Navigating the Cloud: Exploring Lateral Movement Techniques

This piece explores cloud lateral movement across AWS, GCP, and Azure, showing how attackers use cloud APIs and compute instances to pivot and reach data, and why defenders should combine agent-based and agentless protections to strengthen their cloud security posture. It highlights techniques, mitigations, and tooling from Unit 42 to help defenders detect and respond to cloud-based lateral movement. #EC2 #EBS #EC2InstanceConnect #SSHKeys #OSLogin #VMAccess #AzureVMAccess

Key points

  • Attackers combine host-level actions with cloud API calls to move laterally within cloud environments (AWS, GCP, Azure).
  • Technique 1: Snapshot creation via AWS EBS, in which a snapshot of the target disk is mounted on a new instance under the attacker's control to read its data.
  • Technique 2: SSH key manipulation across providers (AWS EC2 Instance Connect, GCP metadata-based SSH keys, the Azure VMAccess extension) to gain access to compute instances.
  • Technique 3: Serial console access as an alternative access path, including pushing a public SSH key to enable console connectivity.
  • Technique 4: Management services (e.g., AWS Systems Manager) used to start sessions and run commands across many managed instances, potentially bypassing security groups.
  • Agent-based and agentless solutions are complementary; correlating cloud API activity with host-level telemetry improves detection and response.

MITRE Techniques

  • [T1078] Valid Accounts – An attacker used compromised IAM credentials to access AWS resources and pivot to other instances, e.g. “an attacker with compromised identity and access management (IAM) credentials used the AuthorizeSecurityGroupIngress API to add an inbound SSH rule… They were able to temporarily push a public SSH key by using the SendSSHPublicKey API.”
  • [T1021.004] Remote Services: SSH – The attacker leveraged SSH-related capabilities (an inbound SSH rule via AuthorizeSecurityGroupIngress and EC2 Instance Connect’s SendSSHPublicKey) to connect to EC2 instances: “they were able to temporarily push a public SSH key by using the SendSSHPublicKey API.”
  • [T1059] Command and Scripting Interpreter – Use of cloud run-command APIs (SendCommand) to execute scripts across many instances: “The command to do this is shown in Figure 13.”
  • [T1552.001] Credentials in Files – The attacker discovers credentials stored on disk, including private SSH keys and AWS access tokens: “additional cleartext credentials saved to disk, notably a private SSH key and AWS access tokens.”
  • [T1562.001] Impair Defenses – Attackers with sufficient privileges can disable local security controls and security agents on hosts: “attackers who are able to access hosts often have sufficient privileges to disable local security controls.”

Indicators of Compromise

  • [Credentials/Secrets] – private SSH key, AWS access tokens, and other credentials stored on disk; example: “private SSH key and AWS access tokens.”
  • [Public Keys] – SSH public keys used for access and injected via cloud APIs; example: “temporarily push a public SSH key” and “SSH keys stored in instance/project metadata.”
  • [Cloud API Calls] – API calls associated with lateral movement; example: CreateSnapshot, AuthorizeSecurityGroupIngress, SendSSHPublicKey, StartSession, SendCommand.
  • [Instance/Host Identifiers] – EC2 instance IDs and GCP Compute/VM identifiers used to pivot between resources; example: references to EC2, Instance Connect, and Compute Engine instances.
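As an added example (not code from the Unit 42 post), the following Python applies the correlation idea from the key points to the API calls listed above: it flags any principal that issues two or more distinct lateral-movement calls within a short window, such as AuthorizeSecurityGroupIngress followed by SendSSHPublicKey. The CloudTrail-style records are constructed sample data, and the 30-minute window is an assumed tuning value.

```python
"""Flag sequences of cloud API calls associated with lateral movement."""
import json
from datetime import datetime, timedelta, timezone

# CloudTrail eventName values the page associates with lateral movement.
LATERAL_MOVEMENT_EVENTS = {
    "CreateSnapshot",
    "AuthorizeSecurityGroupIngress",
    "SendSSHPublicKey",
    "StartSession",
    "SendCommand",
}

# Constructed CloudTrail-style records (sample data, not real logs); only the
# fields the detection needs are present. The role/backup entries are two hours
# apart and should not be flagged; user/alice matches the scenario on the page.
SAMPLE_CLOUDTRAIL = """\
{"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2024-05-01T10:02:00Z", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2024-05-01T10:05:00Z", "eventName": "SendSSHPublicKey", "eventSource": "ec2-instance-connect.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
{"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup"}}
{"eventTime": "2024-05-01T09:00:00Z", "eventName": "SendCommand", "eventSource": "ssm.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/backup"}}
"""


def parse_events(raw: str) -> list:
    """Parse newline-delimited CloudTrail records into time-sorted dicts."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "name": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_lateral_movement(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return one alert per principal that issues >= 2 distinct lateral-movement calls within `window`."""
    by_principal = {}
    for e in events:
        if e["name"] in LATERAL_MOVEMENT_EVENTS:
            by_principal.setdefault(e["principal"], []).append(e)
    alerts = []
    for principal, evs in by_principal.items():
        for i, first in enumerate(evs):
            chain = [first]  # sliding window anchored at each flagged call
            for later in evs[i + 1:]:
                if later["time"] - first["time"] <= window and later["name"] not in {c["name"] for c in chain}:
                    chain.append(later)
            if len(chain) >= 2:
                alerts.append({"principal": principal, "sequence": [c["name"] for c in chain], "start": first["time"].isoformat()})
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_lateral_movement(parse_events(SAMPLE_CLOUDTRAIL)), indent=2))
```

In production the flagged principal's host-side telemetry (new authorized_keys entries, SSM agent sessions) is what confirms or clears the alert.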

Read more: https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/