Cloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list
lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
Procedure Examples |
|
Name | Description |
---|---|
Scattered Spider |
Scattered Spider enumerates cloud environments to identify server and backup management infrastructure, resource access, databases and storage containers.(Citation: MSTIC Octo Tempest Operations October 2023) |
Pacu |
Pacu can enumerate AWS infrastructure, such as EC2 instances.(Citation: GitHub Pacu) |
Mitigations |
|
Mitigation | Description |
---|---|
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Detection
Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users and enumerations from unknown or malicious IP addresses. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
References
- Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.
- Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.
- Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.
- Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
- Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
- Amazon Web Services. (n.d.). Retrieved May 28, 2021.
- Amazon Web Services. (n.d.). Retrieved May 28, 2021.
- Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022.
- A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
- Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
- Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
Связанные риски
Риск | Связи | |
---|---|---|
Раскрытие информации об ИТ инфраструктуре
из-за
использования встроенного механизма Application Programming Interface (API)
в облачном сервисе
Конфиденциальность
Раскрытие информации
|
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.