Cloud Account

Information

• Name: Cloud Account

• ID: T1136.003

• Tactics: TA0003

• Technique: T1136

Introduction

Cloud Account (T1136.003) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Create Account" (T1136). It specifically describes adversaries creating unauthorized accounts within cloud environments to maintain persistence, escalate privileges, or facilitate further malicious activities. Attackers leverage cloud-based services and management consoles to establish accounts that blend in with legitimate users, making detection and remediation challenging.

Deep Dive Into Technique

Adversaries employing the Cloud Account sub-technique typically follow a structured approach to create unauthorized accounts within cloud environments:

• Initial Access and Reconnaissance:

  • Attackers initially gain access to cloud environments through compromised credentials, phishing campaigns, or exploiting vulnerabilities in cloud infrastructure.

  • After gaining initial access, adversaries conduct reconnaissance to understand the cloud architecture, IAM roles, permissions, and user account configurations.

• Account Creation Methods:

  • Console Access: Attackers may directly use cloud service management consoles (e.g., AWS Management Console, Azure Portal, Google Cloud Console) to create new accounts or users.

  • Command Line Interfaces (CLI): Attackers often leverage cloud provider CLIs (such as AWS CLI, Azure CLI, GCloud CLI) to automate account creation through scripts or commands.

  • API Calls and SDKs: Attackers may use cloud provider APIs and SDKs to programmatically create accounts, allowing automation and stealthy operations.

  • Federated or SSO Integration: Attackers may exploit federated identity services or Single Sign-On (SSO) mechanisms to create or provision accounts that appear legitimate and bypass traditional security controls.

• Privilege Escalation and Persistence:

  • Newly created cloud accounts typically possess privileges that attackers can escalate or adjust according to their objectives.

  • Attackers may assign administrative rights or privileged roles (e.g., AWS IAM administrator, Azure Global Administrator) to these accounts to maintain persistent, high-level access.

  • Attackers may also create multiple accounts with varying privilege levels to ensure redundancy and persistence within the compromised environment.

• Obfuscation and Stealth:

  • Attackers frequently use naming conventions similar to legitimate accounts or standard organizational naming patterns to blend in and avoid suspicion.

  • They may also configure cloud accounts to use legitimate IP addresses, VPNs, or proxies to mask their origin and evade detection.

When this Technique is Usually Used

This sub-technique appears in various attack scenarios and stages, including:

• Persistence Stage: Creating cloud accounts allows attackers to maintain persistent access even after initial compromise vectors are mitigated or credentials are reset.

• Privilege Escalation Stage: Attackers create accounts with elevated privileges or roles to escalate their capabilities within cloud environments.

• Lateral Movement Stage: Adversaries may establish multiple cloud accounts to facilitate lateral movement across cloud resources, services, or environments.

• Data Exfiltration Stage: Attackers may use newly created cloud accounts to access sensitive data, storage buckets, databases, or other cloud resources for exfiltration purposes.

• Impact Stage: Attackers may leverage unauthorized cloud accounts to disrupt services, delete resources, or perform destructive actions.

How this Technique is Usually Detected

Organizations can detect unauthorized cloud account creation through several methods, tools, and indicators:

• Cloud Audit Logging and Monitoring:

  • Enable comprehensive audit logging features provided by cloud providers (e.g., AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs).

  • Regularly monitor logs for suspicious account creation events, especially those performed outside normal business hours or from unusual geographic locations or IP addresses.

• Behavioral Anomaly Detection:

  • Implement User and Entity Behavior Analytics (UEBA) to detect anomalous behaviors, such as unusual account creation patterns or privilege escalation activities.

  • Monitor for sudden spikes in account creations or changes in IAM roles and permissions.

• Security Information and Event Management (SIEM):

  • Integrate cloud logs into SIEM solutions (e.g., Splunk, Elastic Stack, Azure Sentinel) to correlate events and detect unauthorized account creations.

  • Configure alerts based on specific indicators, such as account creations from unknown devices, suspicious IP addresses, or unusual API calls.

• Cloud Security Posture Management (CSPM) Tools:

  • Employ CSPM solutions (e.g., Prisma Cloud, Orca Security, CloudGuard) to monitor cloud environments continuously for unauthorized accounts and compliance violations.

  • Use these tools to identify newly created accounts with elevated permissions or deviations from standard IAM policies.

• Indicators of Compromise (IoCs):

  • Unrecognized or unauthorized cloud accounts appearing in IAM consoles or audit logs.

  • Accounts created from suspicious IP addresses, VPNs, or proxy services.

  • Accounts with naming patterns similar but not identical to legitimate users or administrators.

  • Sudden changes in IAM policies, roles, or permissions associated with new accounts.

  • API calls or CLI commands from unknown or unauthorized sources to create new accounts.

Why it is Important to Detect This Technique

Early detection of unauthorized cloud account creation is critical due to the significant impact it can have on systems and networks:

• Persistence and Long-Term Access: Undetected cloud accounts enable attackers to maintain persistent and covert access, complicating remediation and incident response efforts.

• Privilege Escalation: Attackers can escalate privileges using unauthorized accounts, potentially gaining administrative control over cloud environments, leading to severe security breaches.

• Data Breaches and Exfiltration: Unauthorized cloud accounts provide attackers direct access to sensitive data, facilitating data theft, leakage, and regulatory compliance violations.

• Financial Impact: Attackers may leverage cloud accounts to provision resources, initiate cryptocurrency mining, or launch denial-of-service attacks, incurring significant financial costs.

• Operational Disruption: Attackers can use unauthorized accounts to delete critical resources, disrupt cloud services, or halt business operations entirely.

• Compliance and Regulatory Risks: Failure to detect and remediate unauthorized cloud accounts can result in non-compliance with regulatory frameworks (e.g., GDPR, HIPAA, PCI DSS), leading to legal and financial penalties.

Examples

Real-world examples highlighting the use of the Cloud Account sub-technique include:

• Capital One Breach (2019):

  • Attackers exploited a web application firewall misconfiguration to gain access to AWS credentials.

  • An unauthorized AWS IAM account was created, granting persistent access to sensitive data stored in AWS S3 buckets.

  • Attackers exfiltrated personal information of approximately 100 million customers, resulting in significant financial and reputational damage.

• Tesla Kubernetes Incident (2018):

  • Attackers gained access to Tesla's Kubernetes administrative console hosted on AWS due to weak security configurations.

  • Attackers created unauthorized AWS cloud accounts and IAM roles, deploying cryptocurrency mining software on Tesla's infrastructure.

  • The incident led to unauthorized resource utilization and increased operational costs.

• TeamTNT Cloud Malware Campaigns (2020-2021):

  • Attackers targeted exposed Docker and Kubernetes instances hosted in cloud environments (AWS, Azure, Google Cloud).

  • Unauthorized cloud accounts and IAM roles were created to deploy cryptocurrency miners, exfiltrate cloud credentials, and facilitate lateral movement.

  • Victims experienced unauthorized resource usage, financial losses, and potential data exposure.

• Cloud Hopper Campaign (APT10):

  • APT10 targeted managed service providers (MSPs) and cloud service providers to gain persistent access to client cloud environments.

  • Attackers created unauthorized cloud accounts to maintain persistent access, exfiltrate sensitive client data, and conduct espionage activities.

  • The campaign affected numerous global organizations, highlighting the importance of monitoring and detecting unauthorized cloud account creation.