Additional Cloud Credentials

Information

• Name: Additional Cloud Credentials

• ID: T1098.001

• Tactics: TA0003, TA0004

• Technique: T1098

Introduction

The MITRE ATT&CK sub-technique Additional Cloud Credentials (T1098.001) refers to adversaries obtaining and leveraging extra credentials within cloud environments beyond their initial access point. Attackers frequently utilize these credentials to maintain persistence, escalate privileges, and move laterally across cloud resources. By acquiring additional cloud credentials, adversaries can expand their control and enhance their ability to evade detection and remediation efforts.

Deep Dive Into Technique

Attackers commonly execute this sub-technique by targeting cloud platform features, configurations, or vulnerabilities to obtain additional credentials. The following mechanisms detail typical methods attackers use:

• Credential Theft from Cloud Instances:

  • Attackers access cloud-hosted virtual machines or containers and extract credentials stored within instance metadata services or configuration files.

  • Exploitation of misconfigured instance metadata endpoints (e.g., AWS EC2 metadata endpoint at http://169.254.169.254).

• Compromising Cloud Identity and Access Management (IAM) Roles and Policies:

  • Attackers exploit overly permissive IAM policies or roles to gain elevated privileges or additional credentials.

  • Manipulation or abuse of IAM trust relationships to assume additional roles.

• Cloud Service Misconfigurations:

  • Misconfigured storage buckets, databases, or other cloud services that inadvertently expose credentials or access tokens.

  • Harvesting credentials from improperly secured cloud-based CI/CD pipelines or code repositories.

• Phishing and Social Engineering:

  • Attackers may use targeted phishing campaigns to trick users into revealing cloud credentials or authorizing OAuth applications that grant additional credentials.

• Third-party Integrations and OAuth Tokens:

  • Attackers abuse third-party applications or OAuth tokens with excessive permissions to access additional cloud credentials or escalate privileges.

• Credential Dumping Tools and Scripts:

  • Utilizing specialized tools and scripts designed to extract secrets, tokens, or credentials from cloud instances or services (e.g., Pacu, ScoutSuite, Prowler).

When this Technique is Usually Used

Attackers typically leverage additional cloud credentials during multiple stages of an attack lifecycle, including:

• Initial Access and Persistence:

  • After initial compromise, adversaries obtain additional credentials to maintain persistent access even if initial credentials are revoked or discovered.

• Privilege Escalation:

  • Attackers use additional credentials to escalate privileges, gaining administrative access or broader permissions within cloud environments.

• Lateral Movement:

  • Utilizing additional credentials to move laterally across cloud accounts, resources, or even between cloud providers.

• Defense Evasion:

  • Attackers rotate between multiple credentials to obscure activities, evade detection, and complicate incident response efforts.

• Data Exfiltration and Impact:

  • Attackers leverage additional credentials to access sensitive data, intellectual property, or confidential information stored in cloud environments.

How this Technique is Usually Detected

Detection of additional cloud credential usage typically involves monitoring and auditing cloud environments with various methods and tools:

• Cloud Provider Logging and Monitoring:

  • AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs to track suspicious or unauthorized credential usage.

  • Monitoring for unusual API calls, unexpected IAM policy changes, or suspicious role assumptions.

• Cloud Security Posture Management (CSPM) Tools:

  • Tools such as Prisma Cloud, CloudGuard, Aqua Security, or Wiz to detect misconfigurations and suspicious credential activity.

• Behavioral Analytics and Anomaly Detection:

  • Leveraging User and Entity Behavior Analytics (UEBA) tools to identify anomalous credential usage patterns or unusual access attempts.

• Endpoint Detection and Response (EDR) and Cloud Workload Protection Platforms (CWPP):

  • Monitoring cloud instances for credential dumping tools, scripts, or suspicious processes indicative of credential harvesting.

• Specific Indicators of Compromise (IoCs):

  • Unusual or unauthorized IAM role assumption events.

  • Unexpected increase in API requests from unknown or unexpected sources.

  • Detection of credential dumping tools (e.g., Pacu, ScoutSuite) on cloud instances.

  • Identification of unauthorized OAuth application authorizations or tokens within cloud environments.

Why it is Important to Detect This Technique

Early detection of adversaries obtaining additional cloud credentials is critical for several reasons:

• Preventing Privilege Escalation:

  • Early detection helps mitigate attackers' ability to escalate privileges and gain administrative control over cloud resources.

• Reducing Damage and Impact:

  • Quickly identifying compromised credentials limits attackers' opportunities to exfiltrate sensitive data, disrupt operations, or cause financial and reputational damage.

• Stopping Lateral Movement:

  • Prompt detection prevents attackers from moving laterally across cloud environments, containing the attack and reducing the scope of compromise.

• Preserving Trust and Compliance:

  • Timely detection and response ensure compliance with regulatory standards (e.g., GDPR, HIPAA, PCI DSS) and protect organizational reputation and customer trust.

• Improving Incident Response Efficiency:

  • Identifying and remediating compromised credentials early reduces the complexity, time, and costs associated with incident response and recovery efforts.

Examples

Real-world examples of adversaries leveraging additional cloud credentials include:

• Capital One Breach (2019):

  • Attack Scenario:

    • Attacker exploited a misconfigured Web Application Firewall (WAF) to access an AWS EC2 instance.

    • Extracted AWS IAM credentials from the instance metadata service.

  • Tools and Techniques:

    • Accessed AWS EC2 metadata endpoint (http://169.254.169.254) to obtain IAM role credentials.

  • Impact:

    • Exfiltrated sensitive data of over 100 million customers, resulting in significant financial and reputational damage.

• TeamTNT Cloud Attacks (2020-2021):

  • Attack Scenario:

    • Attackers compromised cloud instances and containers to extract AWS credentials from metadata endpoints and configuration files.

  • Tools and Techniques:

    • Used automated scripts and tools to scan and extract AWS credentials from compromised Docker instances and Kubernetes clusters.

  • Impact:

    • Hijacked cloud resources for cryptocurrency mining, resulting in increased operational costs and resource exhaustion.

• Uber Data Breach (2022):

  • Attack Scenario:

    • Attacker performed social engineering against an employee, gaining initial credentials.

    • Leveraged compromised VPN and cloud credentials to access internal cloud resources.

  • Tools and Techniques:

    • Social engineering, credential theft, lateral movement within cloud environments.

  • Impact:

    • Exposure of sensitive internal data, significant public scrutiny, and regulatory investigations.

These examples highlight the critical importance of securing cloud environments and proactively monitoring for unauthorized credential usage to prevent severe impacts.