Cloud compute credentials attacks target misconfigured cloud compute services to steal credentials and access cloud infrastructure, causing costly resource usage and remediation work. The article presents two real-world cases—one in AWS Lambda and one in Google Cloud App Engine—illustrating attacker flows from credential theft to phishing and cryptomining, along with detection recommendations. #ComputeTokenTheft #CloudComputeCredentials
Keypoints
- Cloud compute credential theft is a growing threat that enables attackers to access cloud infrastructure and incur unexpected costs.
- Attack Case 1 shows compromised AWS Lambda credentials leading to a phishing campaign via AWS SES.
- Attack Case 2 shows a compromised Google Cloud App Engine service account (default SA with Editor rights) deploying thousands of cryptomining VMs.
- Attack flows include credential exfiltration, identity and access management (IAM) enumeration, and subsequent cloud service abuse.
- Detection hinges on cloud logging/monitoring, with indicators such as unusual IPs and unauthorized firewall or IAM changes.
- Defensive guidance emphasizes least-privilege IAM, cloud audit logs, and protections like GuardDuty and IAM security tooling.
MITRE Techniques
- [T1087] Account Discovery – The attacker used GetCallerIdentity to learn the account identity; “The attack started with the GetCallerIdentity command. This command is equivalent to whoami, as it provides information about the entity the credentials are associated with.”
- [T1069.002] Permission Groups Discovery – IAM enumeration involved attempts to enumerate roles/policies: “ListAttachedRolePolicies” and “ListRolePolicies.”
- [T1566.003] Phishing: Spearphishing via Service – The phishing attack was launched from AWS SES: “the attacker launched a phishing attack by abusing the cloud email service, which included executing commands such as VerifyEmailIdentity and UpdateAccountSendingEnabled.”
- [T1068] Privilege Escalation – The attacker attempted to escalate privileges by adding the compute/admin role to the IAM policy: “Privilege Escalation 2022-06-16T12:21:17.624 UTC … by adding the following object into the IAM policy.”
Indicators of Compromise
- [IP Address] 50.82.94.112 – used to detect that API calls were coming from a non-Lambda IP during the AWS attack.
- [Credential] AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN – credentials exfiltrated from the Lambda environment.
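As an added example (not code from the Unit 42 article or this summary), detection logic run over constructed CloudTrail-style records: it flags a Lambda execution role's session credentials being used from an IP outside the ranges the account expects for Lambda, and tags the IAM-enumeration and SES events named above. The '-lambda-role/' naming convention and the 203.0.113.0/24 egress range are assumptions made for the example.

```python
import ipaddress
# Event names quoted in the summary above, grouped by attack stage.
STAGE_BY_EVENT = {
    "GetCallerIdentity": "discovery",
    "ListAttachedRolePolicies": "iam-enumeration",
    "ListRolePolicies": "iam-enumeration",
    "VerifyEmailIdentity": "ses-abuse",
    "UpdateAccountSendingEnabled": "ses-abuse",
}
# Assumed Lambda egress CIDRs for this account (constructed; in practice from AWS IP ranges).
LAMBDA_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

def is_lambda_session(identity):
    """STS session of an assumed Lambda execution role ('-lambda-role/' naming is assumed)."""
    return identity.get("type") == "AssumedRole" and "-lambda-role/" in identity.get("arn", "")

def off_platform(ip):
    """True when the caller IP is outside LAMBDA_EGRESS; non-IP service principals are ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LAMBDA_EGRESS)

def analyse(events):
    """Return (eventTime, eventName, reason, sourceIPAddress) findings for Lambda role sessions."""
    findings = []
    for ev in events:
        if not is_lambda_session(ev.get("userIdentity", {})):
            continue  # only sessions issued to Lambda roles are in scope here
        ip, name = ev["sourceIPAddress"], ev["eventName"]
        if off_platform(ip):
            findings.append((ev["eventTime"], name, "lambda-credentials-used-off-platform", ip))
        if name in STAGE_BY_EVENT:
            findings.append((ev["eventTime"], name, STAGE_BY_EVENT[name], ip))
    return findings

# Constructed CloudTrail-style records; 50.82.94.112 is the IP named in the IoCs above.
ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/demo-lambda-role/demo-fn"}
SAMPLE_EVENTS = [
    {"eventTime": "2022-06-16T12:00:01Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.7", "userIdentity": ROLE},
    {"eventTime": "2022-06-16T12:05:09Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "50.82.94.112", "userIdentity": ROLE},
    {"eventTime": "2022-06-16T12:06:30Z", "eventName": "ListAttachedRolePolicies",
     "sourceIPAddress": "50.82.94.112", "userIdentity": ROLE},
    {"eventTime": "2022-06-16T12:20:44Z", "eventName": "VerifyEmailIdentity",
     "sourceIPAddress": "50.82.94.112", "userIdentity": ROLE},
]
```

Running `analyse(SAMPLE_EVENTS)` yields no finding for the in-range PutObject call and two findings for each of the three calls from 50.82.94.112 (one for the off-platform source, one for the attack stage).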
Read more: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/