99% of cloud identities are overly permissive, opening door to attackers

Almost all cloud users, roles, services, and resources grant excessive permissions leaving organizations vulnerable to attack expansion in the event of compromise, a new report from Palo Alto’s Unit 42 has revealed. The security vendor’s research discovered that misconfigured identity and access management (IAM) is opening the door to malicious actors that are targeting cloud infrastructure and credentials in attacks.

The findings indicate that when it comes to IAM in the cloud, organizations are struggling to put good governance in place. The report also identifies five attack groups that have been detected targeting cloud environments and reveals their attack methods.

99% of cloud identifies are too permissive

In Identity and Access Management: The First Line of Defense, Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts and over 200 different organizations to understand their configurations and usage patterns. It revealed that 99% of the cloud users, roles, services, and resources granted “excessive permissions” that were left unused for 60 days. Adversaries who compromise these identities can leverage such permissions to move laterally or vertically and expand the attack radius, the report read.

Unit 42’s data showed that there were two times more unused or excessive permissions within built-in Content Security Policies (CSPs) compared to customer-created policies. “Removing these permissions can significantly reduce the risk each cloud resource exposes and minimize the attack surface of the entire cloud environment.” However, cloud security is being hampered by poorly implemented IAM and credential management, the report stated.

Unit 42 said that misconfigurations are behind 65% of detected cloud security incidents, while 53% of analyzed cloud accounts allowed weak password usage and 44% allowed password reuse, the report read. What’s more, almost two-thirds (62%) of organizations had cloud resources publicly exposed. “Misconfigurations within the identity user, role, or group policies within a cloud platform can significantly increase the threat landscape of an organization’s cloud architecture,” and these are vectors adversaries constantly seek to exploit, Unit 42 said. “All the cloud threat actors that we identified attempted to harvest cloud credentials when compromising a server, container, or laptop. A leaked credential with excessive permissions could give attackers a key to the kingdom.”

Unit 42 identifies five attacks groups targeting cloud infrastructure

Unit 42 detected and identified five threat actors leveraging unique escalation techniques and collecting credentials to directly target cloud service platforms. Of them, three performed container specific operations including permission discovery and container resource discovery, two performed container escape operations, and all five collected cloud service or container platform credentials as part of their operating procedures. They are:

• TeamTNT: Considered the most sophisticated cloud threat actor in terms of cloud identity enumeration techniques, this group’s operations include lateral movement within Kubernetes clusters, establishment of IRC botnets, and the hijacking of compromised cloud workload resources to mine the Monero cryptocurrency.
• WatchDog: While technically adept, this group is willing to sacrifice skill for easy access, Unit 42 said. It uses custom-built Go scripts as well as repurposed cryptojacking scripts from other groups (including TeamTNT) and are an opportunistic threat group that targets exposed cloud instances and applications.
• Kinsing: Another opportunistic cloud threat actor with heavy potential for cloud credential collection, this group targets exposed Docker Daemon APIs using GoLang based malicious processes running on Ubuntu containers and has begun to expand their operations outside of Docker containers, specifically targeting container and cloud credential files contained on compromised cloud workloads.
• Rocke: An “old-timer” group ramping up cloud endpoint enumeration techniques, Rocke specializes in ransomware and cryptojacking operations within cloud environments and is known for using the computing power of compromised Linux-based systems, typically hosted within cloud infrastructure.
• 8220: Rocke’s cousin, this group is adopting containers into its target set. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. The group is believed to have originated from a GitHub fork of the Rocke group’s software.

IAM misconfigurations a common entry point 

Unit 42 advised organizations to address IAM vulnerabilities to secure their cloud infrastructures. “Properly configured IAM can block unintended access, provide visibility into cloud activities, and reduce the impact when security incidents happen,” it stated. “However, maintaining IAM in the most secure state is challenging due to its dynamic nature and complexity. Historically, IAM misconfigurations have been the entry point and pivot cybercriminals most commonly exploit.”

To assist in the defense of cloud environments against threat actors, Unit 42 said organizations should implement cloud-native application protection platforms (CNAPP), focus on hardening IAM permissions, and increase security automation.