Prevent Ransomware Extortion from Identity Breaches


The rise of cloud services means that many applications and services operate using machine identities. The growth in non-human identities (NHIs) has led to unchecked excessive privilege and left organizations blind to what is connected to what and what data may be exposed. A ransomware extortion campaign carried out in AWS was recently reported by Unit 42. The attackers successfully compromised and extorted multiple victim organizations.

According to the Unit 42 article, the attackers collected Amazon Web Services keys and access tokens to various cloud services from environment variables insecurely stored in web applications and exposed publicly. Then they set up the attack infrastructure within various organizations’ Amazon Web Services (AWS) environments and used that groundwork to scan more than 230 million unique targets for sensitive information. The operation was uncovered while researchers investigated a compromised AWS environment that was being abused to launch automated scans against other domains as part of this campaign.

TL;DR: Better identity hygiene and continuous least privilege will minimize the blast radius

There are multiple lessons from this incident, across identity threat detection and response, anomalous behavior detection, preventing privilege escalation, and continuous least privilege management. Let’s start with how the attack was carried out, what could have been done during the attack to detect it, and then finally how to prevent such an attack from happening in the first place.

The Attack

The following outlines the phases of the attack and how Andromeda would go about detecting the breach and preventing the impact in a similar incident.

Initial Access (MITRE ATT&CK Tactic TA0001)

The Unit 42 researchers determined that the attackers collected .env files from around 110,000 domains, leading to the exposure of over 90,000 unique environment variables with 7,000 corresponding to cloud services used by organizations.

The exposed .env (environment) files contained credentials of every kind, including IAM user access keys, OAuth credentials, GitHub tokens, Slack API keys, etc.
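The first line of defense against this initial-access step is on the web server itself: a request for `/.env` must never be answered with the file. The following is an added example (not code from Unit 42 or Andromeda) that parses web access-log lines in the common "combined" format, separates requests that merely probed for `.env` files from requests that were actually served (a 2xx response, meaning the credentials left the server), and counts probing sources. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the common "combined" access-log format; not from
# the article. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Aug/2024:12:00:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2024:12:00:06 +0000] "GET /.env.backup HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2024:12:00:09 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Matches /.env and variants such as /.env.backup or /api/.env, with or
# without a query string.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.|\?|$)')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_requests(lines):
    """Return every parsed request whose path targets an .env file.

    'served' is True when the server answered 2xx, i.e. the file contents
    (and any credentials in them) actually left the server.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and ENV_PATH_RE.search(rec["path"]):
            rec["served"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def summarize(lines):
    """Split hits into served files (an incident) and probing sources (recon)."""
    hits = find_env_requests(lines)
    return {
        "served": [(h["ip"], h["path"]) for h in hits if h["served"]],
        "probes_by_ip": Counter(h["ip"] for h in hits),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for ip, path in result["served"]:
        print(f"INCIDENT: {path} served to {ip}; rotate every secret it contained")
    for ip, n in result["probes_by_ip"].items():
        print(f"probe: {ip} requested .env paths {n} times")
```

A served `.env` is the trigger to treat every credential in the file as compromised and rotate it; the probe counts are useful for blocking, but the 2xx hits are what decide the incident response.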

Discovery (MITRE ATT&CK Tactic TA0007)

The attackers began making discovery calls to AWS using the IAM user keys. The most frequently used discovery calls were to the IAM, STS, and S3 services. One of the most common was GetCallerIdentity (an STS call), the equivalent of whoami.

Andromeda behavioral modeling and threat detection

Andromeda uses behavioral models built from the past activity of users and NHIs. We detect anomalies by learning the baseline activity: who is accessing what, where the access comes from, and the usage pattern. This is combined with the privilege risk (blast radius) of the identity to rate the risk of an unusual activity.

Andromeda also checks whether discovery calls come from sources or devices that have not been seen before.
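The baseline-plus-blast-radius logic described above can be shown on CloudTrail records. The following is an added example, not Andromeda's own detection code, that builds a per-principal baseline (source IPs, user agents, API actions) from historical events, scores each new event by how much of that context is new, raises the score when the call is a discovery call such as GetCallerIdentity, and then weights it by a per-principal blast-radius figure. The records, ARNs, IP addresses and blast-radius values are constructed for the example; real CloudTrail events carry many more fields.

```python
from collections import defaultdict

# Discovery calls of the kind seen in the campaign (STS/IAM/S3 enumeration).
DISCOVERY_CALLS = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("iam.amazonaws.com", "GetUser"),
    ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "ListAttachedUserPolicies"),
    ("s3.amazonaws.com", "ListBuckets"),
}

CI = "arn:aws:iam::111122223333:user/ci-deploy"      # constructed principal
RO = "arn:aws:iam::111122223333:user/reporting-ro"   # constructed principal

# Privilege risk (blast radius) per principal as a percentage, e.g. from an
# entitlement review; unknown principals default to 50. Constructed values.
PRINCIPAL_BLAST = {CI: 90, RO: 20}


def ev(arn, ip, ua, source, name):
    """Build a trimmed-down CloudTrail record (constructed helper)."""
    return {"userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "userAgent": ua, "eventSource": source, "eventName": name}


# Historical activity used to build the baseline (constructed).
HISTORY = [
    ev(CI, "198.51.100.20", "aws-cli/2.15.0", "sts.amazonaws.com", "GetCallerIdentity"),
    ev(CI, "198.51.100.20", "aws-cli/2.15.0", "lambda.amazonaws.com", "UpdateFunctionCode"),
    ev(CI, "198.51.100.20", "aws-cli/2.15.0", "s3.amazonaws.com", "PutObject"),
    ev(RO, "198.51.100.21", "Boto3/1.34.0", "s3.amazonaws.com", "GetObject"),
]

# New activity to score (constructed): the ci-deploy key used from an
# unfamiliar address, a routine CI run, and reporting-ro enumerating IAM.
NEW_EVENTS = [
    ev(CI, "203.0.113.55", "aws-cli/2.15.0", "sts.amazonaws.com", "GetCallerIdentity"),
    ev(CI, "198.51.100.20", "aws-cli/2.15.0", "sts.amazonaws.com", "GetCallerIdentity"),
    ev(RO, "203.0.113.55", "python-requests/2.31", "iam.amazonaws.com", "ListUsers"),
]


def build_baseline(events):
    """Per principal: the source IPs, user agents and API actions seen so far."""
    base = defaultdict(lambda: {"ips": set(), "agents": set(), "actions": set()})
    for e in events:
        b = base[e["userIdentity"]["arn"]]
        b["ips"].add(e["sourceIPAddress"])
        b["agents"].add(e["userAgent"])
        b["actions"].add((e["eventSource"], e["eventName"]))
    return base


def score_event(e, baseline, blast=PRINCIPAL_BLAST):
    """Novelty (0-100) weighted by the principal's blast radius (0-100)."""
    arn = e["userIdentity"]["arn"]
    action = (e["eventSource"], e["eventName"])
    reasons, novelty = [], 0
    b = baseline.get(arn)
    if b is None:
        reasons.append("principal never seen before")
        novelty = 100
    else:
        if e["sourceIPAddress"] not in b["ips"]:
            reasons.append("new source IP")
            novelty += 40
        if e["userAgent"] not in b["agents"]:
            reasons.append("new user agent")
            novelty += 30
        if action not in b["actions"]:
            reasons.append("action never used by this principal")
            novelty += 30
    # Discovery from an unfamiliar context is the whoami-style recon seen in
    # the campaign; routine discovery from a known context stays at zero.
    if action in DISCOVERY_CALLS and novelty:
        reasons.append("discovery call")
        novelty = min(100, novelty + 20)
    score = novelty * blast.get(arn, 50) // 100
    severity = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return {"principal": arn, "event": e["eventName"], "score": score,
            "severity": severity, "reasons": reasons}


def detect(history=HISTORY, new_events=NEW_EVENTS):
    baseline = build_baseline(history)
    return [score_event(e, baseline) for e in new_events]


if __name__ == "__main__":
    for r in detect():
        print(f'{r["severity"]:6} {r["score"]:3} {r["principal"].split("/")[-1]} '
              f'{r["event"]} {r["reasons"]}')
```

The weighting is the point: the same GetCallerIdentity call scores zero from the CI runner's usual address and agent, but high when the high-privilege ci-deploy key is used from an address it has never used, while the same novelty on the low-privilege reporting-ro user only reaches medium.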

Privilege Escalation (MITRE ATT&CK Tactic TA0004)

The attackers began exploring the IAM users’ permissions to escalate their access by creating a new role with admin privileges, then attaching that role to a Lambda function so that any action could be performed when the function was triggered.

Andromeda identification and reduction of high risk identities

Andromeda identifies and classifies all the IAM users who have access to high-risk actions such as iam:CreateRole and iam:PassRole.

Andromeda provides recommendations to reduce the risk of these identities by removing high-risk permissions so that the probability of escalating privilege is reduced to zero.

Andromeda detects the use of such high-risk actions through the behavioral model and sends alerts to a SIEM and/or SOAR.
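Classifying which identities can take the escalation path above starts from their IAM policy documents. The following is an added example, not Andromeda's product logic, that walks a policy's Allow statements, expands wildcard actions such as `iam:*` against a list of high-risk actions on the CreateRole/PassRole/Lambda path, and reports whether each grant is constrained (a specific resource, and for `iam:PassRole` an `iam:PassedToService` condition pinning the target service). It contrasts an over-permissive policy with a scoped-down one for the same Lambda deployment workload. The account id, role and function names are constructed placeholders; Deny and NotAction statements are deliberately out of scope.

```python
import fnmatch
import json

# Actions on the escalation path used in the campaign (create a role, give it
# admin rights, pass it to Lambda, run code under it). Constructed list.
HIGH_RISK_ACTIONS = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:PassRole", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
}

# Over-permissive policy: anything in IAM and Lambda on any resource.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "lambda:*"], "Resource": "*"}
  ]
}""")

# Same workload, scoped down: PassRole only for one execution role and only
# to Lambda, and Lambda writes only to the application's own functions.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-lambda-exec",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode"],
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:app-*"}
  ]
}""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, action):
    # IAM action names match case-insensitively and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assess_policy(policy):
    """List every high-risk action an Allow statement grants and whether the
    grant is constrained: no wildcard resource and, for PassRole, a condition
    that pins the service the role may be passed to. Deny and NotAction
    statements are not evaluated by this heuristic."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        resources = _as_list(st.get("Resource", "*"))
        # Flatten {"StringEquals": {"iam:PassedToService": ...}} to key names.
        condition_keys = {k.lower() for c in st.get("Condition", {}).values() for k in c}
        for pattern in _as_list(st["Action"]):
            for action in sorted(HIGH_RISK_ACTIONS):
                if not _matches(pattern, action):
                    continue
                constrained = "*" not in resources
                if action == "iam:PassRole":
                    constrained = constrained and "iam:passedtoservice" in condition_keys
                findings.append({"action": action, "resources": resources,
                                 "constrained": constrained})
    return findings


def unconstrained_actions(policy):
    """The high-risk actions a policy grants without any scoping."""
    return sorted(f["action"] for f in assess_policy(policy) if not f["constrained"])


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, "unconstrained high-risk actions:", unconstrained_actions(pol))
```

On the weak policy every action on the path is unconstrained, which is exactly the situation in which a single leaked key can be turned into an admin role running inside Lambda; the hardened policy still lets the deployment job do its work but cannot mint new roles or pass anything but its own execution role, and only to Lambda.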

Execution (MITRE ATT&CK Tactic TA0002)

The attackers attempted activities in various services such as EC2 and Lambda; a few operations succeeded, while others failed where the role did not have permission for those actions. Lambda was the most heavily abused service in this attack.

After exfiltrating the data, the attackers deleted the contents of the S3 bucket and left a ransom note.

Andromeda least privilege and anomaly detection

With Andromeda’s least-privilege enforcement, we prevent access to high-risk assets while also detecting failed attempts through our behavioral anomaly model.
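Two signals from the execution phase are worth alerting on even when least privilege has already blocked the action: a run of denied API calls from one principal (the attackers probing what the role could do), and bulk reads of a bucket followed by bulk deletes (exfiltrate, then destroy, then demand a ransom). The following is an added example, not Andromeda's detection code, that runs both checks over constructed CloudTrail-style records: a sliding-window count of denials per principal, and a per-principal, per-bucket check for GetObject volume followed by DeleteObject volume. Thresholds, ARNs, bucket names and timestamps are constructed; real S3 object-level events require data-event logging to be enabled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error codes CloudTrail records for a denied call (EC2 uses its own spelling).
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

CI = "arn:aws:iam::111122223333:user/ci-deploy"    # compromised key (constructed)
BK = "arn:aws:iam::111122223333:role/backup-svc"   # benign reader (constructed)


def ev(t, arn, source, name, error=None, bucket=None):
    """Trimmed-down CloudTrail record (constructed helper); all on 2024-08-10."""
    return {"eventTime": f"2024-08-10T{t}Z", "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "errorCode": error,
            "bucket": bucket}


EVENTS = [
    # Probing for permissions the principal does not have: five denials.
    ev("12:00:01", CI, "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation"),
    ev("12:00:03", CI, "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    ev("12:00:05", CI, "lambda.amazonaws.com", "CreateFunction", "AccessDenied"),
    ev("12:00:07", CI, "iam.amazonaws.com", "CreateUser", "AccessDenied"),
    ev("12:00:09", CI, "iam.amazonaws.com", "CreateAccessKey", "AccessDenied"),
    ev("12:00:30", CI, "s3.amazonaws.com", "ListBuckets"),
    # Bulk read of a bucket, then bulk delete of the same bucket.
    *[ev(f"12:01:0{i}", CI, "s3.amazonaws.com", "GetObject", bucket="customer-exports") for i in range(4)],
    *[ev(f"12:02:0{i}", CI, "s3.amazonaws.com", "DeleteObject", bucket="customer-exports") for i in range(4)],
    # A legitimate reader touching the same bucket, no deletes.
    ev("12:05:00", BK, "s3.amazonaws.com", "GetObject", bucket="customer-exports"),
    ev("12:05:01", BK, "s3.amazonaws.com", "GetObject", bucket="customer-exports"),
]


def _t(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def access_denied_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per principal when `threshold` denials land within `window`."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for e in sorted(events, key=_t):
        if e["errorCode"] not in DENIED_CODES:
            continue
        arn, now = e["userIdentity"]["arn"], _t(e)
        q = recent[arn]
        q.append(now)
        while q and now - q[0] > window:     # drop denials older than the window
            q.popleft()
        if len(q) >= threshold and arn not in alerted:
            alerted.add(arn)
            alerts.append({"principal": arn, "denials": len(q), "at": e["eventTime"]})
    return alerts


def exfil_then_destroy(events, min_gets=3, min_deletes=3):
    """Per principal and bucket: bulk GetObject followed by bulk DeleteObject."""
    gets, deletes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["eventSource"] != "s3.amazonaws.com" or e["errorCode"]:
            continue
        key = (e["userIdentity"]["arn"], e["bucket"])
        if e["eventName"] == "GetObject":
            gets[key].append(_t(e))
        elif e["eventName"] == "DeleteObject":
            deletes[key].append(_t(e))
    alerts = []
    for key, g in gets.items():
        later_deletes = [d for d in deletes.get(key, []) if d > min(g)]
        if len(g) >= min_gets and len(later_deletes) >= min_deletes:
            alerts.append({"principal": key[0], "bucket": key[1],
                           "gets": len(g), "deletes": len(later_deletes)})
    return alerts


if __name__ == "__main__":
    for a in access_denied_bursts(EVENTS):
        print("denial burst:", a)
    for a in exfil_then_destroy(EVENTS):
        print("exfil-then-destroy:", a)
```

The denial burst fires while the attacker is still mapping what the key can do, before any data has moved; the read-then-delete pattern is a last-chance detection, but with S3 versioning or Object Lock in place it also marks the moment at which restoring the bucket, rather than paying, becomes the response.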

Best Practices to Prevent Identity Access Breach in the Cloud

As the article states, "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture." 

Andromeda helps you implement the following preventative best practices to reduce the chance of such an attack happening in the first place.

  • Ensure you have real-time insight into both human and non-human identities with high posture risk (likelihood of a compromise) and high blast risk (the business impact of such a compromise), and prioritize fixing the highest-risk identities
  • Reduce your blast radius by maintaining a least-privilege state based on risk and usage for every human and non-human identity
  • Perform continuous evaluation of every identity’s risk, behavior, and permissions
  • Delete unused NHIs and roles, which are often passive risk vectors during attacks
  • Rotate keys at regular intervals and delete unused keys
  • Identify cross-account and lateral movement for identities, and reduce risk by right-sizing permissions and removing unused role bindings
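The key-rotation and unused-key items in the list above can be audited directly from the IAM credential report. The following is an added example (not Andromeda's product code) that reads a constructed subset of the report's CSV columns and flags, per active access key, whether it is older than the rotation limit, has never been used, or has been idle beyond an inactivity limit. The user names, timestamps and the fixed "now" are constructed; the column names follow the real report, where `N/A` marks a key that has never been used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed subset of the IAM credential report columns; the values are made
# up. "N/A" is how the report marks a key that has never been used.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2024-01-15T10:00:00+00:00,2024-08-09T07:30:00+00:00,false,N/A,N/A
reporting-ro,arn:aws:iam::111122223333:user/reporting-ro,true,2024-07-20T09:00:00+00:00,N/A,false,N/A,N/A
legacy-sync,arn:aws:iam::111122223333:user/legacy-sync,true,2024-06-01T00:00:00+00:00,2024-06-05T00:00:00+00:00,true,2024-08-01T00:00:00+00:00,2024-08-09T12:00:00+00:00
"""

# Fixed reference time so the constructed data gives stable results.
NOW = datetime(2024, 8, 10, 12, 0, tzinfo=timezone.utc)


def parse_report(text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    # The report uses "N/A" (and "not_supported" for some fields) for no value.
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_keys(rows, now=NOW, max_age_days=90, max_idle_days=30):
    """Flag active access keys that need rotating or deleting."""
    findings = []
    for row in rows:
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue                      # inactive or absent key
            rotated = _parse_ts(row[f"{key}_last_rotated"])
            last_used = _parse_ts(row[f"{key}_last_used_date"])
            base = {"user": row["user"], "key": key}
            if rotated and now - rotated > timedelta(days=max_age_days):
                findings.append({**base, "reason": "rotate",
                                 "days": (now - rotated).days})
            if last_used is None:
                findings.append({**base, "reason": "never_used", "days": None})
            elif now - last_used > timedelta(days=max_idle_days):
                findings.append({**base, "reason": "idle",
                                 "days": (now - last_used).days})
    return findings


if __name__ == "__main__":
    for f in audit_keys(parse_report(SAMPLE_REPORT)):
        print(f'{f["user"]:14} {f["key"]}: {f["reason"]} ({f["days"]} days)')
```

A key that has never been used, or has been idle for weeks, is a credential that exists only as a liability: deleting it removes one more thing a leaked `.env` file could contain. The same audit can be extended to the report's password and MFA columns for human users.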

Andromeda Security is an Identity Security Platform for human and non-human identities that provides complete visibility and insights across your cloud environments, makes recommendations to maintain least privilege based on usage and risk, and provides just-in-time (JIT) access with our AI recommendation engine.
