Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Перемещение данных между облачными учетными записями
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Перемещение данных между облач...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Перемещение данных между облачными учетными записями

Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks) Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature) Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

ID: T1537
Тактика(-и): Exfiltration
Платформы: IaaS, Office Suite, SaaS
Источники данных: Application Log: Application Log Content, Cloud Storage: Cloud Storage Creation, Cloud Storage: Cloud Storage Metadata, Cloud Storage: Cloud Storage Modification, Network Traffic: Network Traffic Content, Snapshot: Snapshot Creation, Snapshot: Snapshot Metadata, Snapshot: Snapshot Modification
Версия: 1.5
Дата создания: 30 Aug 2019
Последнее изменение: 15 Oct 2024

Примеры процедур
Название Описание
INC Ransom

INC Ransom has used Megasync to exfiltrate data to the cloud.(Citation: Secureworks GOLD IONIC April 2024)
RedCurl

RedCurl has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltrate data to Mega, a file storage service.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)

Контрмеры
Контрмера Описание
Data Loss Prevention

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)
Password Policies

Set and enforce secure password policies for accounts.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.
Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Обнаружение

Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. In AWS, sharing an Elastic Block Store (EBS) snapshot, either with specified users or publicly, generates a ModifySnapshotAttribute event in CloudTrail logs.(Citation: AWS EBS Snapshot Sharing) Similarly, in Azure, creating a Shared Access Signature (SAS) URI for a Virtual Hard Disk (VHS) snapshot generates a "Get Snapshot SAS URL" event in Activity Logs.(Citation: Azure Blob Snapshots)(Citation: Azure Shared Access Signature)

Ссылки

  1. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  2. Microsoft. (2023, June 7). Grant limited access to Azure Storage resources using shared access signatures (SAS). Retrieved March 4, 2024.
  3. Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022.
  4. Delegate access with a shared access signature. (2019, December 18). Delegate access with a shared access signature. Retrieved March 2, 2022.
  5. Clint Gibler and Scott Piper. (2021, January 4). Lesser Known Techniques for Attacking AWS Environments. Retrieved March 4, 2024.
  6. Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022.
  7. Microsoft. (2024, January 9). Learn about data loss prevention. Retrieved March 4, 2024.
  8. Google. (n.d.). Use Workspace DLP to prevent data loss. Retrieved March 4, 2024.
  9. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  10. Microsoft. (2023, October 11). Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Retrieved March 4, 2024.
  11. Google. (n.d.). Manage external sharing for your organization. Retrieved March 4, 2024.
  12. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  13. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  14. Microsoft. (2023, October 1). Use sharing auditing in the audit log. Retrieved March 4, 2024.
  15. Google. (n.d.). Drive log events. Retrieved March 4, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.