When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access via SugarCRM zero-day vulnerability. Quote: ‘The initial attack vector of these AWS account compromises was the zero-day SugarCRM vulnerability, CVE-2023-22952.’
• [T1552.001] Credentials in Files – Plain-text AWS credentials on compromised hosts used for discovery and access. Quote: ‘these plain-text credentials existed on the compromised hosts, which allowed the threat actors to steal them and start using the access keys for discovery activity.’
• [T1087] Account Discovery – GetCallerIdentity reveals user ID, account, and ARN; used to understand the compromised identity. Quote: ‘GetCallerIdentity is the AWS version of whoami… It returns various information about the entity that performed the call such as the user ID, account and Amazon Resource Name (ARN) of the principal associated with the credentials used to sign the request.’
• [T1021.001] Remote Services – SSH – Lateral movement via SSH; modified security groups to permit SSH from any IP and imported keys to enable new EC2 access. Quote: ‘the threat actors then moved to exfiltration, creating brand new databases from the snapshots, making them public and attaching the modified security groups.’
• [T1078] Valid Accounts – Privilege escalation attempts via Root login; attempted to log in as Root, which was noisy in CloudTrail logs. Quote: ‘the threat actors did not attempt to create new IAM users… They instead opted for attempting to login as the Root user. Despite using information they obtained from the Organizations calls… the threat actors still failed to successfully log in as the Root user.’