T1078.004-Cloud Accounts
MITRE ATT&CK Technique: T1078.004-Cloud Accounts. Detections, visibility, use cases and real world attack insights.
Adversaries may use valid accounts in cloud environments for Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Organizations create these accounts for user access and resource administration; they can be cloud-only, or hybrid accounts that are synced or federated with an on-premises identity source such as Windows Active Directory. Attackers commonly obtain service or user accounts through techniques such as Brute Force and Phishing. Because a synced or federated account carries the same credential into both environments, compromising it can give an adversary a foothold in the cloud and, through Remote Services, in the on-premises systems that trust the same identity.
High-privileged cloud accounts may also let adversaries pivot to on-premises systems, for example by using a SaaS device management tool to execute commands on managed hosts. Once an account is compromised, attackers can add long-lived Additional Cloud Credentials (API keys, service principal secrets, certificates) that survive a password reset and never pass through interactive multi-factor authentication again. Overly broad role assignments then let them harvest sensitive data from cloud storage and databases through the provider's APIs.
What Are Cloud Accounts and Where Do We Use Them in Our Daily Life?
Cloud accounts are digital identities created for users to access various cloud-based services and applications, such as software-as-a-service (SaaS) platforms for email, file storage, and messaging. As organizations increasingly migrate critical productivity applications to the cloud, the volume of sensitive data stored online has surged. This transition has attracted adversaries who now view cloud accounts as valuable targets, similar to traditional endpoints. The threat landscape extends beyond SaaS to include infrastructure-as-a-service (IaaS) platforms like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. These accounts serve as gateways to complex cloud infrastructures containing vital information, making them appealing to both enterprises and adversaries.
The motivations for targeting cloud accounts vary, as these accounts play an integral role in organizational ecosystems. Adversaries exploit the interconnectedness of cloud services, leading to potential data exfiltration, denial of access to critical applications, and unexpected costs due to resource misuse, such as cryptocurrency mining. The ease of creating cloud accounts poses a significant challenge for defenders, particularly in large organizations with thousands of accounts requiring careful oversight of permissions and roles. Additionally, techniques like SMS phishing (or “smishing”) have emerged, allowing adversaries to exploit unsuspecting users through text messages that lead to credential theft. To combat these evolving threats, organizations must implement proactive security awareness training for employees to keep them informed about the latest attack techniques and enhance overall security posture.
Malicious Objectives for Abusing Cloud Accounts
The Evolution of Cloud Credentials
Cloud credentials extend well beyond a username and password. Many SaaS users, especially in small companies, still rely on those alone, but the landscape now includes single sign-on (SSO) sessions and refresh tokens for seamless access, API keys, access tokens and X.509 certificates for programmatic access, and one-time passwords (OTP) and biometrics as additional factors. Each credential type is a separate thing to steal or mint: a session token lifted from a browser or a leaked API key replays an already-authenticated identity and never touches the password or MFA step. The authentication process therefore needs protection at every one of these points, not only at the login form.
Exploiting Access for Reconnaissance
Once adversaries hold legitimate account access, their activity looks like genuine user behavior, which complicates detection. They use that access through web applications, endpoint tools, or command-line interfaces, starting with reconnaissance aimed at escalating their permissions. Automated scripts let them systematically enumerate what the account can reach and pull data from web API endpoints, answering where they are, what the account owns, and which additional accounts are worth targeting.
Common Tactics and Challenges
Common tactics include sifting through files and emails for sensitive information, often in "smash and grab" fashion with email attachments as the primary target. Also on the rise are multi-factor authentication (MFA) method changes, in which the attacker replaces the SMS OTP phone number with one under their control so that re-authentication keeps succeeding for them after the compromise. This evolving threat landscape calls for a proactive approach to security in cloud environments.
Actions That Need to be Taken
In addition to proactive employee training, it is essential for organizations to enforce multi-factor authentication (MFA) across all cloud accounts. To strengthen defenses further, consider adopting phish-resistant MFA methods such as FIDO2 keys, smart cards, or biometric authentication.
It’s important to note that not all MFA factors provide the same level of security. For example, SMS one-time passwords (OTPs) are vulnerable to attacks where adversaries gain access to legitimate credentials and execute a "SIM swap" to intercept these codes. While SMS-based MFA is an improvement over having no MFA at all, it still poses significant risks.
Push notification approvals have a comparable weakness: the user has to accept a prompt on their device, and attackers exploit this with "MFA fatigue", flooding the user with prompts in the hope that one gets accepted by reflex. Number matching, where the user types a code shown on the login screen into the authenticator, closes that gap where it is available. Although less common than SMS interception, push bombing still leads to account takeovers. Even so, any MFA is preferable to none. A genuine multi-factor design combines factors from at least two of the following categories:
Something you know: password or personal identification number (PIN)
Something you have: smart card, mobile authenticator, or hardware token
Something you are: fingerprint, palm print, or voice recognition
Visibility
Most SaaS applications and cloud providers generate valuable logs for tracking system and user activities. However, volume drives storage cost, and many providers keep logs for only a short default period before they roll off, so it's essential to export them and prioritize their retention for retrospective investigations and threat hunting.
To manage expenses, keep recent logs hot for detection and move older logs to cold storage, accepting slower retrieval and a rehydration charge when an investigation needs them. This keeps crucial data available for security analysis while controlling operational expenses.
User Account and Logon Sessions
User accounts and logon sessions are the primary data sources for monitoring authentication activity in cloud accounts. An adversary holding a valid account still has to authenticate with it, so these logs capture the moment the abuse begins, and they are what you need to establish what normal authentication looks like for each user.
Cloud Service, Application Log, and Web Credential
Since cloud accounts can perform actions and make changes, it's important to analyze not only authentication logs but also Cloud Service, Application Log, and Web Credential data sources. These logs will be invaluable for post-breach investigations.
Detection Technology
AWS
CloudTrail is AWS's primary management (control plane) log source and essential for security operations. It records API activity by users, roles and AWS services within an account, covering thousands of event types, such as AWS console logins (ConsoleLogin), creation of long-term access keys (CreateAccessKey), role assumptions (AssumeRole), and more. Deliver the trail to an S3 bucket in a separate, locked-down account so that an adversary holding the compromised account cannot simply stop or delete the trail that records them.
In addition to CloudTrail's management events, there is a second visibility layer known as data events, which capture operations performed on or within a resource (object reads and writes, function invocations) rather than changes to the resource's configuration. Not every AWS service emits data events, but many do, including Amazon S3 (GetObject, PutObject and the like) and the Amazon RDS Data API. Data events are off by default, billed separately, and can multiply log volume, so scope them to the buckets and resources that hold sensitive data. For best practices in AWS security, refer to the AWS Security Best Practices guide.
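The kind of triage a detection engineer runs over the management events just described, as an added example that is not code from the page or from AWS. The records are constructed samples in the CloudTrail record format, and the corporate egress range used to decide what counts as "external" is an assumption.

```python
"""Triage of CloudTrail management events for T1078.004 indicators.

Added example; not code from the page or from AWS. The events are constructed
samples in the CloudTrail record format, and CORP_RANGES is an assumed
corporate egress range used to decide what counts as "external".
"""
import ipaddress
import json

# Assumed corporate egress range; logins from anywhere else are "external".
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log file (field names follow the CloudTrail record format).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/OrgAdmin"}},
]})


def load_records(text: str) -> list:
    """CloudTrail delivers each log file as {"Records": [...]}; unwrap it."""
    return json.loads(text)["Records"]


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # "AWS Internal" or a service DNS name: not one of ours
    return not any(addr in net for net in CORP_RANGES)


def triage(events: list) -> list:
    """Return one finding per matched rule, in event order."""
    findings = []
    for e in events:
        name = e.get("eventName")
        ident = e.get("userIdentity", {})
        actor = ident.get("userName", ident.get("arn", "<unknown>"))
        ip = e.get("sourceIPAddress", "")

        if name == "ConsoleLogin":
            success = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = e.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            # Only IAM users do MFA at AWS itself; federated sign-ins typically
            # report MFAUsed "No" because the IdP enforced it, so scope the rule.
            if success and ident.get("type") == "IAMUser" and not mfa:
                findings.append({"rule": "console_login_without_mfa", "actor": actor, "ip": ip})
            if success and is_external(ip):
                findings.append({"rule": "console_login_from_external_ip", "actor": actor, "ip": ip})

        elif name == "CreateAccessKey":
            # A long-term credential minted for a different principal is the
            # "Additional Cloud Credentials" persistence pattern.
            target = e.get("requestParameters", {}).get("userName", actor)
            if target != actor:
                findings.append({"rule": "access_key_created_for_other_user",
                                 "actor": actor, "target": target, "ip": ip})

        elif name == "AssumeRole" and ident.get("type") == "IAMUser" and is_external(ip):
            role = e.get("requestParameters", {}).get("roleArn", "")
            findings.append({"rule": "assume_role_from_external_ip",
                             "actor": actor, "role": role, "ip": ip})
    return findings


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_LOG)):
        print(finding)
```

Each rule is deliberately narrow and keyed on fields CloudTrail always populates; in production the same functions would consume the gzipped files delivered to the trail bucket rather than the inline sample, and the egress allowlist would come from the network team's inventory.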
Microsoft
Understanding the complexities of Azure logging requires a close examination of Entra ID (formerly Azure AD). While Azure serves as the foundational infrastructure for cloud resources—such as Virtual Machines and Storage—Entra ID is central to identity and access management (IAM). Both platforms utilize role-based access control (RBAC), but these controls fundamentally depend on the identities managed within Entra ID. Each platform generates a variety of log sources, making it essential to adopt a segmented approach for clarity. To effectively navigate these log sources, it’s crucial to distinguish between Azure and Entra ID and understand their respective telemetry outputs.
Entra ID manages all identities and cloud accounts that access Azure resources, including applications, service principals, managed identities, and users. It automatically records several categories of sign-in logs that cannot be disabled: interactive user sign-ins, non-interactive sign-ins, service principal sign-ins, and managed identity sign-ins. An audit log additionally tracks tenant-level modifications, giving a comprehensive view of the behaviors associated with your cloud accounts. Entra ID keeps these logs for only a short default retention period (seven or thirty days, depending on license), so stream them through diagnostic settings to a Log Analytics workspace, a storage account, or your SIEM before an investigation needs them.
Beyond these default logs, there are additional visibility layers that may require manual activation and may depend on the appropriate licensing level. One notable source worth exploring is the Graph Activity Logs, which serve as a form of data plane record for Microsoft's SaaS offerings. These logs deliver detailed insights into the Microsoft Graph API—the primary interface for several Microsoft SaaS products, including Outlook, SharePoint, and Teams. They track identities that initiate HTTP requests to the Graph API, along with the relevant request URIs and the applications making those requests. This detailed information can reveal reconnaissance activities following a cloud account compromise, especially in scenarios where adversaries do not alter data directly within the SaaS product, resulting in conventional logs capturing only login events.
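The reconnaissance the page describes (an adversary enumerating the directory to learn where they are and whom to target next) is exactly what the Graph activity records expose. Below is an added example, not code from the page or from Microsoft, that hunts for it: one identity reading several distinct directory endpoint families inside a short window. Field names follow the MicrosoftGraphActivityLogs table as exported to Log Analytics (an assumption about the schema), and the records, window and threshold are constructed for illustration.

```python
"""Directory-enumeration detection over Microsoft Graph activity log records.

Added example; not code from the page or from Microsoft. Field names follow
the MicrosoftGraphActivityLogs table as I understand it (assumption); the
records, the window and the threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=10)
MIN_FAMILIES = 3  # distinct directory endpoint families inside WINDOW to alert on

# Endpoint families an Outlook/Teams/SharePoint client rarely walks, but a
# post-compromise "who am I, who else is here" script hits one after another.
ENUM_FAMILIES = {"/users", "/groups", "/directoryRoles", "/applications",
                 "/servicePrincipals", "/organization", "/me/memberOf", "/roleManagement"}

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed identities and records.
ATTACKER = "11111111-1111-1111-1111-111111111111"
NORMAL = "22222222-2222-2222-2222-222222222222"
OUTLOOK_LIKE_APP = "00000000-0000-0000-0000-00000000aaaa"
GRAPH = "https://graph.microsoft.com"


def _rec(ts, user, uri, ip):
    return {"TimeGenerated": ts, "UserId": user, "AppId": OUTLOOK_LIKE_APP,
            "RequestMethod": "GET", "RequestUri": GRAPH + uri,
            "ResponseStatusCode": 200, "IPAddress": ip}


SAMPLE_RECORDS = [
    # Compromised account: directory walk within two minutes of sign-in.
    _rec("2024-05-01T09:00:05Z", ATTACKER, "/v1.0/me", "198.51.100.9"),
    _rec("2024-05-01T09:00:12Z", ATTACKER, "/v1.0/me/memberOf", "198.51.100.9"),
    _rec("2024-05-01T09:00:40Z", ATTACKER, "/v1.0/users?$top=999", "198.51.100.9"),
    _rec("2024-05-01T09:01:03Z", ATTACKER, "/v1.0/groups?$top=999", "198.51.100.9"),
    _rec("2024-05-01T09:01:30Z", ATTACKER, "/v1.0/directoryRoles", "198.51.100.9"),
    _rec("2024-05-01T09:02:15Z", ATTACKER, "/v1.0/applications", "198.51.100.9"),
    # Ordinary mail-client traffic for comparison.
    _rec("2024-05-01T09:00:00Z", NORMAL, "/v1.0/me/messages?$top=50", "203.0.113.5"),
    _rec("2024-05-01T09:05:00Z", NORMAL,
         "/v1.0/me/mailFolders/12345678-1234-1234-1234-123456789abc/messages", "203.0.113.5"),
    _rec("2024-05-01T09:10:00Z", NORMAL, "/v1.0/me/calendarView?startDateTime=x", "203.0.113.5"),
]


def family(request_uri: str) -> str:
    """Reduce a Graph URI to its endpoint family: drop host, version, ids and query."""
    path = urlsplit(request_uri).path
    path = re.sub(r"^/(v1\.0|beta)", "", path)
    path = GUID.sub("{id}", path)
    parts = [p for p in path.split("/") if p]
    if not parts:
        return "/"
    if parts[0] == "me" and len(parts) > 1:
        return "/me/" + parts[1]
    return "/" + parts[0]


def find_enumeration(records: list) -> list:
    """One finding per identity whose successful GETs span MIN_FAMILIES
    enumeration families within WINDOW."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("RequestMethod", "GET") != "GET" or r.get("ResponseStatusCode", 200) >= 400:
            continue
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        by_user[r["UserId"]].append((ts, family(r["RequestUri"]), r.get("IPAddress"), r.get("AppId")))

    findings = []
    for user, hits in by_user.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, ip, app) in enumerate(hits):
            fams = {h[1] for h in hits[i:] if h[0] - start <= WINDOW and h[1] in ENUM_FAMILIES}
            if len(fams) >= MIN_FAMILIES:
                findings.append({"user": user, "ip": ip, "app": app,
                                 "first_seen": start.isoformat(), "families": sorted(fams)})
                break  # one finding per identity is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_RECORDS):
        print(finding)
```

Normalising the URI first matters more than the threshold: without collapsing object ids and query strings, a single `/users/{id}` page walk would look like hundreds of different endpoints and swamp the count, and with them collapsed the same logic runs unchanged against `beta` and `v1.0` traffic.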
Azure enables resource deployment akin to AWS, with the Azure Activity log documenting changes to resources and significant RBAC assignments, including the granting of administrative or owner privileges within Azure's RBAC model. The activity log is always on and cannot be disabled, but it is retained for only 90 days unless you export it through a diagnostic setting. Furthermore, many Azure resources offer optional data plane logging, usually called resource logs or diagnostic logs, which record resource usage such as reading a secret or retrieving a key from a vault. All records include the originating cloud account and can generate substantial volumes of data, depending on how heavily the resource is used in your organization. For more information, refer to the Azure Activity Log documentation.
Possible Use Cases
Geographical Anomalies Detection
User location is a critical factor in assessing the legitimacy of login attempts. By maintaining an up-to-date database of known remote office locations and using calendar data to track employee travel, security teams can quickly identify unusual access patterns.
Unexpected Logins: Automatically flag any login attempts from countries or cities not associated with the user's typical work locations.
Travel Alerts: Cross-reference calendar events with login times to determine if users are traveling, reducing false positives in anomaly alerts.
Historical Patterns: Use historical login data to establish a baseline for normal geographical behavior and identify deviations from this baseline.
VPN and Proxy Identification
Many organizations use VPNs and proxies to secure remote access. Knowing which IP ranges are associated with these services allows security teams to differentiate legitimate traffic from potentially malicious logins.
Known IP Address Validation: Maintain a dynamic list of known VPN and proxy IP addresses. Flag any login from IPs not on this list for further investigation.
Frequency Analysis: Monitor the frequency of logins from non-corporate IP addresses. A sudden spike could indicate an attacker using compromised credentials.
Multi-Factor Analysis: Combine geographical data with IP address analysis to assess the legitimacy of access attempts, ensuring they align with company policies.
Operating System Compliance Check
Different job functions often require different operating systems and devices. By tracking the operating systems used by employees, organizations can establish baselines for compliance and flag unusual logins.
Device Inventory Matching: Regularly update and maintain an inventory of compliant devices and operating systems for all users.
Non-Compliant Access: Automatically flag logins from devices or operating systems that are not part of the approved inventory.
Behavioral Patterns: Analyze user behaviors based on device type, monitoring for unusual patterns such as high-risk applications accessed from non-compliant devices.
Application Access Monitoring
Monitoring application access is crucial in identifying potentially unauthorized access to sensitive information. Keeping an inventory of approved applications helps create a clear baseline for expected behavior.
Whitelist Maintenance: Continuously update the whitelist of applications used by employees and monitor for any logins to unapproved applications.
Access Patterns: Analyze typical access patterns to sensitive applications. Any deviations, such as access from a new location or device, should trigger an alert.
User Behavior Analytics: Apply behavioral models to the applications that access user mailboxes, flagging a first-seen application for a given user or access at an unusual volume or hour, to surface possible insider threats or account takeovers.
Authentication Protocol Anomalies
Different roles within an organization typically utilize specific authentication protocols. Monitoring for unusual usage patterns can help identify potential breaches.
Protocol Usage Tracking: Track and log the types of authentication protocols used by each user and their relevance to their roles.
Role-Based Analysis: Flag any instances where non-technical users are utilizing advanced authentication flows (e.g., Device Code Flow or Resource Owner Password Credentials) that are not commonly associated with their job functions.
Behavioral Alerts: Generate alerts when uncommon protocols are used, especially in conjunction with anomalous login locations or times.
Unusual SMS MFA Phone Number Changes
Monitoring changes to SMS MFA phone numbers is vital as these can indicate unauthorized attempts to gain access. Understanding the typical contact details for users can enhance security.
Number Verification: Automatically verify new SMS MFA phone numbers against a database of known corporate numbers or contact details to flag discrepancies.
Ownership Validation: Analyze the ownership of new phone numbers to determine if they belong to the user. This can involve looking up the number to see if it’s a VoIP number or matches known contacts.
Change Frequency: Monitor the frequency of SMS MFA phone number changes. Frequent changes may indicate account compromise or insider threats.
Job Title Behavior Alignment Check
Employees typically exhibit behaviors consistent with their job titles. Monitoring for deviations in expected behaviors can help detect unauthorized access or misuse of credentials.
Behavioral Baseline: Establish a behavioral baseline for each job title, documenting common actions taken during work hours.
Role-Behavior Mismatch: Flag any unusual actions, such as a non-technical employee accessing engineering tools or logging in from a high-risk environment (e.g., a public Wi-Fi network).
Contextual Analysis: Combine job title information with contextual data (e.g., device type, access patterns) to create a more robust alerting system that can distinguish legitimate work from suspicious activities.
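The geographical, VPN/proxy, authentication-protocol and job-title use cases above combine naturally into one triage pass over sign-in records. The following is an added example, not code from the page or from Microsoft: field names follow the Entra ID sign-in log (the Microsoft Graph signIn resource), while the historical sign-ins, the VPN ranges, the list of technical users and the severity rule are all constructed assumptions for illustration.

```python
"""Sign-in triage combining the geography, VPN/proxy and protocol-vs-role checks.

Added example; not code from the page or from Microsoft. Field names follow
the Entra ID sign-in log (Graph signIn resource). HISTORY, SIGNINS,
VPN_RANGES and TECHNICAL_USERS are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed corporate VPN / proxy egress ranges (IPv4 and IPv6).
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:1::/48")]
# Assumed HR feed: users whose roles legitimately use device code / ROPC flows.
TECHNICAL_USERS = {"alice@example.com"}
# Protocol values from the sign-in log that ordinary interactive users rarely need.
UNUSUAL_PROTOCOLS = {"deviceCode", "ropc"}

# Constructed historical sign-ins, used only to learn each user's usual countries.
HISTORY = [
    {"userPrincipalName": "alice@example.com", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "carol@example.com", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "carol@example.com", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "dave@example.com", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "dave@example.com", "location": {"countryOrRegion": "GB"}},
]

# Constructed new sign-ins to triage (errorCode 0 means the sign-in succeeded).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "location": {"countryOrRegion": "US", "city": "Denver"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "NG", "city": "Lagos"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.44",
     "location": {"countryOrRegion": "GB", "city": "London"},
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.44",
     "location": {"countryOrRegion": "GB", "city": "London"},
     "authenticationProtocol": "none", "status": {"errorCode": 50126}},
]


def build_geo_baseline(history: list) -> dict:
    """Map each user to the set of countries seen in their historical sign-ins."""
    baseline = defaultdict(set)
    for s in history:
        baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def on_corporate_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)  # version mismatch is simply False


def triage_signins(signins: list, baseline: dict) -> list:
    """Return a finding per successful sign-in that trips at least one check."""
    findings = []
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failures feed brute-force detections, not this triage
        upn = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        flags = []
        if country not in baseline.get(upn, set()):
            flags.append(f"geo_anomaly:{country}")
        if not on_corporate_egress(s["ipAddress"]):
            flags.append("outside_vpn")
        proto = s.get("authenticationProtocol", "none")
        if proto in UNUSUAL_PROTOCOLS and upn not in TECHNICAL_USERS:
            flags.append(f"protocol_role_mismatch:{proto}")
        if flags:
            # Two or more independent signals on one sign-in is what separates
            # a compromised account from an employee on hotel Wi-Fi.
            findings.append({"user": upn, "ip": s["ipAddress"], "flags": flags,
                             "severity": "high" if len(flags) >= 2 else "low"})
    return findings


if __name__ == "__main__":
    for finding in triage_signins(SIGNINS, build_geo_baseline(HISTORY)):
        print(finding)
```

Alice's device code sign-in is silently accepted because her role is on the technical list; the same flow from a finance user, from a country she has never signed in from, over a non-corporate address, is the combination the text warns about, and it is the stacking of signals rather than any single one that makes the alert worth a human's time.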
Real-life Example
APT29 has leveraged advanced tactics to move through Microsoft 365 environments stealthily. One of their key techniques was disabling logging that could have revealed their presence: by targeting the Purview Audit functionality on compromised accounts, they switched off the audit events organizations rely on to see which mailboxes and messages were read. This both obscured their movements and left victims unable to determine which mailboxes had been targeted for data exfiltration.
In addition to manipulating logging, APT29 has shown particular proficiency in exploiting dormant accounts. Through password guessing attacks they gained access to accounts that had not been used for some time. Because Azure Active Directory (now Entra ID) prompts an account with no registered MFA method to enroll one at its next sign-in, the first party to log in gets to choose the device, and APT29 registered their own, which then satisfied MFA for the organization's VPN infrastructure. This chain underscores how an adversary exploits gaps in security processes, especially around overlooked or inactive accounts.
Disabling Purview Audit: By turning off this feature on compromised Microsoft 365 accounts, APT29 silenced the MailItemsAccessed audit events that would otherwise record every mailbox read. They could then collect email from specific mailboxes without leaving those traces, gathering sensitive information while significantly reducing the risk of detection. Defenders should alert on any change to audit licensing or audit configuration, since legitimate administrators rarely remove it.
Exploiting Dormant Accounts: Having guessed the password of an unused account, APT29 took advantage of the default self-service MFA registration flow to register their own device as that account's MFA method. This granted them entry to the organization's VPN infrastructure. Disable or remove accounts that have not signed in within a defined period, and require a Temporary Access Pass or an admin-assisted enrollment rather than open self-service registration for MFA.