Notes

Sec22 - Cloud Attacks

4 min read

Identity and Access Management (IAM) Misconfigurations

  • IAM: Framework of policies/technologies controlling resource access
  • Misconfigurations: Improper permission settings leading to unauthorized access
  • Examples: - Overly Permissive Policies: Granting more permissions than necessary
    - Default Credentials: Using defaults (e.g., admin/admin)
    - Broad IAM Roles: Roles with “all actions on all resources
    - Mishandled Access Keys: Exposed keys in public repos (e.g., AWS keys in GitHub)
  • Tools:
    • AWS IAM Access Analyzer: Finds overly permissive roles
    • TruffleHog: Scans public repos for exposed secrets

Resource Misconfigurations

  • Definition: Incorrect security settings on network segments, storage buckets, services
    • Network Segmentation: Isolate segments to limit lateral movement
    • Network Controls: Firewalls, ACLs, IDS & Overly permissive rules (open SSH port)
    • Exposed Storage Buckets: AWS S3 etc. & Publicly accessible buckets
    • Public Access to Services: Services intended for authenticated users set to public
  • Key Concepts:
    • Lateral Movement: Attacker moves within network due to poor segmentation
    • Permissive Firewall Rules: Too much allowed traffic → unauthorized entry
    • Public Storage Buckets/Services: Open to anyone → data exposure

Logging Information Exposures

  • Definition: Sensitive data leakage via logs
  • Types of Exposed Data: Usernames, passwords, API keys, session tokens, PII
  • Where saved: local storage, centralized servers, cloud storage
    • Risks: Data breach
    • Vulnerable Scenarios: public directories, unencrypted logs, log retention policy
    • Mitigations: restrict log access, encrypt transit, configure retention policies
    • Avoid: Minimize sensitive data in logs

Metadata Service Attacks

  • Metadata Service: Provides cloud instance info (hostnames, events, IAM credentials)
  • Importance: Used by cloud providers (e.g., AWS) to manage instances
  • Exploit Example: SSRF to access metadata
  https://example.com/proxy?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Admin-Role/
  • Mitigations: sanitize URLs for SSRF, restrict metadata access VPC IAM policy

Image and Artifact Tampering

  • Def: Manipulating VM/container images or software artifacts to inject malicious code
    • VM Images: Tampered images can include rootkits or backdoors
    • Container Images: Stored in registries (Docker Hub, etc.)
    • Software Artifacts: Libraries/packages (npm, PyPI, Maven)
  • PenTester Focus: verify image integrity (checksum), audit libraries, trusted sources

Supply Chain Attacks

  • Definition: Target trusted vendor or third-party to compromise end users
  • Types:
    • Compromised Software Updates: Inject malicious code into legitimate updates
    • Compromised Libraries/Dependencies: Malicious code in popular packages
    • Hardware Supply Chain: Malicious firmware during manufacturing/shipping
    • Compromised Cloud Services/Providers: exploits cloud provider vulns
    • Malicious Insiders: Third-party employees introduce backdoors or leak dat
  • Best Practices:
    • Strong authentication/integrity checks for updates/dependencies
    • Regular audits & Role Based Access Control (RBAC) of third-parties
    • Encrypt data in transit and at rest

Container Exploits and Attacks

  • Workload Runtime Attacks:
    • Target apps inside containers (e.g., SQL injection in a containerized web app)
    • PenTest Technique: Dynamic analysis, fuzz testing during runtime
  • Container Escapes:
    • Attacker breaks out of container to host or other containers
    • Example: Exploiting Docker/Kubernetes flaw; container running as root
  • Tools:
    • Kube-Hunter: Scans Kubernetes clusters for vulnerabilities
    • Docker Bench: Audits Docker configs against best practices
  • Best Practices:
    • Principle of Least Privilege: Run containers with min prevs & regular patches

Trust Relationship Abuse

  • Trust Relationships: Secure connections/permissions between systems or domains
  • Abuse Types:
    • Compromised AD Domains: failed domain trust to access other domain w/o auth
    • Kerberos Delegation Abuse: misconfigs allows service to impersonate prevs users
    • Federated Identity Abuse: Compromised IP → forged tokens to access
    • Misconfigured Application Permissions: OAuth apps with broad permissions
    • Inter-Domain Trust Exploitation: Poorly configured trusts between AD forests allow lateral movement across domains
    • SPNs & Kerberoasting:
      • SPN: Unique identifier for services in AD
      • Kerberoasting: Request service ticket for SPN, crack it offline
  • Best Practices:
    • Constrained delegation instead of unconstrained
    • Secure federated identity configurations (token signing)
    • Apply least privilege to app permissions
    • Strict inter-domain trust controls (selective authentication)

Third-Party Integration Exploits

  • Definition: Exploits via external systems/services within business infrastructure
  • APIs:
    • Act as messengers b/w apps. Unsecured = data access
    • Mitigation: Enforce authentication/authorization (API keys, OAuth)
  • Third-Party Libraries/Components:
    • External libraries speed development but can introduce vulnerabilities. Keep vulns updated
  • Webhooks:
    • Send real-time data between apps. Unsecured = send malicious payloads
    • Mitigation: Validate payloads, implement authentication (tokens, signatures)
  • Data Leakage:
    • Data shared via integrations can be exposed if not secured
    • Mitigation: Encrypt data (HTTPS), enforce access controls (token validation)

Cloud Security Testing Tools

  • ScoutSuite (cross-platform for AWS, Azure, GCP)
    • Function: Audits cloud security posture, identifies misconfigurations
    • Capabilities:
      • Detect overly permissive IAM roles
      • Flag misconfigured network security groups
      • Identify public storage accounts
  • Pacu (AWS exploitation framework)
    • Role: Simulate real-world AWS attacks (prev esc, data exfiltration, lateral)
  • Prowler (AWS security assessment, CIS-based)
    • Function: Checklist for AWS best practices (IAM, logging, networking)
  • Cloud-Native Vendor Tools:
    • AWS Trusted Advisor: Real-time recommendations (encrypt S3, secure EC2)
    • AWS Config: Tracks resource changes, evaluates against security rules
    • Azure Security Center: Unified security management/monitoring (alerts for unpatched VMs)
    • Azure Policy: Enforces compliance (ensure encryption, tagging standards)
    • Google Cloud Security Command Center (SCC): Central dashboard for GCP security/threat visibility
    • Forseti Security: Open-source compliance checks (detect permissive IAM roles, exposed buckets)

Graph View