LAS VEGAS — Complex attacks that exploited a SugarCRM zero-day vulnerability against AWS environments last year highlighted threat actors’ increased knowledge of cloud environments, according to new research from Palo Alto Networks.
Margaret Zimmermann, cloud incident responder for Palo Alto Networks’ Unit 42, led a Black Hat USA 2023 session Thursday titled “When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM 0-Day Vulnerability.” During the presentation, she discussed lessons learned from incident response cases that Unit 42 handled during the past year where threat actors used the SugarCRM zero-day vulnerability as an initial attack vector to gain access to AWS accounts.
The predominant lesson was that threat actors are becoming more cloud competent, as the flaw was not in AWS and could have happened with any cloud environment, Zimmermann emphasized.
SugarCRM is a CRM platform that provides software for marketing and sales teams. Attackers exploited an improper input validation remote code execution vulnerability, tracked as CVE-2023-22952, that received a CVSS score of 8.8 and affects multiple SugarCRM products.
Unattributed threat actors used the vulnerability to gain direct access to Amazon Elastic Compute Cloud (EC2) instances and then successfully compromised long-term AWS access keys that existed on the host. Using the organization’s API, attackers could find management account IDs and root email addresses.
In a preview with TechTarget Editorial prior to the session, Zimmermann described the API query as “untraditional.” She highlighted additional attack anomalies as well; for example, Unit 42 observed the attackers scanning customers’ cost and usage service, which shows whether there’s a lack of resources in an account. While the API call appeared random at first, Zimmermann determined that the service contained valuable information that could help attackers. Targeting accounts with higher total costs, for instance, could help threat actors create new resources while remaining undetected.
Attackers also created public Amazon Relational Database Service (RDS) and different EC2 instances. In some cases, they created new EC2 instances in regions that differed from the rest of the organization’s normal infrastructure.
While the threat actors were able to successfully create public RDS instances, the root logins failed. In some cases, it failed because multifactor authentication was implemented.
Adversaries are adapting to the cloud
The incident response investigations made it clear to Zimmermann that the threat actors had working knowledge of AWS and cloud environments overall. Having that level of knowledge is unusual, she said, but it shows that attackers are learning. The use of API calls to gain information without triggering threat detection alerts is one example of how they’ve adapted to the cloud.
Zimmermann also observed unusual activity related to the access keys.
“Usually, if threat actors get access keys, we see them trying to do a couple things. But we don’t see them try to exploit the permissions that they’ve gotten in AWS,” she said. “Part of it has to do with [the fact that] the cloud is a completely different set of tools and infrastructure than on-premises, so there is a bit of complexity there that threat actors have to understand.”
Host analysis further confirmed the complexity. Zimmermann said threat actors were adept at compromising on-premises systems and then jumped to AWS. Since the attacks could have occurred in any cloud environment, Zimmermann emphasized the importance of enabling certain tools.
To prevent these types of attacks, she said, security teams should focus on four key areas: access keys, identity and access management (IAM) policies, monitoring root access, and logging.
While patching CVE-2023-22952 is the No. 1 way to defend against the attack described in the Black Hat session, Zimmermann provided further remediation steps to protect the access keys. Organizations need to rotate them on a regular schedule and delete any unused keys. Restricting IAM permissions is also important.
“What we saw in these cases was the threat actors were able to do everything that they wanted to do because of the expansive permissions that AWS IAM users had. That’s another thing — you want to make sure that you’re writing very specific permissions,” she said.
Zimmermann also urged enterprises to enable different monitoring and logging services for the cloud. For AWS, she specified enabling CloudTrail and GuardDuty in all regions.
To determine if data has been exfiltrated, virtual private cloud logs are also beneficial. Log analysis, particularly for the abnormal API calls, was crucial during incident response in the SugarCRM cases. The benefits of cloud logging were also portrayed by recent cyberespionage attacks against Microsoft where a threat actor breached email accounts that included several U.S. federal agencies.
For the most part, the recommended tools are not automatically enabled for AWS users. Organizations can pull a default 90 days of CloudTrail logs for the API, and free trials might be offered for the other cloud tools.
Arielle Waldman is a Boston-based reporter covering enterprise security news.