Additional Cloud Roles

Information

• Name: Additional Cloud Roles

• ID: T1098.003

• Tactics: TA0003, TA0004

• Technique: T1098

Introduction

The MITRE ATT&CK sub-technique Additional Cloud Roles (T1098.003) falls under the broader technique of Account Manipulation (T1098). This sub-technique specifically addresses scenarios where adversaries create, modify, or assume additional roles within cloud environments to maintain persistence, escalate privileges, or evade detection. Cloud roles define sets of permissions that grant access to resources and services. By manipulating roles, attackers can establish persistent access, facilitate lateral movement, and reduce their risk of detection.

Deep Dive Into Technique

Additional Cloud Roles (T1098.003) involves adversaries leveraging cloud identity and access management (IAM) systems to create or modify roles with specific permissions. These roles can then be assigned to compromised accounts or resources, enabling attackers to maintain persistence, escalate privileges, or perform lateral movement across the cloud infrastructure.

Technical execution methods include:

• Creating New IAM Roles:

  • Attackers may create new roles with elevated or specific permissions tailored to their objectives.

  • Roles can be designed to blend in with legitimate naming conventions to evade suspicion.

• Modifying Existing Roles:

  • Attackers may alter existing roles by adding permissions or policies that grant additional access.

  • Existing roles are often targeted due to their legitimate presence, thus minimizing detection risk.

• Assuming Roles via STS (Security Token Service):

  • Attackers leverage the cloud provider's STS to assume roles temporarily, obtaining temporary security credentials for privileged actions.

  • Temporary credentials reduce the likelihood of detection, as they are ephemeral and may not be closely monitored.

• Cross-Account Role Assumption:

  • Attackers may exploit trust relationships between cloud accounts to assume roles in other accounts, broadening their access scope across organizational boundaries.

Real-world procedures attackers employ include:

• Leveraging compromised cloud administrator accounts or API keys to create or modify roles.

• Exploiting overly permissive IAM policies or misconfigured trust relationships.

• Using automation scripts or cloud-native CLI tools (such as AWS CLI, Azure CLI, or Google Cloud SDK) to programmatically manage roles.

When this Technique is Usually Used

Attackers typically utilize Additional Cloud Roles (T1098.003) during various stages of the cyber kill chain, including:

• Persistence:

  • Creating roles with persistent access ensures attackers retain long-term access even if initial compromised accounts are detected or mitigated.

• Privilege Escalation:

  • Modifying existing roles or creating new roles with elevated privileges allows attackers to escalate their access within the cloud environment.

• Lateral Movement:

  • Assuming cross-account roles facilitates lateral movement between cloud accounts or environments within an organization.

• Defense Evasion:

  • Utilizing ephemeral role assumptions and temporary credentials makes detection and attribution more challenging.

Common attack scenarios include:

• Post-compromise activities after initial cloud credential theft or phishing attacks.

• Exploitation of misconfigured IAM policies or trust relationships between cloud accounts.

• Advanced persistent threat (APT) actors seeking long-term and stealthy persistence in cloud environments.

How this Technique is Usually Detected

Detecting Additional Cloud Roles (T1098.003) typically involves monitoring and analyzing cloud IAM activity and logs. Effective detection methods include:

• Cloud Audit Logging:

  • Regular monitoring of cloud provider audit logs (AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs) for suspicious role creation, modification, or assumption events.

• Behavioral Analytics:

  • Using anomaly detection tools or security information and event management (SIEM) systems to identify unusual IAM activity patterns or anomalous role assumptions.

• Identity and Access Management (IAM) Policy Reviews:

  • Periodic reviews of IAM policies and roles to identify unauthorized or suspicious changes, overly permissive roles, or newly created roles that do not adhere to established naming conventions or policies.

• Monitoring Temporary Credential Usage:

  • Tracking the frequency, source, and scope of temporary credentials generated via STS or similar services to detect anomalous or malicious role assumptions.

Specific Indicators of Compromise (IoCs) include:

• Creation of roles with overly broad permissions or administrative privileges.

• Sudden appearance of roles with naming conventions inconsistent with organizational standards.

• Unusual or unauthorized cross-account role assumptions.

• High frequency or volume of temporary credential generation events from unusual sources or times.

Why it is Important to Detect This Technique

Detecting Additional Cloud Roles (T1098.003) is crucial for maintaining the security and integrity of cloud environments. Failure to detect and respond promptly can lead to severe consequences, including:

• Persistent Unauthorized Access:

  • Attackers can maintain long-term stealthy access, making remediation difficult and resource-intensive.

• Privilege Escalation:

  • Attackers may escalate privileges, gaining administrative or sensitive access to critical cloud resources, data, or applications.

• Data Exfiltration and Theft:

  • Unauthorized roles may facilitate data exfiltration, intellectual property theft, or exposure of sensitive customer or organizational information.

• Financial Impact:

  • Attackers may leverage additional roles to provision unauthorized cloud resources, incurring significant financial costs.

• Compliance and Regulatory Violations:

  • Uncontrolled role creation or modification may lead to breaches of compliance requirements and regulatory standards, resulting in legal, financial, and reputational damage.

Early detection minimizes the damage, reduces remediation costs, and preserves organizational reputation and compliance posture.

Examples

Real-world examples of Additional Cloud Roles (T1098.003) include:

• Capital One Data Breach (2019):

  • Attackers leveraged compromised AWS credentials to assume roles and access sensitive customer data stored in AWS S3 buckets.

  • The attacker created additional roles and assumed them via AWS STS, enabling data exfiltration and unauthorized access to sensitive resources.

  • Impact: Exposure of personal information of over 100 million customers, significant financial penalties, and reputational damage.

• TeamTNT Cloud Attacks:

  • TeamTNT, a threat actor group, targets cloud environments by creating new IAM roles or modifying existing ones to maintain persistence and escalate privileges.

  • The group leverages automation scripts and cloud-native CLI tools to rapidly create and assume roles, facilitating lateral movement and cryptojacking activities.

  • Impact: Unauthorized resource provisioning, increased cloud costs, and compromised infrastructure stability.

• Misconfigured Cross-Account Role Exploitation:

  • Attackers exploit improperly configured cross-account IAM roles, assuming roles in multiple accounts within an organization.

  • Once assumed, attackers escalate privileges, exfiltrate sensitive data, or launch additional attacks from compromised accounts.

  • Impact: Extensive lateral movement, data breaches, and significant remediation efforts.

These examples underline the necessity of robust monitoring, detection, and response capabilities to mitigate threats associated with Additional Cloud Roles (T1098.003).