Threat Actors Targeting Cloud and Managed Service Providers
Written by: Vikram Navali, Senior Technical Product Manager

One year after the SolarWinds supply chain attack, attackers are returning with new tooling and campaigns. Threat groups are increasingly targeting unsecured cloud users via cloud solution providers (CSPs). Most intrusions start with credential theft: phishing for credentials or access keys, or deploying malware that harvests usernames and passwords.
Mandiant's research has identified two distinct clusters of activity. The first threat group, tracked as UNC2652, focused on diplomatic entities and leveraged phishing emails. The second, tracked as UNC3004, attempted to gain entry into both federal and private entities via cloud and managed service providers.
This presents defenders with both challenges and opportunities. The discussion below examines the attacker's journey and intended operations across the attack life cycle.
Threat Actor Journey
The threat actors used the tactics below in their campaigns against cloud service providers:
- Compromised multiple technology solutions, services, and reseller companies since 2020
- Obtained credentials from an info-stealer malware campaign run by a third-party actor to gain initial access to organizations
- Used accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021
- Used both residential IP proxy services and newly provisioned, geo-located infrastructure to communicate with compromised victims
- Used novel Tactics, Techniques, and Procedures (TTPs) to bypass security restrictions within environments, including but not limited to extracting virtual machines to determine internal routing configurations
- Used a new bespoke downloader called CEELOADER
- Abused multi-factor authentication by leveraging "push" notifications on smartphones
Their journey starts with compromising a CSP using stolen credentials, establishing a foothold, collecting data, and then moving laterally to compromise the CSP's downstream customers.
Initial Compromise of CSPs
The threat actors gained an initial foothold by leveraging remote access mechanisms from external locations. In one campaign they used a local virtual private network (VPN) account and performed reconnaissance. The research also reveals that the threat actor obtained a session token from an info-stealer malware campaign run by a third-party actor to gain initial access to the organization's Microsoft 365 environment.
In the campaign, they compromised a Microsoft Azure AD account within a CSP's tenant that held a specific Azure AD role permitting use of the Admin on Behalf Of (AOBO) feature. The threat actors leveraged the compromised CSP credentials and AOBO to gain privileged access to the Azure subscriptions used to host and manage downstream customer systems.
The actors executed commands with NT AUTHORITY\SYSTEM privileges within Azure VMs using the Azure Run Command feature in victim environments.
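As an added example (not code from Attivo Networks or the Mandiant report), the Python scan below flags Azure Run Command invocations in Activity Log records, since that is the operation the actors used to execute commands as SYSTEM inside victim VMs. The sample records are constructed; the field names assume the JSON shape returned by `az monitor activity-log list`, and the caller and VM names are placeholders.

```python
"""Flag Azure Run Command invocations in Activity Log records (added example).

SAMPLE_EVENTS is constructed for illustration. Field names assume the JSON
shape returned by `az monitor activity-log list`; a Log Analytics export uses
different column names (e.g. OperationNameValue, Caller, ResourceId).
"""
from collections import defaultdict

# Activity Log operation recorded when Run Command is invoked on a VM.
RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
VM_PREFIX = ("/subscriptions/sub-0001/resourceGroups/rg-app/providers/"
             "Microsoft.Compute/virtualMachines/")

# Constructed records: one delegated-admin identity running commands on two
# VMs within a minute, plus an unrelated VM start by a customer operator.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2021-12-06T09:14:02Z", "caller": "delegated-admin@csp-partner.example",
     "operationName": {"value": RUN_COMMAND_OP}, "resourceId": VM_PREFIX + "web-01",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2021-12-06T09:14:40Z", "caller": "delegated-admin@csp-partner.example",
     "operationName": {"value": RUN_COMMAND_OP}, "resourceId": VM_PREFIX + "db-01",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2021-12-06T09:20:11Z", "caller": "ops@customer.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "resourceId": VM_PREFIX + "web-01", "status": {"value": "Succeeded"}},
]


def run_command_events(events, approved_callers=frozenset()):
    """Return Run Command invocations not issued by an approved caller."""
    hits = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op != RUN_COMMAND_OP or ev.get("caller") in approved_callers:
            continue
        hits.append({"time": ev["eventTimestamp"], "caller": ev.get("caller"),
                     "vm": ev["resourceId"].rsplit("/", 1)[-1],
                     "status": ev["status"]["value"]})
    return hits


def callers_by_vm_count(hits):
    """Count distinct VMs per caller: one identity issuing Run Command across
    many VMs in a short window is the fan-out pattern a delegated admin
    compromise produces."""
    vms = defaultdict(set)
    for h in hits:
        vms[h["caller"]].add(h["vm"])
    return {caller: len(v) for caller, v in vms.items()}
```

Feed the functions the output of `az monitor activity-log list --output json` (or the equivalent export) and seed `approved_callers` with the automation identities that legitimately use Run Command.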
Lateral Movement Between CSP and Downstream Clients
Once the threat group completed the initial compromise and obtained higher privileges through the AOBO and RBAC features, they moved laterally through the network, searching for sensitive data and other high-value assets. The actors compromised a customer administration account within the CSP's environment and then moved laterally into the victim customer's network using the stolen credentials and RDP.
In another incident, the actors deployed Cobalt Strike BEACON on endpoints via PowerShell scripts. For persistence, BEACON installed CEELOADER (a downloader that decrypts a shellcode payload and executes it in memory) as a scheduled task that ran at logon as SYSTEM on the victim's endpoints.
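As an added example (not code from Attivo Networks or the Mandiant report), the Python check below parses scheduled-task XML of the kind recorded in Windows Security event 4698 (scheduled task created) and flags the persistence shape described above: a logon trigger, running as SYSTEM, launching a binary outside trusted system directories. The task XML and paths are constructed placeholders, not indicators from the report.

```python
"""Flag scheduled tasks matching the logon-as-SYSTEM persistence pattern
(added example). The task XML below is constructed to resemble the
TaskContent field of Windows Security event 4698; paths are placeholders."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
# Binaries launched from these locations are treated as expected; tune to your estate.
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")

# Constructed: logon trigger, runs as SYSTEM, binary under ProgramData.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\PLACEHOLDER\svc.exe</Command></Exec></Actions>
</Task>"""

# Constructed: same trigger and principal, but a binary under C:\Windows.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\PLACEHOLDER.exe</Command></Exec></Actions>
</Task>"""


def parse_task(task_xml):
    """Extract the trigger type, run-as principal and command from task XML."""
    root = ET.fromstring(task_xml)
    return {
        "logon_trigger": root.find("t:Triggers/t:LogonTrigger", NS) is not None,
        "user_id": root.findtext("t:Principals/t:Principal/t:UserId",
                                 default="", namespaces=NS).strip(),
        "command": root.findtext("t:Actions/t:Exec/t:Command",
                                 default="", namespaces=NS).strip(),
    }


def is_suspicious_persistence(task_xml, trusted_dirs=TRUSTED_DIRS):
    """True when the task runs at logon as SYSTEM from an untrusted location."""
    task = parse_task(task_xml)
    runs_as_system = task["user_id"].upper() == SYSTEM_SID
    from_trusted_dir = task["command"].upper().startswith(
        tuple(d.upper() for d in trusted_dirs))
    return task["logon_trigger"] and runs_as_system and not from_trusted_dir
```

In production, pull the TaskContent string out of each 4698 event (for example from Sysmon or a SIEM export) and pass it to `is_suspicious_persistence`; hits are worth correlating with the PowerShell activity that created the task.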
How do Attivo Networks Solutions Help?
Attivo Networks solutions detect advanced attack techniques that threat actors use to move laterally inside an organization’s network, data center, cloud environment, remote site, or branch offices.
Additionally, Attivo Networks Identity Detection and Response solutions provide visibility and reduce the attack surface for identities and entitlements in the cloud. The solution helps monitor entitlements to essential cloud services across all cloud platforms such as Microsoft Azure, AWS, and Google Cloud. It provides detailed entitlement visibility for users, applications, virtual machines, containers, serverless functions, and other objects the threat groups target.
MITRE ATT&CK Techniques Mapped to Attivo Networks Solutions
The following table lists the MITRE ATT&CK techniques observed in the threat actors' campaigns and summarizes how Attivo Networks solutions address these TTPs.

| MITRE ATT&CK Tactic | MITRE ATT&CK Techniques | Attivo Networks Products and Features |
|---|---|---|
| Initial Access | External Remote Services (T1133); Valid Accounts (T1078); Trusted Relationship (T1199) | The EDN ThreatStrike® and ThreatPath solutions |
| Execution | Command and Scripting Interpreter (T1059); PowerShell (T1059.001); Windows Command Shell (T1059.003) | The ADSecure solution |
| Persistence | External Remote Services (T1133); Valid Accounts (T1078) | The EDN ThreatStrike and ThreatPath® solutions |
| Privilege Escalation | Valid Accounts (T1078) | The EDN ThreatStrike and ThreatPath solutions |
| Defense Evasion | Valid Accounts (T1078) | The EDN ThreatStrike and ThreatPath solutions |
| Credential Access | OS Credential Dumping (T1003) | The ADSecure, EDN ThreatStrike, and ThreatPath solutions |
| Discovery | File and Directory Discovery (T1083); Account Discovery (T1087); Local Account (T1087.001); Domain Account (T1087.002); System Network Configuration Discovery (T1016); System Owner/User Discovery (T1033); System Network Connections Discovery (T1049); Network Service Scanning (T1046); System Service Discovery (T1007); Permission Groups Discovery (T1069) | The EDN ThreatStrike solution, Anti-Ransomware capabilities, and ADSecure solutions |
| Lateral Movement | Remote Services (T1021); Remote Desktop Protocol (T1021.001); SSH (T1021.004) | The Attivo Networks ThreatDefend® platform |
| Collection | Data from Information Repositories (T1213) | The Attivo Networks ThreatDefend platform |
Both Microsoft and Mandiant reported on UNC2652 and UNC3004 activity and linked them to the group behind the SolarWinds compromise. The reporting also highlights that these groups leverage third-party and trusted vendor relationships to carry out operations targeting cloud computing services. Organizations, especially those moving to the cloud, can implement active defense strategies that accelerate incident response.