Cloud TTPs Details. The Cyber Magician's Handbook
Key TTPs of document "cyber actors adapt tactics for initial cloud access"
📌Credential Access / T1110 Brute Forcing: actors utilize password spraying and brute forcing as initial infection vectors. This approach involves attempting multiple passwords against different accounts (password spraying) or numerous password attempts on a single account (brute forcing) to gain unauthorized access.
📌Initial Access / T1078.004 Valid Accounts: Cloud Accounts: The actors gain access to cloud services by using compromised credentials. This includes targeting both system accounts (used for automated tasks and services) and dormant accounts (inactive accounts that still remain on the system).
📌Credential Access / T1528 Steal Application Access Token: Actors exploit stolen access tokens to log into accounts without needing the passwords. Access tokens are digital keys that allow access to user accounts, and obtaining these can bypass traditional login mechanisms.
📌Credential Access / T1621 Multi-Factor Authentication Request Generation: Known as 'MFA bombing' or 'MFA fatigue,' this technique involves actors repeatedly sending MFA requests to a victim's device. The goal is to overwhelm or fatigue the victim into accepting the request, thus granting the attacker access.
📌Command and Control / T1090.002 Proxy: External Proxy: To maintain covert operations and blend in with normal traffic, actors use open proxies located in residential IP ranges. This makes malicious connections harder to distinguish from legitimate user activity in access logs.
📌Persistence / T1098.005 Account Manipulation: Device Registration: After gaining access to accounts, actors attempt to register their own devices on the cloud tenant. Successful device registration can provide persistent access to the cloud environment.
Access via Service and Dormant Accounts
One of the key strategies employed by actors involves targeting service and dormant accounts within cloud environments. Service accounts are used to run and manage applications and services without direct human interaction. These accounts are particularly vulnerable because they often cannot be protected with multi-factor authentication (MFA) and may have highly privileged access depending on their role in managing applications and services. By gaining access to these accounts, threat actors can obtain privileged initial access to a network, which they can use as a launchpad for further operations.
The document also highlights that campaigns have targeted dormant accounts: accounts belonging to users who are no longer active within the victim organization but have not been removed from the system. These accounts can be exploited by attackers to regain access to a network, especially following incident response measures such as enforced password resets. Actors have been observed logging into these inactive accounts and following password reset instructions, allowing them to maintain access even after incident response teams have attempted to evict them.
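Three checks that follow from the two paragraphs above, written here as an added example (this is not code from the advisory or from any vendor): a stale-account sweep, a list of service accounts that cannot be MFA-challenged, and a detector for the "dormant account wakes up and immediately resets its password" pattern. The directory snapshot, the audit lines and the 90-day dormancy threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed directory snapshot (not real data). `kind` is "user" or "service";
# `mfa` records whether the account can be challenged for a second factor.
INVENTORY = [
    {"user": "alice@example.test",      "kind": "user",    "last_sign_in": "2024-02-25", "mfa": True},
    {"user": "jsmith@example.test",     "kind": "user",    "last_sign_in": "2023-09-01", "mfa": True},
    {"user": "svc-backup@example.test", "kind": "service", "last_sign_in": "2024-02-26", "mfa": False},
    {"user": "svc-ci@example.test",     "kind": "service", "last_sign_in": "2024-02-26", "mfa": True},
]

# Constructed audit trail (not real logs): timestamp,user,action
AUDIT = """\
2023-09-01T10:00:00Z,jsmith@example.test,SIGN_IN
2024-02-25T08:00:00Z,alice@example.test,SIGN_IN
2024-02-26T08:00:00Z,alice@example.test,SIGN_IN
2024-02-26T11:00:00Z,jsmith@example.test,SIGN_IN
2024-02-26T11:07:00Z,jsmith@example.test,PASSWORD_RESET
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def dormant_accounts(inventory, as_of, days=90):
    """Accounts with no sign-in for `days`: candidates for disabling, then removal."""
    cutoff = as_of - timedelta(days=days)
    return sorted(a["user"] for a in inventory
                  if datetime.strptime(a["last_sign_in"], "%Y-%m-%d") < cutoff)


def unprotected_service_accounts(inventory):
    """Service accounts that cannot be MFA-challenged. These need long random
    secrets, rotation and the narrowest privileges the workload allows."""
    return sorted(a["user"] for a in inventory
                  if a["kind"] == "service" and not a["mfa"])


def dormant_reactivations(audit_text, dormancy_days=90, reset_window=timedelta(hours=1)):
    """Sign-ins by an account that had been silent for at least `dormancy_days`,
    noting whether a password reset followed within `reset_window` (the pattern
    used to survive an eviction that relied on forced resets)."""
    events = []
    for line in audit_text.splitlines():
        if line.strip():
            ts, user, action = line.split(",")
            events.append((_ts(ts), user, action))
    events.sort()
    last_seen, findings = {}, []
    for i, (ts, user, action) in enumerate(events):
        if action != "SIGN_IN":
            continue
        prev = last_seen.get(user)
        last_seen[user] = ts
        if prev is None or ts - prev < timedelta(days=dormancy_days):
            continue
        reset_followed = any(
            u == user and a == "PASSWORD_RESET" and timedelta(0) <= t - ts <= reset_window
            for t, u, a in events[i + 1:]
        )
        findings.append({"user": user, "gap_days": (ts - prev).days,
                         "reset_followed": reset_followed})
    return findings


if __name__ == "__main__":
    now = datetime(2024, 2, 26)
    print("dormant:", dormant_accounts(INVENTORY, now))
    print("service accounts without MFA:", unprotected_service_accounts(INVENTORY))
    print("reactivations:", dormant_reactivations(AUDIT))
```

The reactivation detector deliberately keys on the gap before the sign-in rather than on the inventory snapshot, so it still fires for an account that HR never flagged; the 90-day threshold is a constructed default and should be set to whatever your leaver process actually guarantees.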
Cloud-Based Token Authentication
Another TTP mentioned in the document is the use of cloud-based token authentication. Actors have been observed using system-issued access tokens to authenticate to victims' accounts without needing a password. This technique bypasses traditional credential-based authentication methods and can be particularly effective if the validity period of these tokens is long or if the tokens are not properly secured and managed.
Brute Forcing and Password Spraying
The document also describes the use of brute forcing (T1110) and password spraying by actors as initial infection vectors. These techniques involve attempting to access accounts by trying many passwords against one account or by trying a few common passwords against many accounts, respectively. Such methods are often successful due to the use of weak or reused passwords across different accounts.
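As an added example (not from the advisory, and not any product's detection content), here is the distinction between the two techniques turned into detection logic over a constructed sign-in log: a spray shows up as one source failing against many distinct accounts, a brute force as many failures against one account, and the finding worth paging on is a success from a source that was spraying. Log format, thresholds, addresses and account names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not real data): timestamp,user,source_ip,result
# 203.0.113.10 tries many accounts once each (spray) and eventually lands one;
# 198.51.100.7 hammers a single service account (brute force).
SAMPLE_LOG = """\
2024-02-26T09:00:01Z,alice@example.test,203.0.113.10,FAILURE
2024-02-26T09:00:02Z,bob@example.test,203.0.113.10,FAILURE
2024-02-26T09:00:03Z,carol@example.test,203.0.113.10,FAILURE
2024-02-26T09:00:04Z,dave@example.test,203.0.113.10,FAILURE
2024-02-26T09:00:05Z,erin@example.test,203.0.113.10,FAILURE
2024-02-26T09:00:06Z,frank@example.test,203.0.113.10,SUCCESS
2024-02-26T09:05:00Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:01Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:02Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:03Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:04Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:05Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:06Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:07Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:08Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:09Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:10Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:05:11Z,svc-backup@example.test,198.51.100.7,FAILURE
2024-02-26T09:30:00Z,alice@example.test,192.0.2.44,FAILURE
2024-02-26T09:31:00Z,alice@example.test,192.0.2.44,SUCCESS
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events


def _windowed(attempts, window):
    """For each attempt in a time-sorted list of (ts, value), yield the values of
    every attempt falling within `window` after it (a sliding window)."""
    for i, (start, _) in enumerate(attempts):
        yield [v for ts, v in attempts[i:] if ts - start <= window]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """{source_ip: accounts} for sources that failed against >= min_accounts
    *distinct* accounts inside `window`. Counting distinct accounts rather than
    attempts is what separates a spray from one user mistyping a password."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for users in _windowed(attempts, window):
            if len(set(users)) >= min_accounts:
                findings[ip] = sorted(set(users))
                break
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=10):
    """{account: failures} for accounts with >= min_failures failed attempts
    inside `window`, regardless of how many sources they came from."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_user[e["user"]].append((e["ts"], e["ip"]))
    findings = {}
    for user, attempts in by_user.items():
        attempts.sort()
        for ips in _windowed(attempts, window):
            if len(ips) >= min_failures:
                findings[user] = len(ips)
                break
    return findings


def successes_from_spraying_ips(events, spray_findings):
    """The high-priority finding: a successful sign-in from a source that was spraying."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in spray_findings]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    print("spraying sources:", spray)
    print("brute-forced accounts:", detect_brute_force(evs))
    print("successes from spraying sources:", successes_from_spraying_ips(evs, spray))
```

Note the thresholds interact with the attacker's pacing: a spray run slowly enough that fewer than five accounts fail inside any ten-minute window will not trip `detect_password_spray`, so widen the window (hours or days) for a second, lower-fidelity rule rather than relying on one setting.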
The Role of Access Tokens
Access tokens are an integral part of modern authentication systems, especially in cloud environments. They are designed to simplify the login process for users and provide a secure method of accessing resources without repeatedly entering credentials. Tokens are typically issued after a user logs in with a username and password, and they can be used for subsequent authentication requests.
Risks Associated with Token Authentication
While token-based authentication can offer convenience and security, it also introduces specific risks if not properly managed. If threat actors obtain these tokens, they can gain access to accounts without needing to know the passwords. This can be particularly problematic if the tokens have a long validity period or if they are not adequately secured.
Adjusting Token Validity
The document notes that the default validity time of system-issued tokens can vary depending on the system in use. However, it is crucial for cloud platforms to provide administrators with the ability to adjust the validity time of these tokens to suit their security needs. Shortening the validity period of tokens can reduce the window of opportunity for unauthorized access if tokens are compromised.
Bypassing Password Authentication and MFA
The document details how actors have successfully bypassed password authentication on personal accounts through techniques such as password spraying and credential reuse. Password spraying involves attempting to access a large number of accounts using commonly used passwords, while credential reuse exploits the tendency of users to recycle the same passwords across multiple accounts. These methods exploit weaknesses in password-based authentication systems to gain initial access to accounts.
Furthermore, actors have employed a technique known as 'MFA bombing' or 'MFA fatigue' (T1621) to bypass multi-factor authentication (MFA) systems. This technique involves repeatedly sending MFA requests to a victim's device until the victim, overwhelmed or frustrated by the constant notifications, accepts the request. This method effectively exploits human psychology and the inconvenience of repeated notifications to circumvent an otherwise robust security measure.
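The MFA fatigue pattern described above leaves a distinctive trace in push-notification logs: a burst of denied or timed-out prompts for one user, then an approval. The detector below is an added example (not from the advisory or any MFA vendor) over a constructed push log; the log format, the ten-minute window and the threshold of five unapproved prompts are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push log (not real data): timestamp,user,source_ip,outcome
# bob is bombed late at night until he taps approve; alice denies one prompt
# by mistake and approves the next, which is ordinary behaviour.
MFA_LOG = """\
2024-02-26T22:10:00Z,bob@example.test,203.0.113.10,DENIED
2024-02-26T22:10:40Z,bob@example.test,203.0.113.10,DENIED
2024-02-26T22:11:20Z,bob@example.test,203.0.113.10,TIMEOUT
2024-02-26T22:12:00Z,bob@example.test,203.0.113.10,DENIED
2024-02-26T22:12:40Z,bob@example.test,203.0.113.10,DENIED
2024-02-26T22:13:20Z,bob@example.test,203.0.113.10,TIMEOUT
2024-02-26T22:14:00Z,bob@example.test,203.0.113.10,APPROVED
2024-02-26T09:00:00Z,alice@example.test,192.0.2.44,DENIED
2024-02-26T09:00:30Z,alice@example.test,192.0.2.44,APPROVED
"""

UNAPPROVED = {"DENIED", "TIMEOUT"}


def parse_mfa_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "outcome": outcome})
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_unapproved=5):
    """Per user, find a `window` containing >= min_unapproved denied/timed-out
    prompts. Record whether an APPROVED came *after* those prompts inside the
    same window: that is the case where the actor is now authenticated."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            unapproved = [e for e in span if e["outcome"] in UNAPPROVED]
            if len(unapproved) < min_unapproved:
                continue
            approved_after = any(e["outcome"] == "APPROVED" and e["ts"] > unapproved[-1]["ts"]
                                 for e in span)
            findings[user] = {
                "unapproved_pushes": len(unapproved),
                "approved_after_pushes": approved_after,
                "source_ips": sorted({e["ip"] for e in span}),
            }
            break
    return findings


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(parse_mfa_log(MFA_LOG)).items():
        print(user, f)
```

Detection here is after the fact; the approval has already happened by the time the rule fires, so treat `approved_after_pushes` as an incident, not an alert. Prompt-based factors that require the user to type a number shown on the login screen, or phishing-resistant factors such as FIDO2 keys, remove the "just tap approve" path that this technique depends on.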
Enrolling New Devices to the Cloud
Once past these initial security barriers, the document reports that actors have been observed registering their own devices as new devices on the cloud tenant (T1098.005). This step is critical for maintaining access to the cloud environment and facilitating further malicious activities. The success of this tactic hinges on the absence of stringent device validation rules within the cloud tenant's security configuration. Without proper device validation measures, attackers can easily add unauthorized devices to the network, granting them access to sensitive data and systems.
Defense Against Unauthorized Device Enrollment
The document highlights the importance of configuring the network with robust device enrollment policies as a defense mechanism against such attacks. By implementing strict device validation rules and enrollment policies, organizations can significantly reduce the risk of unauthorized device registration. Instances where these measures have been effectively applied have successfully defended against actors, denying them access to the cloud tenant.
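What "strict device validation rules" can look like in practice, as an added example that is this page's own illustration and not any cloud provider's policy schema: a registration request is only honoured when it follows a recent sign-in from the same address, that session used a phishing-resistant factor, and the address has a history with this user. The sign-in history, the two registration attempts and the policy values are constructed for the example; the second attempt models an actor registering a device right after winning an MFA-fatigue sign-in.

```python
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in history (not real data): (timestamp, user, source_ip, mfa_method)
SIGN_INS = [
    ("2024-02-19T08:00:00Z", "alice@example.test", "192.0.2.10",   "fido2"),
    ("2024-02-20T08:05:00Z", "alice@example.test", "192.0.2.10",   "fido2"),
    ("2024-02-26T08:02:00Z", "alice@example.test", "192.0.2.10",   "fido2"),
    ("2024-02-26T22:14:00Z", "alice@example.test", "203.0.113.10", "push"),  # post-fatigue sign-in
]

# Constructed device-registration requests: (timestamp, user, source_ip, device_name)
REGISTRATIONS = [
    ("2024-02-26T08:10:00Z", "alice@example.test", "192.0.2.10",   "ALICE-LAPTOP"),
    ("2024-02-26T22:20:00Z", "alice@example.test", "203.0.113.10", "DESKTOP-7F3K"),
]

# Hypothetical enrollment policy (this script's own structure, not a vendor's).
POLICY = {
    "session_max_age": timedelta(hours=1),    # must follow a recent sign-in from the same IP
    "allowed_mfa": {"fido2", "smartcard"},    # only phishing-resistant factors may authorise enrollment
    "min_ip_history": timedelta(days=7),      # IP must have been used by this user for at least a week
}


def evaluate_registration(reg, sign_ins, policy):
    """Return ("allow", device) or ("deny", reason) for one registration request."""
    ts, user, ip, device = _ts(reg[0]), reg[1], reg[2], reg[3]
    history = sorted((_ts(t), u, i, m) for t, u, i, m in sign_ins
                     if u == user and _ts(t) <= ts)
    session = [h for h in history if h[2] == ip and ts - h[0] <= policy["session_max_age"]]
    if not session:
        return ("deny", f"{device}: no recent sign-in from {ip}")
    method = session[-1][3]
    if method not in policy["allowed_mfa"]:
        return ("deny", f"{device}: session MFA method {method!r} not accepted for enrollment")
    first_seen = min(h[0] for h in history if h[2] == ip)
    if ts - first_seen < policy["min_ip_history"]:
        return ("deny", f"{device}: {ip} first seen for {user} only {ts - first_seen} ago")
    return ("allow", device)


def evaluate_all(regs=REGISTRATIONS, sign_ins=SIGN_INS, policy=POLICY):
    return [evaluate_registration(r, sign_ins, policy) for r in regs]


if __name__ == "__main__":
    for decision in evaluate_all():
        print(decision)
```

The ordering of the checks matters for the error message, not the outcome; all three conditions must hold. The IP-history rule is deliberately conservative and will block a legitimate user enrolling from a new network, so in a real tenant it would usually be backed by an administrator-approved exception path rather than relaxed globally.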
Residential Proxies and Their Use by Actors
Residential proxies are intermediary services that allow users to route their internet traffic through an IP address provided by an internet service provider (ISP) that is typically assigned to a residential address. This makes the traffic appear as if it is originating from a regular home user, which can be particularly useful for cyber actors looking to blend in with normal internet traffic and avoid raising red flags.
The use of residential proxies by actors serves to obfuscate their true location and the source of their malicious activities. By making their traffic appear to come from legitimate ISP ranges used by residential broadband customers, they can significantly reduce the likelihood of their connections being flagged as malicious. This tactic complicates the efforts of cybersecurity defenses that rely on IP address reputation or geolocation as indicators of compromise.
Challenges Posed by Residential Proxies
The effectiveness of residential proxies in hiding the origin of traffic presents a challenge for network defenses. Traditional security measures that track and block known malicious IP addresses may not be effective against attackers using residential proxies, as these IP addresses may not have a prior history of malicious activity and are indistinguishable from those of legitimate users.
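Because a residential proxy address has no reputation to block, the checks that still work are the ones anchored to the user rather than to the address. The example below is added here (not from the advisory or any product) to show the contrast over a constructed sign-in history: the blocklist passes the proxy address, while a per-user network baseline flags it, and a second rule catches the same user appearing on two networks within minutes. The address-to-ASN map, the blocklist and the sign-ins are all constructed; 203.0.113.0/24 stands in for a residential range.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed address-to-network map (not real allocations).
ASN_OF = {
    "192.0.2.10":   "AS64500 ExampleCorp",
    "203.0.113.10": "AS64496 HomeISP",
    "203.0.113.77": "AS64496 HomeISP",
    "198.51.100.7": "AS64499 VPS-Host",
}
BLOCKLIST = {"198.51.100.7"}  # the only address with prior bad reputation

# Constructed successful sign-ins: (timestamp, user, source_ip, result)
SIGN_INS = [
    ("2024-02-01T08:00:00Z", "alice@example.test", "192.0.2.10",   "SUCCESS"),
    ("2024-02-19T08:00:00Z", "alice@example.test", "192.0.2.10",   "SUCCESS"),
    ("2024-02-26T08:00:00Z", "alice@example.test", "192.0.2.10",   "SUCCESS"),
    ("2024-02-26T22:14:00Z", "alice@example.test", "203.0.113.10", "SUCCESS"),  # via residential proxy
    ("2024-02-26T22:30:00Z", "alice@example.test", "192.0.2.10",   "SUCCESS"),  # alice herself, from the office
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reputation_blocked(ip, blocklist=BLOCKLIST):
    """The traditional control: blocks only addresses with a prior bad record."""
    return ip in blocklist


def new_network_sign_ins(events, history_days=30, asn_of=ASN_OF):
    """Successful sign-ins from a network (ASN) the user has not used in the
    previous `history_days`. Needs at least one prior sign-in to have a baseline."""
    seen = defaultdict(list)          # user -> [(ts, asn)]
    findings = []
    for ts_str, user, ip, result in sorted(events):
        if result != "SUCCESS":
            continue
        ts, asn = _ts(ts_str), asn_of.get(ip, "unknown")
        recent = {a for t, a in seen[user] if ts - t <= timedelta(days=history_days)}
        if recent and asn not in recent:
            findings.append((ts_str, user, ip, asn))
        seen[user].append((ts, asn))
    return findings


def concurrent_network_sign_ins(events, window=timedelta(minutes=30), asn_of=ASN_OF):
    """Users with successful sign-ins from two different networks inside `window`:
    one person is rarely on a corporate link and a home broadband line at once."""
    by_user = defaultdict(list)
    for ts_str, user, ip, result in sorted(events):
        if result == "SUCCESS":
            by_user[user].append((_ts(ts_str), asn_of.get(ip, "unknown")))
    findings = {}
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            asns = {a for t, a in hits[i:] if t - start <= window}
            if len(asns) > 1:
                findings[user] = sorted(asns)
                break
    return findings


if __name__ == "__main__":
    print("blocklist stops proxy address:", reputation_blocked("203.0.113.10"))
    print("new-network sign-ins:", new_network_sign_ins(SIGN_INS))
    print("concurrent networks:", concurrent_network_sign_ins(SIGN_INS))
```

Neither rule names the proxy as malicious; they only say the session does not fit the user. That is the right framing for residential proxy traffic, and it is why these rules belong alongside the device-enrollment and token-lifetime controls rather than in place of an IP blocklist.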