Cloud Accounts

Information

• Name: Cloud Accounts

• ID: T1585.003

• Tactics: TA0042

• Technique: T1585

Introduction

Cloud Accounts (T1585.003) is a sub-technique within the MITRE ATT&CK framework under the broader technique of "Establish Accounts" (T1585). This sub-technique specifically refers to adversaries creating, compromising, or otherwise leveraging cloud-based accounts to maintain persistence, escalate privileges, or conduct further malicious activities within cloud environments. Attackers may exploit cloud account access to bypass traditional security controls, evade detection, and maintain persistent access to victim resources.

Deep Dive Into Technique

Adversaries employing Cloud Accounts (T1585.003) take advantage of cloud infrastructure to establish persistence and facilitate lateral movement. Technical methods and mechanisms include:

• Creating Cloud Accounts:

  • Attackers may set up new cloud accounts using stolen or fraudulent credentials.

  • Leveraging compromised payment methods or stolen credit cards to fund cloud accounts.

  • Utilizing anonymized or disposable email addresses to register cloud accounts, complicating attribution efforts.

• Compromising Existing Cloud Accounts:

  • Credential theft via phishing campaigns targeting cloud service users.

  • Credential stuffing attacks using credential dumps to identify valid login credentials.

  • Exploiting vulnerabilities or misconfigurations in cloud services to gain unauthorized access.

• Leveraging Cloud Infrastructure:

  • Deploying malicious virtual machines or containers for command-and-control (C2) infrastructure.

  • Hosting malware payloads, phishing pages, or malicious scripts within cloud storage services.

  • Utilizing cloud-based compute resources for cryptomining or launching distributed denial-of-service (DDoS) attacks.

• Maintaining Persistence:

  • Creating additional privileged accounts or roles within compromised cloud environments.

  • Modifying account permissions and security policies to retain access even after initial compromise is detected.

  • Using automated scripts or cloud provider APIs to maintain stealthy and persistent access.

When this Technique is Usually Used

Attackers typically utilize Cloud Accounts (T1585.003) across various stages of the cyber kill chain, including:

• Initial Access:

  • Establishing footholds by compromising cloud service credentials through phishing or credential stuffing.

• Persistence:

  • Creating additional cloud accounts or leveraging existing compromised accounts to maintain persistent access.

• Privilege Escalation:

  • Exploiting account misconfigurations or overly permissive cloud IAM (Identity and Access Management) settings to escalate privileges within the cloud environment.

• Defense Evasion:

  • Hosting malicious infrastructure on reputable cloud provider platforms to evade network-level detection and bypass traditional perimeter security controls.

• Command and Control:

  • Utilizing cloud services as C2 infrastructure, benefiting from the reliability, scalability, and difficulty of blocking legitimate cloud IP ranges.

• Impact:

  • Leveraging cloud resources to deploy ransomware, cryptominers, or conduct destructive operations against victim infrastructure.

How this Technique is Usually Detected

Detection of Cloud Accounts (T1585.003) typically involves monitoring cloud environments for anomalous or unauthorized activity. Effective detection methods and indicators of compromise (IoCs) include:

• Monitoring Account Creation and Authentication Activity:

  • Alerts on new cloud account creations, especially from unfamiliar or suspicious IP addresses or geolocations.

  • Detection of multiple failed login attempts, indicative of brute-force or credential stuffing attacks.

• Analyzing Cloud Audit Logs:

  • Reviewing cloud provider logs (AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs) for unusual account creations, modifications, or deletions.

  • Detecting unusual API calls or usage patterns inconsistent with normal organizational behavior.

• Behavioral Analytics and Anomaly Detection:

  • Implementing user and entity behavior analytics (UEBA) tools to identify deviations from baseline user or account behavior.

  • Detecting unusual resource provisioning, such as unexpected virtual machine deployments, storage bucket creations, or unusual network traffic patterns.

• Monitoring Financial and Billing Information:

  • Tracking sudden increases in cloud resource usage or billing anomalies that may indicate unauthorized cloud account usage.

  • Identifying unexpected cloud service charges or billing alerts triggered by unauthorized account activity.

• Specific Indicators of Compromise (IoCs):

  • Unrecognized or unauthorized cloud accounts appearing in IAM or user management consoles.

  • Unusual API calls or administrative actions from unknown or suspicious IP addresses.

  • Cloud instances or storage buckets hosting suspicious or malicious content.

  • Unusual outbound network connections from cloud infrastructure to known malicious IP addresses or domains.

Why it is Important to Detect This Technique

Early detection of Cloud Accounts (T1585.003) is critical due to the significant potential impacts on organizational security, operations, and reputation. Important reasons for timely detection include:

• Data Exfiltration and Privacy Breaches:

  • Attackers can leverage compromised cloud accounts to access sensitive organizational data, intellectual property, or customer information, leading to significant regulatory and compliance consequences.

• Financial Impact:

  • Unauthorized cloud resource usage can result in substantial financial losses due to increased cloud service costs and fraudulent activities.

• Operational Disruption:

  • Attackers may utilize cloud accounts to deploy ransomware, cryptominers, or execute other disruptive attacks, negatively affecting business continuity and operational resilience.

• Reputation Damage:

  • Organizations suffering cloud account compromises face potential damage to their reputation and trust relationships with customers, partners, and regulatory bodies.

• Difficulty in Attribution and Remediation:

  • Attackers leveraging cloud infrastructure often complicate attribution efforts due to the dynamic and ephemeral nature of cloud resources, making incident response and remediation more challenging.

Examples

Several real-world examples illustrate the use of Cloud Accounts (T1585.003) by adversaries:

• TeamTNT Malware Campaign:

  • Attackers compromised cloud accounts by scanning for misconfigured Docker APIs and Kubernetes clusters.

  • Leveraged compromised cloud infrastructure to deploy cryptomining malware targeting cloud compute resources, resulting in unauthorized resource consumption and increased billing costs.

• Rocke Cryptojacking Group:

  • Utilized compromised cloud accounts and infrastructure to deploy cryptominers on victim cloud instances.

  • Modified cloud security policies and IAM roles to maintain persistent access, evade detection, and prolong malicious activity.

• APT33 (Elfin) Cloud Infrastructure Abuse:

  • Iranian threat actor APT33 leveraged compromised cloud accounts to host malicious infrastructure, conduct phishing campaigns, and distribute malware payloads.

  • Used cloud services to establish command-and-control infrastructure, benefiting from the legitimacy and reliability of cloud providers to evade detection.

• Capital One Data Breach (2019):

  • Attacker exploited a misconfigured firewall in AWS to access sensitive data stored in cloud resources, highlighting the importance of secure cloud account configuration and monitoring.

  • Demonstrated the severe financial, reputational, and regulatory consequences resulting from cloud account compromise and unauthorized access.

These examples highlight the diverse ways adversaries exploit cloud accounts, emphasizing the importance of robust detection, monitoring, and response capabilities for cloud-based environments.