Palo Alto: Growing Cloud Threats Exposed by SugarCRM Zero-day

A recent study conducted by Palo Alto Networks has revealed that threat actors are gaining more knowledge and expertise in cloud environments, as demonstrated by complex attacks that targeted AWS environments using a zero-day vulnerability in SugarCRM. Margaret Zimmermann, a cloud incident responder at Palo Alto Networks, discussed the findings of the study during a session at the Black Hat USA 2023 conference titled “When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM 0-Day Vulnerability.”

The research found that the primary lesson learned from the incident response cases handled by Palo Alto Networks’ Unit 42 was that threat actors are becoming more proficient in operating within cloud environments. The vulnerability exploited by the attackers was not specific to AWS and could have been exploited in any cloud environment. This highlights the growing competence of threat actors in cloud-related attacks.

SugarCRM is a customer relationship management (CRM) platform that provides software for marketing and sales teams. The attackers took advantage of an improper input validation remote code execution vulnerability, known as CVE-2023-22952, which had a CVSS score of 8.8 and affected multiple SugarCRM products. Using this vulnerability, the threat actors gained direct access to Amazon Elastic Compute Cloud (EC2) instances and successfully compromised long-term AWS access keys.

One interesting aspect of the attacks highlighted by Zimmermann was the attackers’ use of unconventional methods, such as scanning customers’ cost and usage service. Initially, this appeared random, but on analysis it turned out that this service contained information that could help the threat actors remain undetected: by targeting accounts with higher total costs, the attackers could create new resources without raising suspicion.

Additionally, the threat actors created public Amazon Relational Database Service (RDS) instances and additional EC2 instances, sometimes in regions that differed from the organization’s normal infrastructure. However, their attempts to gain root logins were unsuccessful in many cases, often because multifactor authentication was in place.

Zimmermann emphasized that the incident response investigations revealed the threat actors’ working knowledge of AWS and cloud environments overall. This level of proficiency is uncommon among attackers, but it demonstrates their adaptability and ability to learn. The use of API calls to gather information without triggering threat detection alerts was one example of how they have adapted to the cloud.

To defend against such attacks, Zimmermann recommended focusing on four key areas: access keys, identity and access management (IAM) policies, monitoring root access, and logging. Patching the CVE-2023-22952 vulnerability is crucial for defense, but additional steps should be taken to protect access keys, such as regular rotation and deletion of any unused keys. Restricting IAM permissions is also important to prevent attackers from exploiting expansive permissions.

In terms of monitoring and logging, Zimmermann advised AWS users to enable CloudTrail and GuardDuty in all regions. Virtual private cloud (VPC) flow logs can also help determine whether data has been exfiltrated. Log analysis played a crucial role in the incident response cases involving the SugarCRM attacks, where abnormal API calls were identified and investigated.
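As an added illustration of the log analysis described above (not code from Palo Alto Networks or from the talk), the following script scans CloudTrail records for the tradecraft the article attributes to the campaign: cost-and-usage reconnaissance, resource creation outside the organization’s usual regions, publicly accessible RDS instances, and use of long-term access keys. The baseline region set and the sample records are constructed assumptions; the field names match the CloudTrail record format.

```python
"""Flag CloudTrail events matching the tactics described in the SugarCRM cases."""
import json

# Assumed baseline: regions where this (hypothetical) organization normally runs workloads.
BASELINE_REGIONS = {"us-east-1", "us-west-2"}

# Cost Explorer and Cost and Usage Reports: the services read to pick high-spend accounts.
COST_SOURCES = {"ce.amazonaws.com", "cur.amazonaws.com"}


def flag_event(event, baseline_regions=BASELINE_REGIONS):
    """Return a list of reasons the event is suspicious (empty list if none)."""
    reasons = []
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    params = event.get("requestParameters") or {}
    source, name, region = event.get("eventSource", ""), event.get("eventName", ""), event.get("awsRegion", "")

    if source in COST_SOURCES:
        reasons.append("cost-and-usage reconnaissance")
    if region and region not in baseline_regions and name.startswith(("Create", "Run")):
        reasons.append(f"resource creation in non-baseline region {region}")
    if source == "rds.amazonaws.com" and name == "CreateDBInstance" and params.get("publiclyAccessible") is True:
        reasons.append("publicly accessible RDS instance created")
    # Long-term IAM user keys start with AKIA; STS temporary credentials start with ASIA.
    # A hit made with a long-term key is exactly the case the rotation/deletion advice targets.
    if reasons and key_id.startswith("AKIA"):
        reasons.append(f"performed with long-term access key {key_id}")
    return reasons


def scan(records):
    """Return {eventID: reasons} for every record that trips at least one rule."""
    hits = {}
    for record in records:
        reasons = flag_event(record)
        if reasons:
            hits[record["eventID"]] = reasons
    return hits


# Constructed sample records (not from the incident); the key ID is AWS's documentation example.
SAMPLE_EVENTS = json.loads("""[
 {"eventID":"e1","eventSource":"ce.amazonaws.com","eventName":"GetCostAndUsage","awsRegion":"us-east-1",
  "userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventID":"e2","eventSource":"rds.amazonaws.com","eventName":"CreateDBInstance","awsRegion":"eu-north-1",
  "userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"requestParameters":{"publiclyAccessible":true}},
 {"eventID":"e3","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-east-1",
  "userIdentity":{"accessKeyId":"ASIAIOSFODNN7EXAMPLE"}}
]""")

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Only e1 and e2 are reported; e3 is a read-only call from a temporary credential in a baseline region and trips no rule.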

Although these recommended tools are not enabled automatically for AWS users, organizations can access the default 90 days of CloudTrail event history for API calls, and free trials may be available for other cloud tools.

In closing, Zimmermann stressed the importance of organizations keeping pace with the evolving threat landscape by proactively implementing security measures in cloud environments. By understanding the tactics and techniques used by threat actors, organizations can better protect their assets and mitigate the risk of cloud-related attacks.
