Hackers Use Public Cloud Features to Breach, Persist In Business Networks

Published: 23/11/2024   Category: security




Attackers are abusing the characteristics of cloud services to launch and hide their activity as they traverse target networks.



A new body of evidence indicates threat actors are using increasingly advanced techniques to target unsecured cloud users and leveraging features common to public cloud platforms to conceal activity as they breach and persist in target networks.
Data comes from the Threat Stack security team, which spotted the pattern over multiple years of observing behavior on client networks. It was in 2016 when they noticed attacks leveraging Amazon Web Services (AWS) were becoming more sophisticated, says CSO Sam Bisbee. The trend picked up in 2017.
The problem, the team notes, is not with AWS but with the way attackers are maliciously using it.
"These are not exploits or vulnerabilities in the AWS services and software," Bisbee explains. "This is about the features and attributes of AWS leveraged by attackers in more sophisticated ways."
In simpler attacks, actors typically steal AWS keys and seek direct paths to resources stored in open S3 buckets, or they launch a new Amazon Elastic Compute Cloud (EC2) instance to mine cryptocurrency. Sometimes they don't have to look far: misconfigured S3 buckets made a number of headlines in the past couple of years. Amazon emphasizes that S3 buckets are secured by default; it also launched Macie to protect AWS S3 data and provides free bucket checks via Trusted Advisor.
While these less advanced techniques are still problematic, Bisbee says threats leveraging AWS are becoming more complex and targeted, with attacks launched on AWS features and combined with network-based intrusion attacks.
"In any industry and any platform, you're constantly playing cat and mouse," he says. "As blue teams and defenders become more sophisticated, the red team has to level up."
How It Works
Most of these attacks start with credential theft, which Bisbee says is the most common initial entry point. An attacker can steal access keys or credentials via phishing attacks, by deploying malware that picks up usernames and passwords, or by snatching data from a GitHub repository where a developer may have accidentally uploaded his information.
Credentials secured, the next step is to figure out what level of permissions can be attained. If an actor realizes he doesn't have what he needs, he may attempt to create additional roles or credentials in AWS and then launch a new EC2 instance inside the target environment. However, the stolen credentials must have access to IAM to create new roles, which AWS does not grant by default.
"Typically, the way most AWS accounts are configured, I can deploy that AWS instance anywhere in your network that I want," Bisbee says. It could go at the network's edge or at its center, where an organization's more interesting infrastructure and databases are located.
At this point, the attacker has established a beachhead in the network from which the target can be scanned. The attacker can move laterally from his EC2 instance in a traditional network attack chain, Bisbee explains, exploiting different hosts on the network.
Upon landing on a new host, the attacker checks its AWS permissions. If the attacker is only looking for a small amount of data, he can exfiltrate through the terminal or chain of compromised hosts, bypassing DLP tools. However, the desired amount of data depends on the actor and their motivation.
Who, Where, and Why
This behavioral pattern is typically seen in more targeted, persistent attack patterns, Bisbee says. Most actors are attempting to gain access to specific pieces of data, and they're generally hitting targets in popular industries, such as manufacturing, financial, and tech.
The amount of data sought depends on the target, he adds. If a company is storing healthcare information or voter records, the attacker is looking for data in bulk. If the attacker is targeting a media company, he may only want prereleased content or something more specific. Because data can be extracted by copying and pasting or snapping a screenshot, it's hard to detect theft.
One reason the lateral movement in the AWS scenario was hard to detect is that most security monitoring techniques assume an attacker will want to dive deep into the host and escalate privileges. In this case, the actors were trying to move off the host layer and back into the AWS control plane, which most blue teams aren't on the lookout for.
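As an added illustration (not code from the article or from Threat Stack), the two patterns Bisbee describes can be surfaced from CloudTrail-shaped records: a principal that mints IAM credentials and then launches EC2, and an EC2 instance-profile session that writes back into IAM. The event records, account id and instance id below are constructed samples.

```python
from datetime import datetime, timedelta

# IAM calls that mint or extend credentials: the "create roles/keys" step
# that precedes launching an EC2 beachhead in the attack chain described above.
PERSISTENCE_CALLS = {"CreateRole", "CreateUser", "CreateAccessKey",
                     "AttachRolePolicy", "AttachUserPolicy", "PutUserPolicy"}

def _ev(t, src, name, arn):  # builds a minimal CloudTrail-shaped record
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"arn": arn}}

# Constructed sample trail (not real log data): a stolen user key mints a role
# and launches EC2; later an instance-profile session reaches back into IAM.
SAMPLE_EVENTS = [
    _ev("2018-08-01T10:00:00Z", "iam.amazonaws.com", "CreateRole",
        "arn:aws:iam::111122223333:user/dev-alice"),
    _ev("2018-08-01T10:01:30Z", "iam.amazonaws.com", "AttachRolePolicy",
        "arn:aws:iam::111122223333:user/dev-alice"),
    _ev("2018-08-01T10:05:00Z", "ec2.amazonaws.com", "RunInstances",
        "arn:aws:iam::111122223333:user/dev-alice"),
    _ev("2018-08-01T11:20:00Z", "iam.amazonaws.com", "CreateAccessKey",
        "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"),
    _ev("2018-08-01T12:00:00Z", "ec2.amazonaws.com", "RunInstances",
        "arn:aws:iam::111122223333:user/ci-bot"),  # benign: no prior IAM writes
]

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_beachheads(events, window_minutes=60):
    """Principals that mint IAM credentials and then call RunInstances within
    the window: the credential theft -> new role -> EC2 foothold chain."""
    last_iam_write, hits = {}, []
    for ev in sorted(events, key=_ts):
        arn = ev["userIdentity"]["arn"]
        if ev["eventName"] in PERSISTENCE_CALLS:
            last_iam_write[arn] = _ts(ev)
        elif (ev["eventName"] == "RunInstances" and arn in last_iam_write
              and _ts(ev) - last_iam_write[arn] <= timedelta(minutes=window_minutes)):
            hits.append(arn)
    return hits

def find_instance_to_iam(events):
    """IAM credential writes issued from an EC2 instance-profile session. Such
    sessions carry the instance id as the session name (assumed-role/<role>/i-...),
    so a compromised host stepping back into the control plane stands out."""
    return [(ev["userIdentity"]["arn"], ev["eventName"]) for ev in events
            if ev["eventSource"] == "iam.amazonaws.com"
            and ev["eventName"] in PERSISTENCE_CALLS
            and ev["userIdentity"]["arn"].rsplit("/", 1)[-1].startswith("i-")]
```

In a real deployment the same two checks run over CloudTrail delivered to S3 or CloudWatch Logs, alongside GuardDuty, which covers the unusual-API-call side of this pattern.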
"AWS is just as critical as underlying servers," Bisbee says. "You need to be monitoring all aspects of your environment."
Amazon has deployed multiple services to boost AWS security. GuardDuty, a managed threat detection service, is designed to monitor for malicious or unauthorized behavior (unusual API calls, potentially unauthorized deployments) and help AWS users protect their accounts and workloads. Amazon Inspector, a separate service, automates security assessments to ensure security and compliance for applications deployed on AWS.

