In the SANS 2019 Cloud Security Survey, 56% of respondents stated their primary concern with the cloud was unauthorized access to their data by outsiders. Of the 10.5% that actually experienced attacks, 49% indicated that account and credential hijacking were to blame, and another 38% indicated that privileged user abuse was involved.
These statistics show that cloud attacks are often tied to credential and privilege abuse: once attackers have a foothold, they try to escalate their privileges wherever possible to reach sensitive data or perform other malicious actions. Unfortunately, there are many ways to accomplish privilege escalation in the cloud today.
How privilege escalation in the cloud can happen
Privilege escalation in the cloud can occur in several ways. Here are three examples.
Misconfiguration of identity and access management (IAM) policies
One of the most common tactics an attacker can use to escalate privileges in cloud environments is to abuse overly permissive identity and access policies granted to cloud users and services. In June 2018, security researchers at Rhino Security Labs published a long list of privilege escalation techniques for AWS IAM users. These techniques involve creating and manipulating policy versions, changing user and group memberships, manipulating AWS Lambda function code and configuration, passing privileged roles to new EC2 instances, Lambda functions and DevOps tooling that may be in use, and more. The common thread is that a single overly broad permission, or a small combination of them, lets a low-privilege principal grant itself more rights.
The same overly permissive policies may also be applied directly to cloud storage buckets and other objects. The team at Detectify showed this for Amazon S3 buckets in 2017, and the Rhino Security Labs team described similar permission configuration issues with Google Cloud Platform buckets. In both cases, a low-privilege or even anonymous user gains the ability to read or modify bucket objects and, in some configurations, to alter or replace the bucket policy itself with one that is less restrictive.
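The following is an added example, not code from the page or from Rhino Security Labs: a small checker that reads an IAM policy document and reports which of the well-known escalation paths (policy version manipulation, user and group policy changes, key creation, passing a role to Lambda or EC2, editing Lambda code) its Allow statements enable. It is the kind of audit the prevention section below recommends. The three policy documents are constructed for illustration; the list of escalation paths is not exhaustive, and Resource and Condition elements are deliberately ignored, so a hit means "worth a closer look" rather than a proven path.

```python
"""Added example: flag IAM policy statements that grant known
privilege-escalation primitives. Illustrative code, not the page's or
Rhino Security Labs' tooling; the policy documents below are constructed."""
import fnmatch

# Permission combinations that let a principal grant itself more rights.
# Each entry: (description, tuple of actions that must ALL be granted).
# Drawn from the well-known IAM escalation paths; not an exhaustive list.
ESCALATION_PATHS = [
    ("create a new version of an attached managed policy", ("iam:CreatePolicyVersion",)),
    ("switch the default version of a managed policy", ("iam:SetDefaultPolicyVersion",)),
    ("attach a managed policy to a user", ("iam:AttachUserPolicy",)),
    ("put an inline policy on a user", ("iam:PutUserPolicy",)),
    ("add a user to a more privileged group", ("iam:AddUserToGroup",)),
    ("create access keys for another user", ("iam:CreateAccessKey",)),
    ("rewrite a role's trust policy and assume it", ("iam:UpdateAssumeRolePolicy", "sts:AssumeRole")),
    ("pass a privileged role to a new Lambda function",
     ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")),
    ("pass a privileged role to a new EC2 instance", ("iam:PassRole", "ec2:RunInstances")),
    ("replace the code of a Lambda function that already has a role", ("lambda:UpdateFunctionCode",)),
]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_actions(policy):
    """Split a policy document into its Allow and Deny action patterns.
    Resource and Condition elements are ignored, so a hit means
    'worth a closer look', not a proven escalation path."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.update(_as_list(stmt.get("Action")))
    return allow, deny


def _matches(action, patterns):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_escalation_paths(policy):
    """Return the descriptions of every escalation path the policy enables.
    An explicit Deny wins over Allow, as in IAM evaluation."""
    allow, deny = policy_actions(policy)

    def granted(action):
        return _matches(action, allow) and not _matches(action, deny)

    return [desc for desc, needed in ESCALATION_PATHS if all(granted(a) for a in needed)]


# Constructed sample policies (not from any real account).
DEV_POLICY = {  # "developers need to manage Lambda", written too broadly
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
    ],
}

READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
}

IAM_ADMIN_WITH_DENY = {  # an explicit Deny removes one path but leaves the rest
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("DEV_POLICY", DEV_POLICY), ("READONLY_POLICY", READONLY_POLICY),
                      ("IAM_ADMIN_WITH_DENY", IAM_ADMIN_WITH_DENY)]:
        print(name, find_escalation_paths(doc) or "no known escalation path")
```

Run against the constructed documents, DEV_POLICY trips two paths because `lambda:*` plus `iam:PassRole` lets the holder create a function running under any passable role, and READONLY_POLICY trips none. A real audit would feed in every customer-managed and inline policy pulled from the account and then check the Resource and Condition elements on each hit by hand.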
Manipulation of APIs
Cloud service environments expose many APIs that can be abused to escalate privileges. One example is the AWS EC2 instance metadata service, a link-local HTTP endpoint that any process on a running instance can query. If the instance has an IAM role attached, the metadata service hands out that role's temporary credentials, so an attacker who gains code execution on the instance can run AWS Command Line Interface commands in the context of that role and potentially perform actions against other AWS services.
For example, an attacker could use the compromised EC2 instance's role to read objects in S3 or data in the Relational Database Service, among many other services. The same pattern applies to APIs exposed by container orchestration platforms and other cloud services.
In 2018, security firm RedLock discovered that the automotive company Tesla had left a Kubernetes administration console exposed to the internet without authentication, which enabled attackers to create new containers and use them for cryptocurrency mining.
Cloud provider vulnerabilities
While not the most prevalent tactic for privilege escalation in the cloud, there have been cloud provider vulnerabilities that could enable an attacker to assume additional roles and administrative privileges. In 2017, Microsoft patched a flaw in its Azure AD Connect synchronization tool that could enable an Azure administrator to reset any on-premises Active Directory user's password to a value they know and then hijack that account. Another Azure AD Connect flaw announced in May 2019 could enable an authenticated attacker to run PowerShell cmdlets in the context of a privileged account and perform privileged actions as well.
How to prevent privilege escalation in the cloud
Organizations can take a number of steps to help prevent privilege escalation attacks against their cloud environments. First, track vulnerability announcements from providers that may require an emergency patch to close flaws that could elevate privileges for attackers and insiders. This should fall under the vulnerability management program already in place.
Next, perform regular audits of all IAM policies and roles defined within the cloud service environments in use. Rhino Security Labs released a penetration testing tool called aws_escalate that can be run against your AWS environment to find out whether any policy settings could enable privilege escalation. Scanning tools from third-party providers, such as RedLock (now owned by Palo Alto Networks), CloudCheckr and others, can also be used to scan cloud configurations for issues, as can cloud-native tools such as AWS Trusted Advisor or Azure Security Center.
Finally, scan the environment for exposed APIs using traditional network scanners and internet-wide search services such as Shodan, and monitor cloud environments for suspicious network traffic or user activity, including cloud API calls made with credentials that should only ever be used from inside your own network.
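The following is an added example, not code from the page or any vendor, that ties the monitoring step above to the metadata service abuse described earlier. When an EC2 instance calls AWS with credentials obtained from the metadata service, CloudTrail records an assumed-role session whose session name is the instance ID, so a role session named after an instance but arriving from an address outside the account's own networks is a strong sign those credentials were stolen. The CloudTrail records, role and instance names, and address ranges below are constructed for illustration.

```python
"""Added example: spot EC2 instance-role credentials being used from
outside the network the instance lives in, which is what stolen
metadata-service credentials look like in CloudTrail. Illustrative code,
not from the page or any vendor; the events and address ranges are constructed."""
import ipaddress
import re

# Constructed: address ranges this account legitimately calls AWS from
# (the VPC CIDR and the NAT gateway's public IP).
KNOWN_SOURCES = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("203.0.113.10/32")]

# For metadata-service credentials CloudTrail records an assumed-role
# session whose session name is the instance ID, e.g.
# arn:aws:sts::<account>:assumed-role/WebServerRole/i-0abc12345def67890
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")


def instance_session(event):
    """Return (role, instance_id) for an instance-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = INSTANCE_SESSION.search(ident.get("arn", ""))
    return (m.group(1), m.group(2)) if m else None


def source_is_known(source, known):
    """True if sourceIPAddress falls inside a known range. Non-IP sources
    such as 'lambda.amazonaws.com' are AWS services calling on the
    principal's behalf and are not treated as a stolen-key sign here."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in known)


def find_stolen_instance_credentials(events, known=KNOWN_SOURCES):
    """Return every instance-role call that came from an unknown address."""
    hits = []
    for ev in events:
        session = instance_session(ev)
        if session is None or source_is_known(ev.get("sourceIPAddress", ""), known):
            continue
        role, instance = session
        hits.append({"instance": instance, "role": role,
                     "sourceIPAddress": ev["sourceIPAddress"],
                     "eventName": ev["eventName"]})
    return hits


# Constructed CloudTrail records, trimmed to the fields used above.
INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc12345def67890"
SAMPLE_EVENTS = [
    {"eventTime": "2019-08-01T10:00:01Z", "eventName": "GetObject",
     "sourceIPAddress": "10.20.1.15",  # the instance itself, inside the VPC
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2019-08-01T10:02:40Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",  # same role session, foreign address
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2019-08-01T10:02:44Z", "eventName": "ListAttachedRolePolicies",
     "sourceIPAddress": "198.51.100.77",  # recon for the next escalation step
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2019-08-01T10:03:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",  # an IAM user, not an instance role
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2019-08-01T10:03:30Z", "eventName": "GetObject",
     "sourceIPAddress": "lambda.amazonaws.com",  # service principal, session not an instance
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ImageResizerRole/image-resizer"}},
]

if __name__ == "__main__":
    for hit in find_stolen_instance_credentials(SAMPLE_EVENTS):
        print(f"{hit['role']} session for {hit['instance']} used from "
              f"{hit['sourceIPAddress']}: {hit['eventName']}")
```

On the constructed records only the two calls from 198.51.100.77 are reported. The check has a blind spot worth stating: an attacker who runs the AWS CLI on the compromised instance itself appears from the instance's own address, so pair it with host-level monitoring, keep instance roles to the minimum permissions the workload needs, and, where instances support it, require the token-based IMDSv2 so that simple request-forgery bugs cannot read the credentials.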