SAN FRANCISCO – Credential theft and abuse have long been a nagging problem for local network administrators. The threat surface ranges from pretexting scams to insiders who abuse network privileges in order to grant themselves higher permissions than otherwise assigned.
Here at RSA Conference, CyberArk researchers Asaf Hecht and Lavi Lazarovitz outlined a new attack surface for this age-old problem – the cloud.
In a session on Thursday the researchers offered nearly a dozen proof-of-concept scenarios in which an inside attacker can silently persist in and abuse cloud platforms, escalating user privileges to cause harm or reach protected company data.
“What we call cloud shadow admins can undermine the security of the cloud infrastructure and allow malicious actors to persist silently within it,” Lazarovitz said. “Cloud shadow admins can be used to compromise the entire cloud infrastructure.”
This newly identified threat vector is similar to what the company calls “shadow admins” in network environments. Shadow admins are network accounts with sensitive privileges that are typically overlooked because they are not members of a highly privileged Active Directory group. “Instead, shadow admin accounts are granted their privileges through the direct assignment of permissions using access control lists on AD objects,” the company explains.
Those same network risks now exist in the cloud infrastructure either accidentally or through malicious intent by a rogue user, the researcher said.
“When organizations migrate their entire infrastructure or just part of it to the cloud, new cloud users are created or federated and assigned specific permissions to perform specific tasks,” Lazarovitz said. That’s when a user might erroneously be given too many privileges and become what the company terms a cloud shadow admin.
“It might be they can launch a new machine, connect to the machine and assign the machine permissions. Next, they can use those permissions to shut down cloud instances, exfiltrate data from databases or run crypto mining code,” he said. This can also be very difficult to spot, especially when there are thousands of entities (users, machines and services), each with its own combination of permissions, he said.
In one example of an attack by a cloud shadow admin with malicious intent, researchers describe how an adversary can maliciously terminate Amazon Elastic Compute Cloud (EC2) instances running within a targeted company.
The example begins with the attacker compromising the computer of a low-level DevOps user with limited permissions. Those limited credentials do not allow the attacker to terminate EC2 instances, which requires privileged credentials. To get that privileged access, the attacker abuses the EC2 service framework and eventually escalates the privileges of the low-level DevOps user. This takes multiple steps.
First, the attacker uses his limited access to list the names of the EC2 instance profiles tied to the company. One of them, in the CyberArk example, is “AdminRole”, which suggests it is a privileged AWS role. The goal is to obtain the credentials of AdminRole in order to terminate the company’s EC2 instances.
To retrieve the AdminRole credentials, the attacker uses the DevOps privileges to create an AWS EC2 key pair, which provides SSH access to any instance launched with it, and then launches a new EC2 instance with the AdminRole instance profile attached to it.
The key pair is used to connect to the newly launched instance, Lazarovitz said. Using a tool such as PuTTY (an open-source terminal emulator, serial console and network file transfer application), the attacker logs in to the new EC2 instance.
Now the new instance’s metadata service hands out the temporary AdminRole credentials (access key ID, secret access key and session token) to any process running on the instance, with no further authentication. Once that information is extracted, the attacker loads the AdminRole credentials into the AWS command line interface and can terminate not just that EC2 instance but all of the organization’s instances, according to the researchers.
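The chain above hinges on one over-grant: a user who may launch an instance (ec2:RunInstances) and may hand any role to it (an unscoped iam:PassRole) can read that role's credentials back out of the instance metadata. The following is an added example written for this article, not code from CyberArk or from the session, that audits IAM policy documents offline for exactly that combination and reports which instance-profile roles a principal could expose. The account ID, the two policy documents and the instance-profile list are constructed samples, not data from any real account; the function and variable names are this example's own.

```python
"""Offline check for the EC2 instance-profile escalation path.

Flags a principal that holds ec2:RunInstances together with iam:PassRole on a
role that is attached to an instance profile. All data below is constructed
sample data for the example; nothing is read from a live AWS account.
"""
import json
import re

# Constructed sample: instance profiles as `aws iam list-instance-profiles`
# returns them, trimmed to the fields the audit needs.
INSTANCE_PROFILES = [
    {"InstanceProfileName": "AdminRole",
     "Roles": [{"Arn": "arn:aws:iam::123456789012:role/AdminRole"}]},
    {"InstanceProfileName": "WebServerProfile",
     "Roles": [{"Arn": "arn:aws:iam::123456789012:role/WebServerRole"}]},
]

# Constructed sample: what the low-privilege DevOps user was given. The
# unscoped iam:PassRole is the over-grant that makes this a shadow admin.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:CreateKeyPair", "ec2:RunInstances",
                "iam:ListInstanceProfiles"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

# Constructed sample: same duties, but PassRole is scoped to the one role the
# user legitimately needs, and admin roles are explicitly denied.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:CreateKeyPair", "ec2:RunInstances",
                "iam:ListInstanceProfiles"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/WebServerRole"},
    {"Effect": "Deny", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/Admin*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case):
    """IAM wildcard matching: '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policies, action, resource):
    """Evaluate one action on one resource across a principal's policies.

    An explicit Deny overrides any Allow, as in IAM. Statements that use
    Condition, NotAction or NotResource are not modelled and are skipped, so
    such statements must be reviewed by hand. Actions match case-insensitively,
    resource ARNs case-sensitively.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                continue
            hit = (any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action")))
                   and any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource"))))
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def passable_instance_roles(policies, profiles, region="us-east-1", account="123456789012"):
    """Roles the principal could attach to a fresh EC2 instance and then harvest.

    Returns (instance profile name, role ARN) pairs. The RunInstances check
    uses the instance ARN form; a real launch also needs image, subnet and
    security-group resources, which a Resource of "*" covers as well.
    """
    instance_arn = f"arn:aws:ec2:{region}:{account}:instance/*"
    if not is_allowed(policies, "ec2:RunInstances", instance_arn):
        return []
    exposed = []
    for profile in profiles:
        for role in profile.get("Roles", []):
            if is_allowed(policies, "iam:PassRole", role["Arn"]):
                exposed.append((profile["InstanceProfileName"], role["Arn"]))
    return exposed


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, passable_instance_roles([policy], INSTANCE_PROFILES))
```

Run against the weak policy the audit lists both AdminRole and WebServerRole as exposable; against the hardened policy only WebServerRole remains, because PassRole is scoped to that ARN and the Deny on role/Admin* holds even if some other attached policy later allows it. In a real account the same check would be fed the output of `aws iam list-instance-profiles` and the principal's attached and inline policies, and any statement with a Condition or NotAction should be read by hand rather than trusted to this evaluator.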
“The terrifying thing is we have discovered ten different examples just like this,” Lazarovitz said. “In each example the attacker only needs one permission to escalate and gain full admin rights.”