Check Your Privilege – the Risks of Privilege Escalation In the Cloud

Facebook founder and CEO Mark Zuckerberg’s famous motto, ‘move fast and break things’ is believed to be one of the drivers behind the company’s innovations and growth.  However, moving faster than you’d planned isn’t always a good thing, as organizations worldwide discovered during the COVID-19 pandemic.  While 2020 saw digital transformation programs advance by over five years in response to the pandemic, this rapid move to mass remote working and cloud connectivity also meant that for many organizations, some things got broken along the way – including security.

Research in mid-2020 by Check Point found that public cloud security is a major concern for 75% of enterprises, and over 80% of enterprises found their existing security tools don’t work at all or had only limited functions in the cloud, exposing them to the risks of breaches and attacks.  The dynamic, fast-moving nature of the cloud is one of the root causes of these risks, because it often leads to misconfigured permissions and privileges linked to identities or users.

Threat actors and cyber criminals have been quick to exploit these misconfigurations and vulnerabilities.  The Ponemon Institute’s 2020 Cost of a Data Breach Report identified cloud misconfigurations as the attackers’ entry point of choice:  combined with stolen or compromised credentials, these issues were the cause of nearly 40% of all breaches.  And they also led to one of the largest and most significant cyber-attacks ever:  the ‘Sunburst’ supply chain compromise attacks which breached over 18,000 government and private-sector technology organizations worldwide via a backdoor embedded in their SolarWinds network management software.

Blinded by Sunburst

Dark Halo, the threat actor behind the Sunburst attacks, relied heavily on the cloud model to access sensitive information and gain footholds on the networks of targeted organizations. Once an enterprise was compromised, the attacker moved laterally from the backdoor in the target’s SolarWinds server to their Active Directory Federation Services server, which is responsible for the organization’s Single Sign On processes for accessing cloud services like Office365. At this point, the attacker used a previously published technique to gain persistent, full and hard-to-detect access to the victim’s cloud services, allowing them to explore and steal data from emails and storage.

But how did the threat actor compromise SolarWinds’ systems in the first place, giving themselves the platform from which they could use privilege escalation to attack organizations using its software?  Stolen or guessed credentials are one of the main sources of attack SolarWinds is investigating:  executives have blamed a company intern for a critical lapse in password security that was undiagnosed for years, and have yet to rule out this lapse as a root cause of the attack.  It shows just how significant a single breached, stolen password can be.

Taking unearned privileges

Sunburst is the highest-profile example of a significant change in the nature of cloud misconfigurations, their root causes, and their consequences over the past year as identity and access management (IAM) misconfigurations began making headlines. These targeted attacks on cloud accounts, sometimes caused by flaws in the provider’s permissions or trust policy logic, can allow an attacker to gain privilege escalation and move laterally within the corporate’s cloud environment, thus obtaining certificate private keys, sensitive information and database credentials and enabling them to access sensitive data.

Essentially, we are seeing a shift towards attacking cloud accounts instead of cloud resources. This shift has opened the door for attack vectors based on role assumption – the ability to obtain short-term permissions to authorized resources – that often enables vast operations within the cloud environment, including data theft.  According to security researchers, Identity and Access Management (IAM) roles can be abused by 22 APIs found in 16 AWS services. Privilege escalation exploits based on permission settings can also be found on Salesforce, which unlike AWS, is a SaaS (Software as a Service) solution.

This new class of privilege escalation attacks, leveraging structural components of the cloud infrastructure, can often be achieved by chaining several vulnerabilities and misconfigurations together. Initial access can be obtained via a vulnerable cloud-hosted application and used by the attackers to obtain the token required to gain elevated permissions.  This then enables them to move laterally within the different segments of the environment, gradually escalating privileges.

These attacks rely on understanding the components, architecture, and trust policy of both IaaS (Infrastructure-as-a-Service, such as Amazon) and SaaS providers to construct sophisticated multi-stage attacks.  This is in contrast with previously-common types of data breaches, which mostly relied on misconfigured settings – such as publicly exposed AWS S3 storage buckets.

Protecting your privileges

So how should organizations go about closing off security gaps and vulnerabilities that could be exploited by criminals?  As we saw earlier with the Sunburst attack, sometimes the flaw lies in a particular application or multiple applications within their environments.  This means it’s critical to monitor for security patches for all applications used, and to apply them as soon as possible to minimise the opportunity for attackers.  It’s also useful to ensure that unneeded services within an application are disabled, to minimize network access points.

Organizations should also design their networks and cloud infrastructures according to least privilege principles, so that users do not have access to services they are unlikely to, or should not use.  Many attacks rely on exploit chains that combine multiple vulnerabilities in multiple systems, so breaking one link in that chain can often stop the entire attack in its tracks.  Finally, enterprises need to get holistic visibility across all their public cloud environments, and deploy unified, automated cloud-native protections. This way, they can keep pace with business demands while ensuring continuous security and compliance.

Find out more about the latest threats targeting public clouds, and how they can be mitigated in Check Point’s new 2021 Security Report.