Cloud storage security: What's new in the threat matrix


Today, we announce the release of a second version of the threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services. The matrix, first released in April 2021 as detailed in the blog post Threat matrix for storage services, lays out a rich set of attack techniques mapped to a well-known set of tactics described by MITRE's ATT&CK® framework and comprehensive knowledge base, allowing defenders to more efficiently and effectively adapt and respond to new techniques.

Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: https://aka.ms/StorageServicesThreatMatrix

[Figure: Threat matrix with updated techniques included in the reconnaissance, initial access, persistence, defense evasion, credential access, discovery, lateral movement, and exfiltration stages.]
Figure 1. Threat matrix for storage services

Of the new techniques detailed in this blog, some noteworthy examples include:

  • Object replication – Allows attackers to maliciously misuse the object replication feature in both directions, by either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.
  • Operations across geo replicas – Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not detect enough activity in a single region to trigger an alert.
  • Static website – Allows attackers to exfiltrate data using the "static website" feature, a feature provided by major cloud storage providers that can often be overlooked by less experienced users.

In this blog post, we'll introduce new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.

New techniques in the matrix

1. Reconnaissance

Reconnaissance consists of techniques that involve attackers actively or passively gathering information that can be used to support targeting.

DNS/Passive DNS – Attackers may search DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).

Victim-owned websites – Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.

2. Initial access

Initial access consists of techniques that use various entry vectors to gain an initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement via a malicious payload that is distributed to other resources.

SFTP credentials – Attackers may obtain and abuse credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the client connects to the cloud storage service, the client can upload and download blobs and perform other operations that are supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, along with credentials in the form of passwords or key pairs.

NFS access – Attackers may perform initial access to a storage account using the NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via the NFS protocol does not require authentication and can be performed by any source on the permitted networks.

SMB access – Attackers may perform initial access to storage account file shares using the Server Message Block (SMB) protocol.

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim's container to the adversary's container. Inbound replication can be used to deliver malware from an adversary's container to a victim's container. After the policy is set, the attacker can operate on their own container without accessing the victim container.

3. Persistence

Persistence consists of techniques that attackers use to keep access to the storage account across changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems.

Create SAS token – Attackers may create a high-privileged SAS token with a long expiry to preserve valid credentials for an extended period. The tokens are not monitored by storage accounts, so they cannot be revoked (except Service SAS) and it is not easy to determine whether there are valid tokens in the wild until they are used.

Container access level property – Attackers may adjust the container access level property at the granularity of a blob or container to allow anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even when the initial access technique is no longer valid.

SFTP account – Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected by storage account access key rotation.

Trusted Azure services – Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly allows the source address of the resource.

Trusted access based on a managed identity – Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be selected from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that the resource instance can perform on storage account data.

Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network's address range. All requests sent to the private endpoint bypass the storage account firewall by design.

4. Defense evasion

The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their malicious activity.

Disable audit logs – Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.

Disable cloud workload protection – Attackers may disable the cloud workload protection service, which raises security alerts upon detection of malicious activities in cloud storage services.

Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network's address range. All requests sent to the private endpoint bypass the storage account firewall by design.

Operations across geo replicas – Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.

5. Credential access

Credential access consists of techniques for stealing credentials like account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and provide the opportunity to help achieve their goals.

Unsecured communication channel – Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support an unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.
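As an added example (not from the original post or from Microsoft), a posture check covering the account settings behind the initial access, persistence and credential access techniques above: NFS and SFTP exposure, anonymous container access, the trusted-service and resource-instance firewall bypasses, and unencrypted HTTP. The account is a constructed sample, and the property names are assumed to match the Microsoft.Storage ARM resource properties (supportsHttpsTrafficOnly, allowBlobPublicAccess, isSftpEnabled, isNfsV3Enabled, networkAcls).

```python
# Posture check for storage-account settings tied to initial access (NFS/SFTP),
# persistence (anonymous access, trusted-service bypass, instance rules) and
# credential access (HTTP). Property names mirror Microsoft.Storage ARM
# properties (assumption); the sample account below is constructed, not real data.
SAMPLE_ACCOUNT = {
    "name": "contosodata",  # constructed
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "allowBlobPublicAccess": True,
        "isSftpEnabled": True,
        "isNfsV3Enabled": True,
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices, Logging",
            "resourceAccessRules": [{"tenantId": "<tenant-placeholder>",
                "resourceId": "/subscriptions/<sub-placeholder>/providers/Microsoft.Synapse/workspaces/*"}],
        },
    },
}


def assess(account: dict) -> list:
    """Return (matrix technique, finding) pairs for each risky setting found."""
    p = account.get("properties", {})
    acl = p.get("networkAcls", {})
    findings = []
    if not p.get("supportsHttpsTrafficOnly", True):
        findings.append(("Unsecured communication channel",
                         "HTTP allowed: shared keys and SAS tokens can cross the wire in clear"))
    # A missing key is treated as risky: older accounts allowed anonymous access by default.
    if p.get("allowBlobPublicAccess") is not False:
        findings.append(("Container access level property",
                         "anonymous blob access not disabled at account level"))
    if p.get("isSftpEnabled", False):
        findings.append(("SFTP account",
                         "SFTP enabled: local users bypass Azure RBAC and survive key rotation"))
    if p.get("isNfsV3Enabled", False):
        findings.append(("NFS access",
                         "NFS 3.0 enabled: unauthenticated access from allowed networks"))
    bypass = {b.strip() for b in acl.get("bypass", "").split(",") if b.strip()}
    if "AzureServices" in bypass:
        findings.append(("Trusted Azure services",
                         "firewall bypass for trusted Azure services is on"))
    for rule in acl.get("resourceAccessRules", []):
        if rule.get("resourceId", "").endswith("*"):  # wildcard instance rule
            findings.append(("Trusted access based on a managed identity",
                             f"wildcard resource instance rule: {rule['resourceId']}"))
    return findings
```

Each finding names the matrix technique it maps to, so the output can be filed directly against the tactic columns in Figure 1.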

6. Discovery

Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.

Account configuration discovery – Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, the firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy, which may help the attacker in performing data destruction.

7. Exfiltration

Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to another cloud storage outside of the victim account and may also include putting size limits on the transmission.

Static website – Attackers may use the "static website" feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint, which can be overlooked when restricting access to the storage account.

Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel of customer data from a victim's container to an adversary's container.
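An added example, not from the original post, that triages constructed Azure Activity Log records for the control-plane changes behind the object replication, SFTP account, private endpoint, disabled audit logs and disabled workload protection techniques, and surfaces callers whose successful changes span more than one tactic. The operation names (objectReplicationPolicies/write, localUsers/write, privateEndpointConnections/write, Microsoft.Insights/diagnosticSettings/delete, Microsoft.Security/pricings/write) and the caller and resource values are assumptions and sample data, not records from a real tenant.

```python
# Triage of Azure Activity Log (control-plane) records against the matrix.
# Operation names follow the Microsoft.Storage / Microsoft.Insights /
# Microsoft.Security resource-provider naming (assumption, matched
# case-insensitively); the records below are constructed, not real tenant data.
import json
from collections import defaultdict

# operationName suffix -> (tactic, matrix technique)
OPERATION_MAP = {
    "storageaccounts/objectreplicationpolicies/write": ("Exfiltration", "Object replication"),
    "storageaccounts/localusers/write": ("Persistence", "SFTP account"),
    "storageaccounts/privateendpointconnections/write": ("Persistence", "Private endpoint"),
    "microsoft.insights/diagnosticsettings/delete": ("Defense evasion", "Disable audit logs"),
    "microsoft.security/pricings/write": ("Defense evasion", "Disable cloud workload protection"),
}

SA = "/subscriptions/<sub-placeholder>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/contosodata"
# Constructed sample records (JSON lines): one caller disables logging and then sets up replication.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2024-01-05T10:01:00Z", "caller": "ops@contoso.example", "status": "Succeeded",
     "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE", "resourceId": SA},
    {"time": "2024-01-05T10:04:00Z", "caller": "ops@contoso.example", "status": "Succeeded",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/OBJECTREPLICATIONPOLICIES/WRITE", "resourceId": SA},
    {"time": "2024-01-05T10:05:00Z", "caller": "ops@contoso.example", "status": "Succeeded",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "resourceId": SA},
    {"time": "2024-01-05T11:00:00Z", "caller": "svc-backup@contoso.example", "status": "Succeeded",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LOCALUSERS/WRITE", "resourceId": SA},
    {"time": "2024-01-05T11:30:00Z", "caller": "dev@contoso.example", "status": "Failed",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/PRIVATEENDPOINTCONNECTIONS/WRITE", "resourceId": SA},
])

def classify(record: dict):
    """Map one record to (tactic, technique), or None if the operation is not of interest."""
    op = record.get("operationName", "").lower()
    return next((hit for suffix, hit in OPERATION_MAP.items() if op.endswith(suffix)), None)

def triage(jsonl: str) -> dict:
    """caller -> tactic -> set of techniques, counting only successful operations."""
    by_caller = defaultdict(lambda: defaultdict(set))
    for line in jsonl.splitlines():
        rec = json.loads(line)
        hit = classify(rec)
        if hit and rec.get("status") == "Succeeded":
            by_caller[rec["caller"]][hit[0]].add(hit[1])
    return by_caller

def suspicious_callers(jsonl: str, min_tactics: int = 2) -> list:
    """Callers whose successful operations span at least `min_tactics` tactics."""
    return sorted(c for c, tactics in triage(jsonl).items() if len(tactics) >= min_tactics)
```

In the sample, only the caller that both deleted diagnostic settings and created a replication policy is surfaced; the lone SFTP local-user creation is recorded under persistence but does not cross the two-tactic threshold on its own.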

Conclusion

As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats to your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. Learn more about Microsoft Defender for Cloud support for storage security.

Evgeny Bogokovsky

Microsoft Threat Intelligence

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.



