Identity and access management systems have improved the security of cloud services, but CyberArk researchers showed how threat actors can use those very same systems to maintain a persistent presence in enterprise networks.
In a session at RSA Conference 2018 on Thursday, CyberArk demonstrated how malicious actors or insider threats could create "shadow admins" within cloud environments such as Amazon Web Services by simply changing a couple lines of an identity and access management (IAM) policy.
Lavi Lazarovitz, cyber-research team leader of CyberArk Labs, based in Newton, Mass., said the team began researching cloud shadow admins a few months ago and saw how cloud permission structures might hide unique privileged accounts that often get lost in the mix of standard privileged accounts.
"We looked at specific accounts that had specific permissions to do specific things, such as a DevOps engineer having permission to run a certain cloud instance," Lazarovitz told SearchSecurity. "We looked at how those very unique accounts and sets of permissions might eventually allow the user themselves or a malicious actor to escalate the privileges, based on the permissions structure, and take control of the whole network."
Using AWS as an example, Asaf Hecht, security researcher at CyberArk, explained during the session how a DevOps engineer's account that may not have permission to delete EC2 instances could still be used to wipe out all of the target organization's instances. If an attacker compromised an engineer's credentials, he said, the permissions are limited and prevent the user from accessing a full AWS user list for the organization.
However, the attacker can still create a new EC2 instance. By accessing AWS instance profiles and searching for a privileged account such as "AdminRole," the attacker can attach the AdminRole account to the new instance, read its metadata and retrieve the credentials. Those credentials, which include the account's access key and the session token, can then be loaded into the AWS command-line interface, where the attacker can use those elevated privileges to delete all the organization's EC2 instances.
That example was one of 10 scenarios Lazarovitz and Hecht detailed in their presentation; other examples included abusing the "addusertogroup" API call and editing actual AWS permission policies. They explained that once elevated privileges are obtained, attackers can hide the shadow admin accounts from enterprise security teams by attaching permissions to legitimate groups and denying read access to the accounts.
Lazarovitz said there are many other scenarios where threat actors can use cloud IAM systems to elevate privileges and create shadow admins, but he stressed this isn't the fault of AWS or other cloud providers.
"I think this is totally out of the hands of the cloud providers," he told SearchSecurity. "They provide very extensive flexibility; they allow thousands and thousands of specific permissions, and that flexibility has this one drawback in that it might become hard to manage for organizations."
Hecht agreed and said being able to grant specific, granular permissions for each individual API call provides security benefits that outweigh the overall risk presented by the cloud IAM systems.
Combatting shadow admins
CyberArk offered the audience some advice on how to detect and stop shadow admins in cloud environments, starting with scanning cloud environments for privileged accounts with sensitive permissions. To that end, the company released a free, open source tool called SkyArk during the conference.
SkyArk features two models, AWStealth and AWSTrace, which are designed to discover shadow admin accounts that have been created and monitor for changes in sensitive permissions, respectively. Both tools, which are currently available on GitHub, scan AWS entities and logs using read-only access.
Lazarovitz also recommended the audience remove all unnecessary privileged accounts, regardless of who created them, and secure legitimate cloud admin accounts with multifactor authentication and other features. "AWS and other cloud platforms allow organizations to also add conditions to permission policies that restrict the usage of sensitive permissions to specific IP addresses, times and resources," he told SearchSecurity.
Luckily, CyberArk hasn't seen a lot of shadow admins in cloud environments. Lazarovitz said there have been a few incidents, such as the OneLogin breach, where threat actors obtained a set of the company's AWS keys, used them to access an AWS API with an intermediate host and then created several instances in OneLogin's environment to perform reconnaissance -- OneLogin said it detected the activity several hours after the attack started and shut down the affected keys and instances within minutes.
But Lazarovitz warned that shadow admins could be exploited by both cybercriminals and nation-state groups. "We think that shadow admins might be relevant for both opportunistic attacks like cryptomining and also APTs [advanced persistent threats] and targeted attacks," he said. "These accounts are easy to find and create, so you don't need the expertise of a nation-state group. On the other hand, shadow admins obviously provide a 'shadow' part where nation-state attackers can persist within the network and remain hidden."