Friday, October 20, 2023

Cloud storage security: What's new in the threat matrix


Today we announce the release of a second version of the threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats to data stored in cloud storage services. The matrix, first released in April 2021 as detailed in the blog post Threat matrix for storage services, lays out a rich set of attack techniques mapped to the well-known set of tactics described by MITRE's ATT&CK® framework and knowledge base, allowing defenders to adapt and respond to new techniques more efficiently and effectively.

Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: https://aka.ms/StorageServicesThreatMatrix

[Figure: Threat matrix with updated techniques included in the reconnaissance, initial access, persistence, defense evasion, credential access, discovery, lateral movement, and exfiltration stages.]
Figure 1. Threat matrix for storage services

Of the new techniques detailed in this blog, several noteworthy examples include:

  • Object replication – Allows attackers to misuse the object replication feature in both directions, either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.
  • Operations across geo replicas – Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not see enough activity in a single region to trigger an alert.
  • Static website – Allows attackers to exfiltrate data using the "static website" feature, a capability offered by major cloud storage providers that is often overlooked by less experienced users.

In this blog post, we introduce the new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.

New techniques in the matrix

1. Reconnaissance

Reconnaissance consists of techniques in which attackers actively or passively gather information that can be used to support targeting.

DNS/Passive DNS – Attackers may search DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search centralized repositories of logged DNS query responses (known as passive DNS).

Victim-owned websites – Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be hosted on a storage account or contain links that retrieve data stored in a storage account. Those links contain the URL of the storage and provide an entry point into the account.

2. Initial access

Initial access consists of techniques that use various entry vectors to gain an initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement through a malicious payload that is distributed to other resources.

SFTP credentials – Attackers may obtain and abuse the credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once connected to the cloud storage service, the user can upload and download blobs and perform the other operations supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, along with credentials in the form of passwords or key pairs.

NFS access – Attackers may gain initial access to a storage account using the NFS protocol where it is enabled. While access is restricted to the list of allowed virtual networks configured on the storage account firewall, a connection over NFS does not require authentication and can be made from any source on the allowed networks.

SMB access – Attackers may gain initial access to a storage account's file shares using the Server Message Block (SMB) protocol.

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be misused in both directions. Outbound replication can serve as an exfiltration channel for customer data from the victim's container to the adversary's container. Inbound replication can be used to deliver malware from an adversary's container to a victim's container. Once the policy is set, the attacker can operate on their own container without accessing the victim's container again.

3. Persistence

Persistence consists of techniques that attackers use to keep their access to the storage account across credential changes and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration change that lets them maintain their foothold on systems.

Create SAS Token – Attackers may create a high-privileged SAS token with a long expiry to preserve valid credentials for a long period. The tokens are not tracked by the storage account, so they cannot be revoked (except Service SAS), and it is not easy to determine whether valid tokens exist in the wild until they are used.
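Because a SAS token leaves no record on the account, the place to catch a long-lived, high-privileged token is wherever SAS URLs show up in your own environment (tickets, pipelines, leaked-credential scans). The following is an added example, not code from the blog post or from Microsoft: it parses the standard SAS query parameters (sp permissions, se expiry, ss/srt for account SAS, si for a stored access policy, spr allowed protocols) and reports what makes a token durable and hard to revoke. The URLs at the bottom are constructed and the signature values are placeholders.

```python
"""Score a SAS URL for the persistence risk described above: a
high-privileged token with a long expiry that cannot be revoked.

Added example; not code from the blog post. The URLs below are
constructed and their sig values are placeholders.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# SAS permission letters that let the holder modify or destroy data
# (add, create, write, delete, delete version, permanent delete, move,
# execute, ownership, permissions); r/l/t/f only read.
MUTATING_PERMS = set("acwdxymeop")


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 in UTC, with or without a time part."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time {value!r}")


def assess_sas(url: str, now: datetime, max_days: float = 7.0) -> dict:
    """Classify a SAS token and flag the properties that make it a
    durable credential: lifetime, mutating permissions, revocability,
    and whether it may be presented over plain HTTP."""
    p = parse_sas(url)
    if "sig" not in p or "se" not in p:
        raise ValueError("not a SAS URL: missing sig or se")
    perms = set(p.get("sp", ""))
    lifetime_days = (parse_sas_time(p["se"]) - now).total_seconds() / 86400

    if "ss" in p or "srt" in p:
        # Account SAS: only rotating the signing key invalidates it.
        kind, revocable = "account", False
    elif "si" in p:
        # Service SAS bound to a stored access policy: deleting the policy revokes it.
        kind, revocable = "service (stored access policy)", True
    else:
        # Ad hoc service SAS: again only key rotation invalidates it.
        kind, revocable = "service (ad hoc)", False

    # When spr is absent the token is accepted over both protocols.
    protocols = p.get("spr", "https,http").split(",")
    return {
        "kind": kind,
        "revocable": revocable,
        "lifetime_days": lifetime_days,
        "long_lived": lifetime_days > max_days,
        "mutating": bool(perms & MUTATING_PERMS),
        "http_allowed": "http" in protocols,
        "permissions": "".join(sorted(perms)),
    }


# Constructed sample URLs (hypothetical account name, placeholder signatures).
LONG_LIVED_ACCOUNT_SAS = (
    "https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco"
    "&sp=rwdlac&st=2023-10-20T00:00:00Z&se=2033-10-20T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)
SHORT_READ_SAS = (
    "https://examplestorage.blob.core.windows.net/reports/q3.csv?sv=2022-11-02"
    "&sr=b&sp=r&se=2023-10-21T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    now = datetime(2023, 10, 20, tzinfo=timezone.utc)
    for url in (LONG_LIVED_ACCOUNT_SAS, SHORT_READ_SAS):
        print(assess_sas(url, now))
```

A token that is long-lived, mutating and not revocable is the case the technique describes; the only remediation is rotating the account key that signed it (or, for a policy-bound service SAS, deleting the stored access policy), so the finding should be routed to whoever owns that key.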

Container access level property – Attackers may alter the container access level property, at the granularity of a blob or a container, to enable anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even after the initial access technique is no longer valid.

SFTP account – Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local to the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected by rotation of the storage account access keys.

Trusted Azure services – Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed through the firewall even if no firewall rule explicitly allows the resource's source address.

Trusted access based on a managed identity – Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be selected from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine which operations it can perform on storage account data.

Private endpoint – Attackers may create private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network's address range. All requests sent to the private endpoint bypass the storage account firewall by design.

4. Defense evasion

The defense evasion tactic consists of techniques that attackers use to avoid detection and hide their malicious activity.

Disable audit logs – Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of the operations performed on a target storage account and may be used to detect malicious activity. Disabling these logs can therefore leave a resource open to attack without the attack being detected.

Disable cloud workload protection – Attackers may disable the cloud workload protection service that raises security alerts upon detection of malicious activity in cloud storage services.

Private endpoint – Attackers may create private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network's address range. All requests sent to the private endpoint bypass the storage account firewall by design.

Operations across geo replicas – Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid detection by various rules and heuristics.
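The geo replica technique defeats any rule that counts activity per region. The detection below is an added example (not code from the blog post or from any Microsoft product) that keys on the caller instead: it buckets read operations per caller and tumbling window, attributes each request to the primary or secondary replica from the request host (RA-GRS secondary reads go to the "<account>-secondary" endpoint), and reports callers whose combined count crosses the threshold even though no single replica does. The records are constructed in a simplified form of the Azure Storage resource log fields (time, operationName, callerIpAddress, uri); the account name and addresses are hypothetical.

```python
"""Detect a caller that spreads reads across geo replicas so that no
single region crosses a per-region alert threshold.

Added example; not code from the blog post. Records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def replica_of(uri: str) -> str:
    """Classify a request URI as hitting the primary or the secondary replica."""
    host = urlsplit(uri).hostname or ""
    account = host.split(".")[0]
    return "secondary" if account.endswith("-secondary") else "primary"


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def detect_split_reads(records, per_region_threshold=10,
                       window=timedelta(hours=1), operations=("GetBlob",)):
    """Return one finding per (caller, window) whose combined read count
    across replicas exceeds the threshold. The reason field separates the
    case a per-region rule would already catch from the split one."""
    buckets = defaultdict(Counter)   # (caller, window index) -> Counter(replica)
    for rec in records:
        if rec["operationName"] not in operations:
            continue
        slot = (parse_time(rec["time"]) - EPOCH) // window   # tumbling window index
        buckets[(rec["callerIpAddress"], slot)][replica_of(rec["uri"])] += 1

    findings = []
    for (caller, slot), per_replica in sorted(buckets.items()):
        total = sum(per_replica.values())
        if total <= per_region_threshold:
            continue
        split = max(per_replica.values()) <= per_region_threshold
        findings.append({
            "caller": caller,
            "window_start": (EPOCH + slot * window).strftime(TIME_FMT),
            "per_replica": dict(per_replica),
            "total": total,
            "reason": "split across replicas" if split else "single replica over threshold",
        })
    return findings


def sample_records():
    """Constructed log records: 203.0.113.10 reads six blobs from each
    replica (12 in total, 6 per region); 198.51.100.7 reads three from the
    primary only."""
    base = datetime(2023, 10, 20, 9, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(6):
        for host in ("examplestorage", "examplestorage-secondary"):
            recs.append({"time": (base + timedelta(minutes=i)).strftime(TIME_FMT),
                         "operationName": "GetBlob",
                         "callerIpAddress": "203.0.113.10",
                         "uri": f"https://{host}.blob.core.windows.net/data/file{i}.bin"})
    for i in range(3):
        recs.append({"time": (base + timedelta(minutes=i)).strftime(TIME_FMT),
                     "operationName": "GetBlob",
                     "callerIpAddress": "198.51.100.7",
                     "uri": f"https://examplestorage.blob.core.windows.net/data/file{i}.bin"})
    return recs


if __name__ == "__main__":
    for finding in detect_split_reads(sample_records()):
        print(finding)
```

In a real pipeline the caller key would usually be the authenticated identity rather than the source address, and the two replicas' logs must be collected into the same workspace for the aggregation to see both halves at all.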

5. Credential access

Credential access consists of techniques for stealing credentials such as account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and help them achieve their goals.

Unsecured communication channel – Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support an unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are prone to leakage. The attacker can then use the compromised credentials to gain initial access to the storage account.
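Most of the initial access, persistence and credential access techniques above depend on a control-plane setting of the account (SFTP and NFS enabled, anonymous container access allowed, firewall bypasses for trusted services or resource instances, private endpoints, HTTP accepted). Those settings can be audited together from the account's ARM properties. The following is an added example, not code from the blog post or from Microsoft; the property names follow the Microsoft.Storage/storageAccounts resource schema (isSftpEnabled, isNfsV3Enabled, allowBlobPublicAccess, networkAcls, privateEndpointConnections, supportsHttpsTrafficOnly, minimumTlsVersion, allowSharedKeyAccess), and the two property sets at the bottom are constructed for illustration.

```python
"""Audit a storage account's control-plane properties for the settings
behind the initial access, persistence and credential access techniques.

Added example; not code from the blog post. The property sets WEAK and
HARDENED are constructed and do not describe real accounts.
"""


def audit_storage_account(props: dict) -> list:
    """Return (severity, setting, finding) tuples for risky settings.
    Defaults chosen for absent keys are the permissive ones, so an
    incomplete export errs toward reporting."""
    findings = []
    acl = props.get("networkAcls", {})

    if props.get("isSftpEnabled"):
        findings.append(("high", "isSftpEnabled",
                         "SFTP enabled: local SFTP users sit outside Azure RBAC and survive key rotation"))
    if props.get("isNfsV3Enabled"):
        findings.append(("high", "isNfsV3Enabled",
                         "NFS 3.0 enabled: unauthenticated access from any allowed network"))
    if props.get("allowBlobPublicAccess"):
        findings.append(("high", "allowBlobPublicAccess",
                         "containers may be switched to anonymous read access"))
    if acl.get("defaultAction", "Allow") == "Allow":
        findings.append(("high", "networkAcls.defaultAction",
                         "firewall allows all networks by default"))
    # bypass is a comma-separated string such as "AzureServices, Logging, Metrics"
    bypass = {b.strip() for b in acl.get("bypass", "").split(",") if b.strip()}
    if "AzureServices" in bypass:
        findings.append(("medium", "networkAcls.bypass",
                         "trusted Azure services in the same subscription bypass the firewall"))
    if acl.get("resourceAccessRules"):
        findings.append(("medium", "networkAcls.resourceAccessRules",
                         f"{len(acl['resourceAccessRules'])} resource instance(s) allowed by managed identity regardless of address"))
    if props.get("privateEndpointConnections"):
        findings.append(("medium", "privateEndpointConnections",
                         f"{len(props['privateEndpointConnections'])} private endpoint(s); their traffic bypasses the firewall by design"))
    if not props.get("supportsHttpsTrafficOnly", True):
        findings.append(("high", "supportsHttpsTrafficOnly",
                         "HTTP allowed: keys and SAS tokens can be captured on the wire"))
    if props.get("minimumTlsVersion", "TLS1_0") in ("TLS1_0", "TLS1_1"):
        findings.append(("medium", "minimumTlsVersion", "legacy TLS versions accepted"))
    if props.get("allowSharedKeyAccess", True):
        findings.append(("medium", "allowSharedKeyAccess",
                         "account keys and key-signed SAS tokens accepted; prefer Azure RBAC"))
    return findings


def highest_severity(props: dict) -> str:
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in audit_storage_account(props)),
               key=order.get, default="none")


# Constructed property sets (not real accounts).
WEAK = {
    "isSftpEnabled": True,
    "isNfsV3Enabled": True,
    "allowBlobPublicAccess": True,
    "supportsHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": True,
    "networkAcls": {
        "defaultAction": "Allow",
        "bypass": "AzureServices, Logging, Metrics",
        "resourceAccessRules": [{"tenantId": "TENANT-ID-PLACEHOLDER",
                                 "resourceId": "RESOURCE-ID-PLACEHOLDER"}],
    },
    "privateEndpointConnections": [{"id": "PE-CONNECTION-ID-PLACEHOLDER"}],
}
HARDENED = {
    "isSftpEnabled": False,
    "isNfsV3Enabled": False,
    "allowBlobPublicAccess": False,
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": False,
    "networkAcls": {"defaultAction": "Deny", "bypass": "None", "resourceAccessRules": []},
    "privateEndpointConnections": [],
}

if __name__ == "__main__":
    for name, props in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, highest_severity(props))
        for severity, setting, text in audit_storage_account(props):
            print(f"  [{severity}] {setting}: {text}")
```

Private endpoints and trusted-service bypass are reported at medium because they are often legitimate; the value of the check is a diff against the expected configuration, which is also what the discovery technique later in this post reads from the attacker's side.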

6. Discovery

Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.

Account configuration discovery – Attackers may use control plane access permissions to retrieve the storage account configuration. The configuration contains various technical details that may help the attacker carry out a variety of tactics. For example, the firewall configuration provides network access information, and other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy, which may help the attacker in performing data destruction.

7. Exfiltration

Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to other cloud storage outside the victim account and may also include putting size limits on the transmission.

Static website – Attackers may use the "static website" feature to exfiltrate collected data outside the storage account. Static website is a hosting capability of cloud storage providers that serves static web content directly from the storage account. The website is reached through an alternative web endpoint that may be overlooked when restricting access to the storage account.

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel for customer data from a victim's container to an adversary's container.
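Both exfiltration channels above are visible in the account's configuration rather than in data-plane traffic, so they can be reviewed on a schedule. The following is an added example, not code from the blog post or from Microsoft: it walks an account's object replication policies, separating outbound policies to accounts outside the organisation (data leaving) from inbound policies from such accounts (content arriving, the malware delivery case from the initial access section), and reports an enabled static website endpoint. The policy shape mirrors the Microsoft.Storage/storageAccounts/objectReplicationPolicies resource (policyId, sourceAccount, destinationAccount, rules[].sourceContainer and destinationContainer); the account names, policy ids and the trusted-account list are constructed.

```python
"""Review the exfiltration channels of one storage account: object
replication policies whose peer account is outside the organisation,
in either direction, and the static website endpoint.

Added example; not code from the blog post. Account names, policy ids
and the trusted-account list are constructed.
"""


def review_exfiltration_channels(account: str, policies: list,
                                 trusted_accounts: set,
                                 static_website_enabled: bool) -> list:
    """Return one finding per untrusted replication peer and one for an
    enabled static website. A policy is attached to both of its accounts,
    so the direction is decided by which side this account is on."""
    findings = []
    for pol in policies:
        src, dst = pol["sourceAccount"], pol["destinationAccount"]
        routes = ", ".join(f"{r['sourceContainer']} -> {r['destinationContainer']}"
                           for r in pol.get("rules", []))
        if src == account and dst not in trusted_accounts:
            findings.append({"channel": "object replication", "policy": pol["policyId"],
                             "direction": "outbound", "peer": dst, "routes": routes,
                             "risk": "data copied out of the account asynchronously"})
        elif dst == account and src not in trusted_accounts:
            findings.append({"channel": "object replication", "policy": pol["policyId"],
                             "direction": "inbound", "peer": src, "routes": routes,
                             "risk": "content delivered into the account from an untrusted source"})
    if static_website_enabled:
        findings.append({"channel": "static website", "policy": None,
                         "direction": "outbound", "peer": "web endpoint",
                         "routes": "$web -> web endpoint",
                         "risk": "the $web container is served on a second endpoint "
                                 "that firewall reviews of the blob endpoint may miss"})
    return findings


# Constructed sample: the reviewed account, the organisation's own accounts,
# and three replication policies (one legitimate, two to/from an unknown peer).
SAMPLE_ACCOUNT = "victimstorage"
TRUSTED_ACCOUNTS = {"victimstorage", "corpbackup"}
SAMPLE_POLICIES = [
    {"policyId": "POLICY-1-PLACEHOLDER", "sourceAccount": "victimstorage",
     "destinationAccount": "corpbackup",
     "rules": [{"sourceContainer": "data", "destinationContainer": "data-copy"}]},
    {"policyId": "POLICY-2-PLACEHOLDER", "sourceAccount": "victimstorage",
     "destinationAccount": "unknownstorage",
     "rules": [{"sourceContainer": "data", "destinationContainer": "collected"}]},
    {"policyId": "POLICY-3-PLACEHOLDER", "sourceAccount": "unknownstorage",
     "destinationAccount": "victimstorage",
     "rules": [{"sourceContainer": "drop", "destinationContainer": "uploads"}]},
]

if __name__ == "__main__":
    for f in review_exfiltration_channels(SAMPLE_ACCOUNT, SAMPLE_POLICIES,
                                          TRUSTED_ACCOUNTS, static_website_enabled=True):
        print(f"[{f['channel']}] {f['direction']} via {f['peer']} ({f['routes']}): {f['risk']}")
```

The trusted-account list is the part that needs maintaining: replication to a backup account in another subscription is normal, so the review is only as good as the inventory of accounts the organisation actually owns.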

Conclusion

As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats to your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. Learn more about Microsoft Defender for Cloud support for storage security.

Evgeny Bogokovsky

Microsoft Threat Intelligence

References

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.
