Backdoors & Breaches: New scenarios and adaptations

Key points

  • Datadog showcased its Backdoors & Breaches expansion pack at DASH 2026 in the Security Zone.
  • The expansion pack can be ordered online or used in a digital format for distributed teams.
  • Datadog added four new starter scenarios based on active threat trends in the current landscape.
  • One scenario covers a backdoored software supply chain leading to credential store compromise, exfiltration through resource snapshotting, and additional credential creation.
  • Another scenario centers on a vibe-coded cloud application exposing secrets, followed by IAM policy abuse, cloud-based exfiltration, and a backdoored role trust policy.
  • Additional scenarios include an AI web app vulnerable to prompt injection in Kubernetes and a compromised GitHub Action causing exposed credentials, HTTPS exfiltration, and a malicious service.
  • The game now includes open-face play, detection tool screenshots, and consultant cards featuring SecurityHQ.

MITRE Techniques

  • [T1195.002] Compromise Software Supply Chain – A third-party library was integrated into the build pipeline and later used for unauthorized activity, indicating supply chain compromise [‘Your platform team recently integrated a popular third-party library into your build pipeline… long-lived API tokens are being used from unfamiliar environments’]
  • [T1528] Steal Application Access Token – Long-lived API tokens were abused from unfamiliar environments after deployment [‘long-lived API tokens are being used from unfamiliar environments’]
  • [T1003] OS Credential Dumping – Credential store compromise was used as a pivot for escalation and further access [‘Pivot and escalate: Credential store compromise’]
  • [T1530] Data from Cloud Storage – Resources were snapshotted and used for exfiltration [‘C2 and exfil: Snapshotting resources as exfil’]
  • [T1098] Account Manipulation – Additional credential creation was used to maintain persistence [‘Persistence: Additional credential creation’]
  • [T1078.004] Cloud Accounts – Embedded secrets exposed cloud credentials, enabling unauthorized access from external sources [‘exposing cloud credentials due to embedded secrets in client-side code’]
  • [T1098.003] Additional Cloud Credentials – Privilege persistence was achieved by altering IAM-related trust and role policies [‘Persistence: Backdoored role trust policy’]
  • [T1484.001] Domain or Tenant Policy Modification – IAM policy abuse was used to escalate privileges in the cloud environment [‘Pivot and escalate: Identity and access management (IAM) policy abuse’]
  • [T1021.006] Cloud Service Dashboard – Data access and movement blended into normal cloud activity, indicating use of cloud services for exfiltration [‘C2 and exfil: Living off the cloud as exfil’]
  • [T1190] Exploit Public-Facing Application – A new AI web application vulnerable to prompt injection was compromised [‘A new AI web application vulnerable to prompt injection is running in one of your Kubernetes clusters’]
  • [T1068] Exploitation for Privilege Escalation – Privilege changes across the Kubernetes cluster suggest escalation [‘unusual service behavior and privilege changes across the cluster’]
  • [T1090.003] Multi-hop Proxy – Outbound traffic was quietly routed through a trusted SaaS provider, functioning as a proxy/VPN channel [‘outbound traffic that is quietly routing through a trusted SaaS provider’]
  • [T1133] External Remote Services – The trusted SaaS provider was used as a tunneling path for C2 [‘Software as a service (SaaS) tunneling virtual private network (VPN) as C2’]
  • [T1552.001] Credentials in Files – Secrets were exposed in client-side code and later in storage locations [‘exposing cloud credentials due to embedded secrets in client-side code’, ‘identified exposed credentials in a storage location’]
  • [T1525] Implant Internal Image – A previously unseen service continued running after the pod was terminated, suggesting persistence via a malicious service [‘a previously unseen service continues running in the environment’]
  • [T1213] Data from Information Repositories – Exposed credentials were discovered in a storage bucket [‘Credentials exposed in storage bucket’]
  • [T1041] Exfiltration Over C2 Channel – Unusual outbound HTTPS traffic was used for exfiltration [‘unusual outbound HTTPS traffic originating from systems that shouldn’t be communicating externally’]

Indicators of Compromise

  • [Organization/Project names] incident response game and training content – Backdoors & Breaches, Datadog, SecurityHQ
  • [Platforms/Services] affected environments and attack surfaces – Kubernetes, GitHub Actions, cloud environment, SaaS provider
  • [Credential artifacts] abused or exposed secrets – long-lived API tokens, cloud credentials, developer credentials
  • [Storage locations] exposed or accessed for secrets and data – storage bucket, credential store
  • [Traffic patterns] suspicious network activity – outbound HTTPS traffic, unusual API activity
  • [Behavioral indicators] persistence and access anomalies – additional credential creation, malicious service, backdoored role trust policy

Read more: https://securitylabs.datadoghq.com/articles/backdoors-and-breaches-new-scenarios/