Unsecured Credentials: API метаданных облачных экземпляров
Other sub-techniques of Unsecured Credentials (7)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
Примеры процедур |
|
| Название | Описание |
|---|---|
| TeamTNT |
TeamTNT has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group) |
| Peirates |
Peirates can query the query AWS and GCP metadata APIs for secrets.(Citation: Peirates GitHub) |
| Hildegard |
Hildegard has queried the Cloud Instance Metadata API for cloud credentials.(Citation: Unit 42 Hildegard Malware) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
| Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
Обнаружение
Monitor access to the Instance Metadata API and look for anomalous queries. It may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.
Ссылки
- Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.
- Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.
- AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019.
- MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.