This analysis surveys VM attack paths into cloud environments across AWS, Azure, and GCP, showing how legitimate features and misconfigurations can be abused to access or control virtual machines. It also outlines mitigations, provider-specific safeguards, and how Unit 42 threat research and Palo Alto Networks products help defend cloud workloads. #Unit42 #AWS #Azure #GCP
Keypoints
- 11% of cloud hosts exposed to the internet contain Critical or High severity vulnerabilities, representing a key initial-access risk.
- Attack paths often leverage control plane APIs and permissions obtained via credential leaks or phishing to reach VM instances.
- Startup script manipulation (AWS User Data, Azure Custom Data, and GCP Metadata) can inject malicious code at VM initialization.
- SSH key push mechanisms across CSPs (EC2 Instance Connect, VMAccess, and metadata-based keys) enable unauthorized VM access if not properly restricted.
- Direct code execution across VMs is possible via cloud features like SSM Run Command, VM Run Command, and OS Config/VM Manager.
- SSH over middleware and serial console access provide alternate entry points that can bypass typical network controls if not properly secured.
- Mitigations focus on restricting risky permissions, monitoring API usage, and using security tools (Prisma Cloud, Cortex XDR, Cortex Xpanse) to enforce attack-path policies.
MITRE Techniques
- [T1190] Exploit Public-Facing Application β Attackers gain initial access by exploiting remotely exploitable VM vulnerabilities. βThe vulnerability allows remote code execution, file access or file overwriting.β
- [T1547.001] Boot or Logon Initialization: Modify startup scripts β Attacker modifications to startup scripts can inject malicious code into VMs. βA startup script is a file that executes tasks during the initialization process of a VM instance. β¦ If attackers gain permissions to alter a VMβs startup script, they could exploit this feature to inject malicious code into the VMs.β
- [T1556.004] SSH Authorized Keys β Attackers push SSH keys to gain access across CSPs. βIf attackers gain permissions to push SSH keys, they could exploit this feature to gain unauthorized access to VMs.β
- [T1021] Remote Services β Use of cloud-based remote command mechanisms to run commands across VMs. βThe Run Command feature allows users to execute commands on nodes where the System Manager is installed.β
- [T1133] External Remote Services β Serial console access as a remote management path that could be abused to bypass network controls. βMost cloud service providers offer serial console access as a feature to troubleshoot boot and network configuration issues in VMs.β
- [T1059] Command and Scripting Interpreter β Direct code execution across VMs via cloud commands. βThe Run Command feature allows users to execute commands on nodes where the System Manager is installed.β
Indicators of Compromise
- [Domain] Unit 42 threat research and Palo Alto Networks pages referenced β unit42.paloaltonetworks.com, paloaltonetworks.com
- [URL] Source links cited in the article β https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/, https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research
- [Domain] Cloud service provider domains mentioned in context β cloud.google.com, amazonaws.com, cloud.google.com
Read more: https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/