Today, we announce the release of a second version of the threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats to data stored in cloud storage services. The matrix, first released in April 2021 as detailed in the blog post Threat matrix for storage services, lays out a rich set of attack techniques mapped to a well-known set of tactics described by MITRE’s ATT&CK® framework and comprehensive knowledge base, allowing defenders to more efficiently and effectively adapt and respond to new techniques.
Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: https://aka.ms/StorageServicesThreatMatrix
Of the new techniques detailed in this blog, several noteworthy examples include:
- Object replication – Allows attackers to maliciously misuse the object replication feature in both directions, either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.
- Operations across geo replicas – Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not detect enough activity in a single region to trigger an alert.
- Static website – Allows attackers to exfiltrate data using the “static website” feature, a feature offered by major cloud storage providers that is often overlooked by less experienced users.
In this blog post, we’ll introduce the new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.
New techniques in the matrix
1. Reconnaissance
Reconnaissance consists of techniques that involve attackers actively or passively gathering information that can be used to support targeting.
DNS/Passive DNS – Attackers may search DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).
Victim-owned websites – Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.
2. Initial access
Initial access consists of techniques that use various entry vectors to gain an initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement through a malicious payload that is distributed to other resources.
SFTP credentials – Attackers may obtain and abuse the credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, including credentials in the form of passwords or key pairs.
NFS access – Attackers may gain initial access to a storage account using the NFS protocol where it is enabled. While access is limited to a list of allowed virtual networks configured on the storage account firewall, a connection via the NFS protocol does not require authentication and can be performed by any source on the specified networks.
SMB access – Attackers may gain initial access to storage account file shares using the Server Message Block (SMB) protocol.
Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel for customer data from the victim’s container to the adversary’s container. Inbound replication can be used to deliver malware from an adversary’s container to a victim’s container. After the policy is set, the attacker can operate on their own container without accessing the victim container.
3. Persistence
Persistence consists of techniques that attackers use to keep access to the storage account despite modified credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration change that lets them maintain their foothold on systems.
Create SAS Token – Attackers may create a high-privileged SAS token with a long expiry to preserve valid credentials for a long period. The tokens are not tracked by the storage account, so they cannot be revoked individually (except a Service SAS tied to a stored access policy), and it is not easy to determine whether valid tokens exist in the wild until they are used.
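Because a SAS token is not tracked by the storage account, the only way to find long-lived, high-privileged tokens is to inspect the ones that surface in configuration, code, or logs. The following audit helper is an added example, not code from the post or from Microsoft; the 7-day threshold, the review time and the sample token are constructed assumptions, and it only reads the standard SAS query parameters (sp, se, ss, srt, si, sip, sig).

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Hypothetical review thresholds (assumption): flag any SAS valid for more than 7 days.
MAX_LIFETIME = timedelta(days=7)
# SAS 'sp' permission letters that change data: write, delete, create, add, update.
WRITE_PERMS = set("wdcau")
# Constructed review time so results are reproducible.
REVIEW_TIME = datetime(2023, 6, 1, tzinfo=timezone.utc)

def parse_sas(url_or_query: str) -> dict:
    """Return the SAS query parameters of a full URL or of a bare query string."""
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    return {k: v[0] for k, v in parse_qs(query).items()}

def _sas_time(value: str) -> datetime:
    # SAS times are ISO 8601 in UTC, e.g. 2030-12-31T23:59:59Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url_or_query: str, now: datetime = REVIEW_TIME) -> list:
    """Findings for one SAS token; an empty list means nothing stood out."""
    p = parse_sas(url_or_query)
    if "sig" not in p or "se" not in p:
        return ["not a SAS token (no sig/se parameters)"]
    findings = []
    lifetime = _sas_time(p["se"]) - now
    if lifetime > MAX_LIFETIME:
        findings.append(f"long-lived: expires {p['se']} ({lifetime.days} days from now)")
    if set(p.get("sp", "")) & WRITE_PERMS:
        findings.append(f"write-capable permissions: sp={p['sp']}")
    if "srt" in p:
        # Account SAS: no stored access policy, so only rotating the signing key invalidates it.
        findings.append(f"account SAS: revocable only by key rotation (ss={p.get('ss')}, srt={p['srt']})")
    elif "si" not in p:
        # Service SAS not tied to a stored access policy cannot be revoked individually either.
        findings.append("service SAS without stored access policy (si): not individually revocable")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings

# Constructed sample (not a real token): account SAS with full permissions valid until 2030.
SAMPLE_SAS = ("https://example.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac"
              "&se=2030-12-31T23:59:59Z&st=2023-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
```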
Container access level property – Attackers may alter the container access level property at the granularity of a blob or a container to enable anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even after the initial access technique is no longer valid.
SFTP account – Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local to the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected by rotation of the storage account access keys.
Trusted Azure services – Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed through the firewall even if no firewall rule explicitly allows the source address of the resource.
Trusted access based on a managed identity – Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be selected from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that it can perform on storage account data.
Private endpoint – Attackers may create private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network’s address range. All requests sent to the private endpoint bypass the storage account firewall by design.
4. Defense evasion
The defense evasion tactic consists of techniques that attackers use to avoid detection and hide their malicious activity.
Disable audit logs – Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Disabling these logs can therefore leave a resource exposed to attacks that go undetected.
Disable cloud workload protection – Attackers may disable the cloud workload protection service that raises security alerts upon detection of malicious activities in cloud storage services.
Private endpoint – Attackers may create private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network’s address range. All requests sent to the private endpoint bypass the storage account firewall by design.
Operations across geo replicas – Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.
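The evasion works only against rules that count activity per region. As an added example (not from the post), the logic below runs the same threshold twice over constructed log lines, once keyed by region and once summed across every replica of the account, to show that only the cross-replica rule fires. The log field names and the caller address are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log lines (not real telemetry): one caller reads blobs from the primary
# (eastus) and the read-access secondary (westus) endpoint of the same account, 6 reads each.
SAMPLE_LOG = [
    json.dumps({"account": "constructedacct", "region": "eastus", "caller": "203.0.113.7", "op": "GetBlob"})
    for _ in range(6)
] + [
    json.dumps({"account": "constructedacct", "region": "westus", "caller": "203.0.113.7", "op": "GetBlob"})
    for _ in range(6)
]

def per_region_counts(lines):
    """Operation counts keyed by (account, caller, region): what a rule evaluated per region sees."""
    counts = Counter()
    for line in lines:
        e = json.loads(line)
        counts[(e["account"], e["caller"], e["region"])] += 1
    return counts

def per_account_counts(lines):
    """Operation counts keyed by (account, caller), summed over every replica, plus the regions used."""
    counts, regions = Counter(), defaultdict(set)
    for line in lines:
        e = json.loads(line)
        key = (e["account"], e["caller"])
        counts[key] += 1
        regions[key].add(e["region"])
    return counts, regions

def evaluate(lines, threshold=10):
    """Return (alerts from a per-region rule, alerts from a cross-replica rule) for one threshold."""
    regional = [k for k, n in per_region_counts(lines).items() if n >= threshold]
    counts, regions = per_account_counts(lines)
    combined = [(k, n, sorted(regions[k])) for k, n in counts.items() if n >= threshold]
    return regional, combined
```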
5. Credential access
Credential access consists of techniques for stealing credentials such as account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and provide the opportunity to achieve their goals.
Unsecured communication channel – Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support an unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.
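Several of the techniques above (anonymous container access, local SFTP accounts, unauthenticated NFS, trusted-service and resource-instance firewall exceptions, private endpoints, and HTTP) are visible in the storage account's control-plane properties. This configuration audit is an added example, not Microsoft's code; the property names follow the Microsoft.Storage/storageAccounts resource as I know it and should be treated as an assumption to verify against the current API version, and the sample configuration is constructed.

```python
# Assumption: property names as exposed by the Microsoft.Storage/storageAccounts resource.
RISKY_BYPASS = "AzureServices"

def audit_storage_config(cfg: dict) -> list:
    """Return findings for one storage account resource (empty list if none)."""
    p = cfg.get("properties", cfg)
    findings = []
    # A missing value is treated conservatively as "allowed".
    if p.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob/container access allowed (allowBlobPublicAccess)")
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append("HTTP allowed: credentials can traverse the wire unencrypted")
    if p.get("isSftpEnabled"):
        findings.append("SFTP enabled: local SFTP accounts are outside RBAC and key rotation")
    if p.get("isNfsV3Enabled"):
        findings.append("NFSv3 enabled: unauthenticated access from allowed networks")
    acls = p.get("networkAcls", {})
    if acls.get("defaultAction", "Allow") == "Allow":
        findings.append("firewall default action is Allow")
    if RISKY_BYPASS in acls.get("bypass", ""):
        findings.append("trusted Azure services bypass the firewall (networkAcls.bypass)")
    for rule in acls.get("resourceAccessRules", []):
        findings.append(f"resource instance rule: {rule.get('resourceId')} (tenant {rule.get('tenantId')})")
    for pe in p.get("privateEndpointConnections", []):
        findings.append(f"private endpoint bypasses the firewall: {pe.get('name')}")
    return findings

# Constructed sample, not taken from a real subscription.
SAMPLE_CONFIG = {
    "name": "constructedacct",
    "properties": {
        "allowBlobPublicAccess": True,
        "supportsHttpsTrafficOnly": False,
        "isSftpEnabled": True,
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices, Logging",
            "resourceAccessRules": [{"tenantId": "00000000-0000-0000-0000-000000000000",
                                     "resourceId": "/subscriptions/PLACEHOLDER/resourceGroups/PLACEHOLDER"}],
        },
        "privateEndpointConnections": [{"name": "pe-constructed"}],
    },
}
```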
6. Discovery
Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.
Account configuration discovery – Attackers may leverage control plane access permissions to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, the firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy, which may assist the attacker in performing data destruction.
7. Exfiltration
Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to another cloud storage location outside of the victim account and may include putting size limits on the transmission.
Static website – Attackers may use the “static website” feature to exfiltrate collected data outside of the storage account. Static website is a hosting capability of cloud storage providers that allows serving static web content directly from the storage account. The website can be reached via an alternative web endpoint that might be overlooked when restricting access to the storage account.
Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel for customer data from a victim’s container to an adversary’s container.
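The object replication technique, both the inbound delivery case under Initial access and the outbound exfiltration case here, shows up as a policy whose peer account is not one the owner recognises. The following check is an added example, not code from the post or from Microsoft: it classifies each policy on the reviewed account by direction and flags peers outside a trusted allowlist. The policy field names (sourceAccount, destinationAccount, rules) follow the object replication policy resource as I know it and are an assumption; the policies themselves are constructed.

```python
# Constructed policies (assumption: field names follow the object replication policy resource).
SAMPLE_POLICIES = [
    {"policyId": "constructed-1", "sourceAccount": "reviewedacct", "destinationAccount": "unknownacct",
     "rules": [{"ruleId": "r1", "sourceContainer": "finance", "destinationContainer": "drop"}]},
    {"policyId": "constructed-2", "sourceAccount": "backupacct", "destinationAccount": "reviewedacct",
     "rules": [{"ruleId": "r2", "sourceContainer": "archive", "destinationContainer": "restore"}]},
    {"policyId": "constructed-3", "sourceAccount": "strangeracct", "destinationAccount": "reviewedacct",
     "rules": [{"ruleId": "r3", "sourceContainer": "tools", "destinationContainer": "uploads"},
               {"ruleId": "r4", "sourceContainer": "tools", "destinationContainer": "scripts"}]},
]

def audit_replication(account: str, policies: list, trusted: set) -> list:
    """Classify each policy involving `account` as outbound or inbound; flag peers outside `trusted`."""
    findings = []
    for pol in policies:
        src, dst = pol["sourceAccount"], pol["destinationAccount"]
        if src == account:
            direction, peer = "outbound", dst   # data leaves this account: possible exfiltration channel
        elif dst == account:
            direction, peer = "inbound", src    # data enters this account: possible delivery channel
        else:
            continue  # policy does not involve the account under review
        if peer not in trusted:
            containers = ", ".join(f"{r['sourceContainer']}->{r['destinationContainer']}"
                                   for r in pol["rules"])
            findings.append((pol["policyId"], direction, peer, containers))
    return findings
```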
Conclusion
As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats to your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. Learn more about Microsoft Defender for Cloud support for storage protection.
Evgeny Bogokovsky
Microsoft Threat Intelligence
Further reading
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.