Nathaniel "Q" Quist works with Palo Alto Networks' Prisma Cloud and Unit 42 as a Senior Threat Researcher focused on researching the threats facing public cloud platforms, tools, and services. He has worked within government, public, and private sectors. He holds a master of science in information security engineering (MSISE) from the SANS Institute, where he focused on network and system forensics, malware reversal, and incident response. He is the author of multiple blogs, reports, and whitepapers published by Unit 42 as well as the SANS InfoSec Reading Room. Quist is actively focused on identifying the threats facing cloud environments, specifically the malware targeting those environments and the actor groups behind those attacks.
About the talk
Nathaniel Quist, Senior Threat Researcher, Palo Alto Networks/Unit 42
Dr. Chien-An (Jay) Chen, Sr. Threat Researcher, Palo Alto Networks
Pen testers poke at misconfigured IAM policies, cloud users open their environments to attack, and attackers target IAM credentials while cryptojacking. Dive into how identity impacts cloud environments from three different angles: a red team case study, alert analysis from thousands of accounts across three major CSPs, and how cryptojacking malware authors are targeting IAM credentials.
Hi, my name is Jay. I am a cloud security researcher with Palo Alto Networks. My research has been focused on cloud security. This is my coworker, Nathaniel Quist.
Hi, my name is Nathaniel. I'm a senior researcher with Palo Alto Networks and Unit 42. My primary focus is on cloud security and the threats that exist in cloud environments.
So for the first half of the talk, I will first go over an interesting red team exercise that we did. I will start with identity and access management as the background. I will then go into the details of the red team exercise. After the exercise, Nathaniel will cover the evidence that we saw in our internal dataset, and he will present some interesting findings related to cryptojacking. Finally, we will cover how to prevent these.
The fundamental concept of identity and access management is: what actions can a principal perform on a set of resources? The principal can be a user or an application, and the actions can be things like read, write, or delete, and the resource can be a file, a function, and so on. If we put this in the cloud, in the context of AWS IAM, the principal can be a user, a role, or a federated user, or even an application. The actions that can be performed depend on the resource. For EC2, there is a set of actions on instances such as start instance, stop instance, and terminate instance. And in the case of AWS, there are currently more than 200 different services; you can actually find a service for any kind of application that you can think of. And for each service, there is a set of more than 50 actions that can be defined for that specific service. And out of the box, when you create an account, there are 500 pre-defined managed policies that AWS defines for users. With so many services and so many actions, it is not an easy job to manage identity and access. Imagine that you are responsible for a cloud account with hundreds of users, hundreds of developers. It is impossible to define a permission policy for each user, and you probably don't want those engineers to come to you every day for access to different services in the cloud environment.
So in 2020 we did an engagement with one of our customers; we worked with them to perform a red team exercise to evaluate their cloud environment. The outcome of this red team exercise was that we found a few critical and interesting findings that allowed us to take over the account. We started by threat modeling the environment, and we looked at the environment from different aspects. Today I will just cover the two most interesting findings that we had during our red team exercise
related to identity and access management: misconfigurations that allowed us to compromise their environment. The first is an overly permissive permission policy. We started as a developer. We were given a developer's permissions to emulate an insider attack or a credential leak: an engineer's or software developer's account was stolen, and an attacker can use that stolen account to attack from inside the account. So the first misconfiguration we saw is that, with a developer account, we can put together a set of overly permissive permissions and eventually gain admin access, the highest privilege.
And the second misconfiguration is an overly permissive IAM trust policy. In this particular scenario, we started as an outsider. We did not have any permission, zero privilege, in the cloud environment. We gained a foothold into their cloud as an anonymous user, and eventually moved from the initial point of foothold to other services and accessed highly sensitive data in the customer's environment.
So before I go over the first finding, I will first cover two important concepts in order to understand this misconfiguration. A service role is a type of role in an AWS environment that is assigned to services such as EC2, ECS, or Lambda. A service role grants a service permission to access cloud resources. A service role can be attached to an EC2 instance, and this virtual machine, after being attached to the service role, can start to access resources such as Lambda or Key Management Service. So this is a special type of role that is assigned to services, not users.
PassRole is a special action in identity and access management. The PassRole permission allows a principal to attach a service role to a service. If I'm a user and I have the PassRole permission, I can create an EC2 instance and attach a service role to this VM, and then use the permissions associated with this service role to access AWS resources. Graphically: I have my permissions, I can first create an EC2 instance and attach a service role to this instance, and this instance then can use the service role to access other AWS resources.
So, as I mentioned earlier, we started as a developer. We were given the same developer permissions as the other developers in the same environment. We quickly found a particular permission that immediately caught our attention: iam:PassRole. Why is this special? Why do we say PassRole is an interesting action? The reason is that it's really about the configuration of this permission. With this permission, we were able to pass any service role to any service we wanted. This is because of the resource: any role to any service. Then we started to check what service roles we were allowed to pass. There was a set of service roles in this AWS account that we were testing, and we looked into each service role to check their permissions. And luckily, there were a few service roles that have admin access, the highest privilege in the account. So now we have the PassRole permission that allows us to pass any service role, and we also found not just one but multiple service roles that have admin permission. So now we have multiple attack paths, and this is just one example of how we can exploit this. Just like I described earlier, we first create an instance and we attach a service role with admin permission to this instance. Because we created this instance, we can log in; we have the key, so we can log into this virtual machine and start to access the cloud from this virtual machine. What I described here is just one of the possible attack paths, because we also have access to other services, such as Lambda functions and the Elastic Container Service. We can also perform the same kind of attack using other services such as Lambda or ECS.
Now let's look at the second misconfiguration: an overly permissive IAM trust policy.
A role is associated with two policies. The first one is the trust policy, and the second is the permission policy. The trust policy defines who can assume or use this role. So in this example, the trust policy grants permission to the EC2 service: only the EC2 service can use the role to perform actions. Now let's look at the root cause of the second misconfiguration. The root cause of this misconfiguration is an overly permissive trust policy. What we saw in the customer's environment was a trust policy that grants everyone permission to access, use, or assume this role, as I highlight in the red box: "*", meaning that anyone can assume and use this role. And this anyone can be any person inside or outside the cloud. You don't need to be a user in this particular environment; you can be any user in another environment, as long as you know the name of this role, and you can get access to this role. So this is like having a user that can log in without a password: all you need to know is the username, and then you can access the account, like you can access a house.
So this allowed us to get into the customer's cloud. I will explain how we actually exploited the misconfiguration and moved laterally in the cloud environment. Because of this misconfiguration, we as outsiders got access to the environment by assuming this role. We were then able to identify what permissions were granted to this particular role that we assumed. So we found that this role had access to three AWS services: EC2, S3, and KMS. And the permission configuration of this role was actually very limited for each service; it only granted a very small set of permissions. However, we were able to use and leverage this small subset of permissions to move laterally inside the cloud environment and eventually reach the critical information, the sensitive data. In particular, we looked at the EC2 instances in the cloud environment, and from there we identified a set of S3 buckets that those EC2 instances access. Because we have the S3 list and get permissions, we can also access those S3 buckets. And inside, we found a lot of information. The information that we saw in these S3 buckets was certificates, and then we also found encrypted credentials stored inside this S3 bucket, which we were able to decrypt with the KMS service that was also in this account, and we got access to their source code repository. Like a single, just a simple misconfiguration allowed us to gain the initial foothold, and from there we started to move laterally.
After the red team exercise, we were very curious: how prevalent is this type of misconfiguration in the wild? So we started a research project in which we tried to identify this type of trust policy in the wild. How we did it: we first crawled public files to find the user names and the role names in those files. We extracted the account IDs from these files and put together a bunch of possible role names and account IDs. Then we started to test them to find out if any of these roles were misconfigured. What we eventually found out: we went through around 300,000 files, around 150 [inaudible], and identified almost 70,000 role names. We found a subset of these roles that were misconfigured, and out of this
many EC2 snapshots that we could access, and a lot of really good information in there.
So within this next section of the talk, we'll be talking about information that we looked at across multiple cloud environments. We're looking at the data that we've actually found from these environments that can lead to the potential risks that we saw within the red team exercise that we performed. And then we're going to dive into the incidents and how they actually can relate back to some of the PassRole functions or even the misconfigured IAM trust policies that Jay alluded to.
So first we're going to look at the evidence-based findings in these aspects. Again, we wanted to look at identity as a whole, identity and access management, and we dove into specific environments to see if we could find examples of potential threats that are in environments today that could bring about a security risk or a compromise. What we want to look at here is overly prescribed permissions: exactly what roles count on and what they actually do. One of the biggest threats that we saw: we found that 62% of cloud organizations on a global scale that are using Google Cloud Platform, their VMs inside of Google Cloud Platform are actually running underneath admin rights, or an elevated service account that has admin privileges within them. So 62% of all cloud organizations using Google Cloud Platform. We saw this particular percentage of organizations within particular regions as well, so a pretty high value.
With the access keys, again, as Jay was just talking about, when it comes to the access keys that we may be able to scrape or glean from GitHub, or if we were able to find specific access keys within cloud instances themselves, like if they have a snapshot, we may find an access key within that: we found that these access keys are not being rotated on a regular basis. So we looked at access keys that are in excess of 90 days old, so older than 90 days. We found that [inaudible] percent of organizations that are using the cloud on a global basis have access keys that are older than 90 days. Looking at the regionality of this particular finding, 72% of cloud organizations located within EMEA have access keys that are older than 90 days. Something else very serious that we saw: only 24% of organizations have enabled multi-factor authentication for their root accounts, which means that 76% of organizations have not enabled MFA for the root accounts. That's just a staggering number. MFA is not the only sort of security, but it is something that makes the ability to log into a particular account a whole lot more difficult; it raises the bar significantly. So getting our cloud environments, our cloud IAM roles, especially those with root privileges or admin or administrative access, protected with MFA is a key target that we should all focus on.
In contrast to just traditional or standard users of IAM roles, we found that 47% of traditional roles are actually [inaudible]. We want to be able to actually push our DevOps and IT community to shore up some of these identity and access management credentials; we're in transition a little bit. One thing we talked about within our Cloud Threat Report as well, within this last one here, was cryptojacking. Specifically, we found that 23% of organizations' environments worldwide experienced some sort of communication with cryptojacking or crypto mining operations, network communications within their cloud environments. So nearly a quarter of all cloud environments are actually doing some sort of communication with these mining pools.
What do these operations actually look like? Within this, there are two specific crypto mining operations, specifically Kinsing, and another one, TeamTNT. Both of these cryptojacking groups are actually actively targeting AWS environments, and they're specifically targeting AWS credentials. How they operate in general is that they cast a very wide net using scanning tools like masscan and pnscan. They've also started using other tools like zgrab, which is a Go-based network scanner as well. They are focusing on finding exploitable systems that are exposed, and once they exploit them, their very first action is to gather and capture the AWS credentials on those particular endpoints. If the .aws folder, the configuration folder, does exist on those endpoints, they will scrape those credentials and then send them off to their command-and-control node, so they can most likely perform post-exploitation operations. Let's refer back to what Jay was talking about with both the first and the second scenario in his portion of the talk: if you know the access keys and the access ID for particular accounts, are there misconfigured permissions within those particular roles that you can leverage to gain larger access outside of those instances? So we see that cryptojacking operations are actually most likely targeting the larger cloud environments in order to do additional damage or additional information gathering.
One thing of note that I would really like to state: within most cryptojacking operations there is a lot of commonality, not just Kinsing and TeamTNT, but with other groups like Rocke, Pacha, 8220, LemonDuck, and a lot of different ones as well. They're very active at removing other miners on those systems, on those environments they've compromised. They're very active about scanning for exposed systems, using masscan specifically; pnscan is another common tool as well. More and more groups are also following the Kinsing and TeamTNT trend in that they're trying to do AWS credential scraping as well. Unit 42 just published a blog, which Jay was a co-author for, that specifically focused on TeamTNT and how they're actually also grabbing Kubernetes credentials as well, so they can start targeting the network mesh that Kubernetes has, so they can exploit that as well. So there is a trend towards larger and larger target bases within the cloud.
So now I want to talk about the mitigation aspects. This will cover both what Jay just presented as well as the information that I discussed. How does this talk apply to the larger RSA Conference agenda, and specifically looking at the educate
and learn aspect? And how do we actually apply that as an industry? From our perspective within this talk, we wanted to provide the education aspect by seeking out new research: Jay and I performed a red team exercise, which we went over, and we're looking at cryptojacking within cloud organizations' environments just kind of in general, and how those affect your environment and your infrastructure. That's where the learning aspect kind of comes into this, with evaluating your cloud environment. So can you identify that policies are performed accurately, that you're not seeing network communications to cryptojacking operations, et cetera? And then how do we apply that: if we do see those, how do we apply specific security measures, or how do we apply the mitigations that Jay has covered and that I'll jump into here in a second, and bring those into your environment so you can actually have a more secure location?
As far as identity and access management, there are specific best practices that we would encourage organizations to perform. We really want to encourage organizations not to use cloud root accounts within their cloud environment, specifically within the example I gave earlier with Google Cloud Platform, with 67% of those organizations providing root access to their VMs: removing that root access and scoping it specifically to a specific service or a very specific task. Minimizing the use, just across the board, of admin credentials; again, using a least privilege capability to only give that particular service or IAM user the credentials and the access they need in order to perform those services that they're going to use. Using groups, using roles, assigning IAM users to specific roles or specific groups will simplify the task and the burden of managing and maintaining IAM accounts. So some sort of hierarchical form that is easy to understand but still granular enough to perform the least privilege function should be used. Rotate your access keys on a regular basis, as Jay said before; using some sort of automation to perform that functionality will greatly enable the security of your cloud infrastructure. And then if you do use passwords, as your organization allows you to use, make sure that your passwords are actually of a significant length, and strengthen your passwords. As far as the consideration of your infrastructure, your identity and access management infrastructure: enabling multi-factor authentication will greatly increase the bar. It will not stop everything, but it will significantly increase the bar and security within your cloud for your identity and access services and roles. Within your cloud environment, monitoring the API for specific threats is a really big bonus as well, and auto-remediating excessive permissions and privileges. If you have user accounts that have not logged in in a very long period of time, removing the IAM access for those particular accounts is recommended. Find some way to remove, especially, administrative access from users that just don't need it. Again, leaving the best for last here: make sure that only the accounts that need access to a specific service or function have it, that that's the only thing they can access, and they don't have anything in excess enabled.
Looking at cryptojacking, there are about five factors that we can look at. We want to ensure that your authentication, all of the container service connections, ensuring that you're not making connections to services or external IP addresses that are not known to your cloud environment; make sure that you're monitoring those. Blocking all firewall ports by default: don't allow access to everything, both inbound and outbound, ingress and egress traffic; make sure that you're specifically allocating what access needs to be assigned for what service. Investing in some cloud security platform, Prisma Cloud or others, something that can monitor your cloud environment to ensure that you are performing best practices for configurations, both of your IAM, your network security, et cetera. Leveraging intelligence feeds, using third-party sources to enrich your environment, so you're enabling the blocking of blacklisted IP addresses or domains that are known to the industry in general. And maintaining a set of trusted images and registries: only deploy images, or container images, that are approved, that are vetted in your environment, so that you're not bringing in images that are corrupted or poisoned containers into your environment.
That wraps up our discussion. If there are any questions, we will refer to those, and thank you very much for attending the talk. Appreciate it.
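As an added example that is not part of the talk or the speakers' material, the following Python script audits IAM policy documents offline for the two misconfigurations Jay described (iam:PassRole granted on any role, and a trust policy whose Principal is "*") and flags access keys older than the 90-day threshold Nathaniel used. The policy documents, the account ID 111122223333, the key IDs and the timestamps are constructed sample data; the function names are this example's own.

```python
"""Offline checks for the IAM weaknesses discussed in the talk.

Added example, not the speakers' or Unit 42's code. It scans policy documents
(as Python dicts, the JSON shape AWS uses) for:
  1. iam:PassRole granted on any role (Resource "*" or an ARN ending ":role/*"),
  2. a role trust policy whose Principal is "*" (anyone can assume the role),
and flags access keys older than 90 days. All policies, the account ID and the
key records below are constructed sample data.
"""
import fnmatch
import json
from datetime import datetime, timezone


def _as_list(value):
    """IAM fields such as Action, Resource and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and may carry '*' wildcards (e.g. 'iam:*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _wildcard_role(resource):
    """True when a Resource entry covers every role: '*' or an ARN ending in ':role/*'."""
    return resource == "*" or resource.endswith(":role/*")


def find_unrestricted_passrole(policy):
    """Return Allow statements that grant iam:PassRole on any role.

    A Condition (for example iam:PassedToService) narrows the grant, so it is
    reported alongside the finding for the reviewer rather than suppressing it.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, "iam:PassRole") for p in actions):
            continue
        wild = [r for r in _as_list(stmt.get("Resource")) if _wildcard_role(r)]
        if wild:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "resources": wild,
                             "has_condition": "Condition" in stmt})
    return findings


def find_open_trust(trust_policy):
    """Return Sids of trust statements that let any AWS principal assume the role.

    Flags Effect Allow with an Action covering sts:AssumeRole, Principal "*"
    or {"AWS": "*"}, and no Condition that would restrict the caller.
    """
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, "sts:AssumeRole") for p in actions):
            continue
        principal = stmt.get("Principal")
        open_to_all = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if open_to_all and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def stale_access_keys(keys, now, max_age_days=90):
    """keys: iterable of (key_id, last_rotated ISO-8601 UTC timestamp).

    Returns the key IDs whose last rotation is more than max_age_days ago.
    """
    stale = []
    for key_id, rotated in keys:
        rotated_at = datetime.fromisoformat(rotated.replace("Z", "+00:00"))
        if (now - rotated_at).days > max_age_days:
            stale.append(key_id)
    return stale


# Constructed sample input (account ID 111122223333 is a documentation placeholder).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-role"},
]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanAssume", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Ec2Only", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SAMPLE_KEYS = [("AKIA0000000000EXAMPL1", "2021-01-05T00:00:00Z"),
               ("AKIA0000000000EXAMPL2", "2021-04-20T00:00:00Z")]
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps({
        "unrestricted_passrole": find_unrestricted_passrole(DEVELOPER_POLICY),
        "open_trust": find_open_trust(OPEN_TRUST) + find_open_trust(EC2_TRUST),
        "stale_keys": stale_access_keys(SAMPLE_KEYS, NOW),
    }, indent=2))
```

The PassRole check treats a wildcard action such as "iam:*" or "*" the same as an explicit "iam:PassRole", because IAM evaluates them the same way; the scoped statement naming a single role ARN is not flagged, and the EC2-only trust policy is not flagged because its Principal names a service, not "*".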