commands on the host system and take over other containers' data.
Pen testers need to find configurations that facilitate escapes, such as running containers as root.
kube-hunter checks the security of Kubernetes clusters, looking for exposed databases and misconfigured Kubernetes dashboards.
Docker Bench checks a Docker configuration against security recommendations to find and fix issues and make the system more secure.
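The configuration findings kube-hunter and Docker Bench report for escape risk can be reproduced on a single Pod manifest with a few rules, which the added example below does (it is not either tool's code). It takes a parsed Kubernetes Pod spec as a dict and flags host namespace sharing (`hostPID`, `hostIPC`, `hostNetwork`), `hostPath` mounts (the host root or the container runtime socket in particular), `privileged` containers, missing `allowPrivilegeEscalation: false`, containers that may run as root, dangerous added capabilities and writable root filesystems; the same settings correspond to `docker run --privileged`, `--pid=host` and `-v /var/run/docker.sock:...` for plain Docker. Both manifests are constructed.

```python
"""Pod-spec checks for settings that make container escapes easier
(added example; standard library only)."""
from __future__ import annotations

DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def _containers(spec: dict) -> list[dict]:
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def escape_risk_findings(pod: dict) -> list[str]:
    """Return human-readable findings for one Pod manifest (empty list = hardened)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"pod shares host namespace: {key}")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            note = " (host root or runtime socket)" if path == "/" or path.endswith(".sock") else ""
            findings.append(f"hostPath volume '{vol.get('name')}' mounts {path}{note}")
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # Container-level settings override pod-level ones; root is the default.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and run_as_user in (None, 0):
            findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser unset or 0)")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append(f"{name}: dangerous capabilities added: {sorted(added & DANGEROUS_CAPS)}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
    return findings


# Constructed manifests (already parsed from YAML/JSON into dicts).
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "example/agent:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], escape_risk_findings(pod) or ["no findings"])
```

To run this against a live cluster, feed it the output of `kubectl get pod -o json` (each item's dict) instead of the constructed manifests; a Pod Security Admission `restricted` profile enforces most of these rules at admission time, which is the preferred fix.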
Trust Relationship Abuse
Trust relationships require secured communication protocols; otherwise they enable lateral attacks.
Abusing Kerberos allows privilege escalation; strict monitoring ensures compliance with trust policies.
Misconfigured application permissions must be revised, for example by reviewing how federation trusts are used, to promote security.
Examine inter-domain trusts as well as service principal names (SPNs) to analyze security within the environment.
Third Party Integration Exploits
- Secure integrations are necessary for cooperation between systems. Compromised integrations can breach systems and lead to total takeovers.
Security Risks
APIs are an entry point from the outside; insecure APIs can allow unauthorized requests between systems.
Third-party solutions can push updates, so their update mechanisms must be verified.
External code can lead to code injection, allowing vulnerabilities in third-party code to be triggered. Ensure third-party code is free of known vulnerabilities.
Impact
Insecure webhooks can leak data in real time; an attacker can hijack a webhook delivery and inject data into the environment, causing critical breaches.
Third-party integrations must protect sensitive information.
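The usual control against a hijacked or replayed webhook delivery is a shared-secret HMAC over a timestamp and the raw body, checked before the payload is parsed. The block below is an added example, not course material or any provider's SDK: the header names and the `v1=<hex>` signature format are this example's own convention (many providers use a similar HMAC-SHA256 scheme, with their own header names), and the secret, payload and headers are constructed. It rejects missing headers, stale timestamps, tampered bodies, wrong secrets and repeated delivery IDs.

```python
"""Inbound webhook verification: HMAC signature, freshness window and replay
cache (added example; standard library only)."""
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Hypothetical header names for this example's signing convention.
SIGNATURE_HEADER = "X-Example-Signature"
TIMESTAMP_HEADER = "X-Example-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older (or newer) than five minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>." + raw body."""
    msg = f"{timestamp}.".encode() + body
    return "v1=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SeenIds:
    """Replay cache keyed on delivery id (production: shared store with a TTL)."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def add(self, delivery_id: str) -> bool:
        """Record the id; False if it was already delivered."""
        if delivery_id in self._seen:
            return False
        self._seen.add(delivery_id)
        return True


def verify_webhook(secret: bytes, headers: dict, body: bytes, seen: SeenIds, now: int | None = None):
    """Receiver side. Returns (True, event_dict) or (False, reason)."""
    now = int(time.time()) if now is None else now
    ts_raw, sig = headers.get(TIMESTAMP_HEADER), headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    # Constant-time compare of the full signature string; check before parsing the body.
    if not hmac.compare_digest(sign(secret, ts, body), sig):
        return False, "signature mismatch"
    try:
        event = json.loads(body)
    except ValueError:
        return False, "body not JSON"
    delivery_id = event.get("id") if isinstance(event, dict) else None
    if not delivery_id or not seen.add(delivery_id):
        return False, "replayed or missing delivery id"
    return True, event


# Constructed delivery: what a sender with the shared secret would emit.
SECRET = b"constructed-shared-secret"
BODY = json.dumps({"id": "evt_1", "type": "order.paid", "amount": 1999}).encode()
SENT_AT = 1_700_000_000
HEADERS = {TIMESTAMP_HEADER: str(SENT_AT), SIGNATURE_HEADER: sign(SECRET, SENT_AT, BODY)}

if __name__ == "__main__":
    cache = SeenIds()
    print(verify_webhook(SECRET, HEADERS, BODY, cache, now=SENT_AT + 10))
    print(verify_webhook(SECRET, HEADERS, BODY, cache, now=SENT_AT + 20))  # replay
    print(verify_webhook(SECRET, HEADERS, BODY + b" ", SeenIds(), now=SENT_AT))  # tampered
```

The body must be the raw bytes as received, not a re-serialised JSON object, because any whitespace or key-order change alters the digest; and the secret should be per-integration, so that one leaked secret cannot forge deliveries for another partner.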
Cloud Security Tools
- Cloud security assessments are supported by tools such as ScoutSuite, Pacu, Prowler, and vendor-native tools.
Cloud platforms have multiple security challenges that these tools help address.
Tools
Scoutsuite
- Cross-platform tool that supports multiple cloud providers and assesses their security. Its scans are comprehensive and highlight security risks.
Pacu
- Open-source AWS exploitation framework designed to test various actions that mimic real-world attacks, privilege escalation, and weak configurations.
Prowler
- Security assessment tool that checks a wide range of areas such as IAM and logging. Used to identify areas for improvement based on benchmarks, for example enabling MFA, to ensure AWS is secure.
Cloud Native Vendor Tools
- AWS Trusted Advisor, Azure Security Center, and Google Cloud Security Command Center are all valuable and provide invaluable information for maintaining a strong infrastructure.
Cloud Audit Reports
- Cloud audit happens at this point