Exploiting, detecting, and correcting IAM security misconfigurations

Bad Actor

Conclusion

The real-life scenario attacks presented in this article show how it's possible for an adversary to use IAM security misconfigurations to gain high privileges inside a cloud environment. Such attacks can start with valid credentials found online or obtained by tricking users in a phishing attack and can proceed with further privilege escalation to take control of an account.

By leveraging AWS features such as CloudTrail and CloudWatch, among others, it's possible to get alerts when changes are applied in your environment, triggering automatic responses.

Infos

Cloud lateral movement: https://sysdig.com/blog/lateral-movement-cloud-containers/
Crypto miner attacks: https://sysdig.com/blog/crypto-sysrv-hello-wordpress/
IAM security best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Principle of least privilege: https://csrc.nist.gov/glossary/term/principle_of_least_privilege
Valid cloud accounts: https://attack.mitre.org/techniques/T1078/004/
Group policy modification: https://attack.mitre.org/techniques/T1484/001/
Phishing: https://attack.mitre.org/techniques/T1566/
Reverse shell: https://sysdig.com/blog/reverse-shell-falco-sysdig-secure/
CloudTrail: https://docs.aws.amazon.com/cloudtrail/index.html
CloudWatch: https://docs.aws.amazon.com/cloudwatch/index.html

The Author

Stefano Chierici is a security researcher at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is a contributor to Falco, an incubation-level Cloud Native Computing Foundation (CNCF) project. He studied cyber security in Italy, and before joining Sysdig, he was a pen tester, a security engineer, and a red team member. In 2019, he obtained the Offensive Security Certified Professional (OSCP) Certification.

« Previous 1 2 3 4