In the 2H 2020 edition of the biannual Palo Alto Networks Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organisations can improve their IAM configurations.
During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organisation.
The following highlights dive into specific data points that reinforce the research and recommendations outlined in the report.
Unauthorized External Access
During a Red Team exercise, researchers successfully exploited the misconfigured IAM role trust policy “AssumeRole” to gain temporary access to sensitive resources. The Unit 42 team was able to accomplish this using an anonymous AWS account. It is key to point out that an AWS CloudTrail event is generated for each attempt to assume an AWS role. It is critical that organisations monitor their CloudTrail logs for AssumeRole events and ensure that only approved AWS accounts are performing these actions against the organisation’s environment. The root cause that allowed this unauthenticated access was an overly permissive IAM role trust policy. The misconfigured policy allowed any AWS user who is not in the account to assume the role and obtain an access token. This could result in any number of attacks against an organisation, including denial-of-service (DoS) and ransomware, or even open a door for an advanced persistent threat (APT) adversary.
Lateral Movement and Privileged Escalation
In the same Red Team exercise, Unit 42 researchers were able to successfully move laterally with non-administrator access by leveraging a misconfigured IAM role related to flow-log management. They then successfully escalated their privileges from a restricted developer account to gain persistence, accomplished by hijacking an administrator account. By leveraging this overly permissive IAM role related to flow-logs, Unit 42 researchers gained administrative access to the entire cloud environment, allowing for the unrestricted manipulation of cloud resources. They were then able to create new Amazon Elastic Compute Cloud (EC2) and Relational Database Service (RDS) instances, as well as modify user and policy permissions. Attackers could use this technique to steal sensitive data, wipe out infrastructure, or lockdown an operation with ransomware.
JAPAC and EMEA Organizations Display Poor Cloud Identity Hygiene
Unit 42 researchers found that 75% of organisations in Japan and Asia-Pacific (JAPAC), as well as 74% of organisations in Europe, the Middle East and Africa (EMEA), are using Google Cloud to run workloads with admin privileges. By contrast, only 54% of organisations in the Americas run with the same type of privileges. It is a best practice to run workloads with the principle of least privilege – limiting permissions for users to the bare minimum they need. If an attacker is able to compromise a workload with admin privileges, the attacker would gain the same level of elevated access. This provides an easy path for attackers to use cloud resources to perform attacks, like cryptojacking operations, at the expense of the organisation.
Many Organizations Experience Cryptojacking
In addition to the IAM research, the Unit 42 team provided an update to its ongoing examination of the overall security posture of cloud infrastructure around the world. Unit 42 research shows cryptojacking to affect at least 23% of organisations globally that maintain cloud infrastructure. The team found that cloud environments are being targeted by cybercrime groups focused on malicious cryptomining operations, which remain one of the highest-profile attacks against cloud infrastructure.
Three Distinct Goals to Empower Businesses
Protecting your cloud infrastructure from the exploitation of misconfigured IAM roles and policies can improve and strengthen the defence of cloud infrastructure. Methods gleaned from the Unit 42 Cloud Threat Report can help organisations stay secure in the cloud in three distinct ways:
• Provide situational awareness of the latest adversary tactics regarding targeting IAM roles and policies, which can lead to serious security incidents unique to the cloud.
• Empower DevOps and security teams to stay ahead of the threat curve and better protect their cloud environments.
• Instill the mindset that a secure cloud is only possible when organisations take meaningful steps to harden their IAM roles and policies.