
It is really great to be here. This is personally my favorite conference every year. I just love BSides Augusta. Hey, I don't know about you all, but I have seen an amazing number of talks today. I have not seen a single talk where I didn't go, "Oh, that's new data. Wrote that down. I've got to go do some more digging on that." So please, please, please, when you see all the volunteers around in all the BSides shirts, etc., thank them. They have worked their tails off to make this happen. You know, especially after our little hurricane incident last year, a lot of stuff had to be
redone. So they do this out of a love of our industry and for us, not making any money off of it. So please do thank them. All right. So, I'm going to talk today. My official title here is Scattered Spider, but this is less about Scattered Spider, it certainly includes them, but more really about how the adversaries are moving to the cloud. I'm seeing, and in talking to a bunch of my peers, seeing folks struggling with: how do I do detection natively in the cloud? How do I find them? And that's really what I want to focus on: giving everybody just some good information on how
we're seeing these cloud breaches happen. And they're ramping up. They're going faster and faster and faster. And so my real objective is to hopefully arm you a little bit on that. Of course, Scattered Spider, if you're not familiar with them, shame on you. Go do some Googling and research. They have become prevalent. But like I said, it's not just about Scattered Spider. Scattered Spider has demonstrated how utterly ineffective a lot of our defenses can be against simple social engineering attacks. And I'll give you some specific examples, because I like to use real-world cases on this. So earlier this year, it wasn't Scattered Spider. I'm
confident it wasn't, but it looked just like their techniques. So about 10:00 a.m. in the morning, the HR help desk at this organization gets a call and says, "Hey, I'm locked out. I need my employee ID." And they had enough data, including the full Social, for an executive at this particular organization. So the HR person goes, "Okay, yep, you've done the validation." They gave the employee ID, hung up, called the help desk. Now that they're armed with the employee ID, which was the other piece of data they needed for the validation for the help desk, they got the password reset and the MFA reset so they could reestablish both of them from scratch. Logged into that
Office 365 instance, then proceeded, and this is what this particular actor did and why I'm pretty confident it wasn't Scattered Spider, they went straight for the HR system and they changed the direct deposit bank account for the executive's pay to one that they control. Hung up, called back, did the same thing for another executive. I know, right? So unfortunately for this particular organization, all of their controls were completely ineffective. Now that one's not specifically cloud-based. There was a lot of cloud piece in it, but a lot of what I'll talk about today was not part of that particular one. But that's the kind of thing that we've seen a dramatic uptick in, and a lot of that
really comes down to tightening up our policies and how we do this. So let's talk about the different components. Specifically, I'm going to be mostly focused around cloud, because that's where I'm finding, in talking to friends and peers, that we've got a lot of gaps, right? So we've got everything from accounts to cloud infrastructures. I'm sure all of you are familiar with initial access brokers and the rise with them, right? There's a lot of clear evidence that Scattered Spider is making money on the side as an initial access broker: they'll get a lot of this via the social engineering, then turn around and sell these accesses to organizations rather than do it
themselves. So you can see there's a bunch of examples. A bunch of the talks, starting with Dr. or this morning, have talked about several of these, right? And then we move to persistence in the cloud, right? We're seeing them using cloud native, and I'm going to do some demos to actually see a bunch of this. They're focusing, hopefully no surprise to anybody here, on identity, because identity is of course everything in the cloud, and they're looking to get that one foothold and then use some techniques that I'm going to demonstrate here in a minute to gain, ultimately, they're trying to get to the
control plane, if the cloud instance is configured with a control plane, or if not, just a simple cloud admin credential so that they can take over. You can see several of their tools, right? A lot of the standard stuff that I'm sure you've seen, like the NES, TeamViewer, etc. A lot of the stuff we're seeing is direct console stuff, and I'll lay that out here in a minute, where they're trying as quickly as possible to get to the AWS console, Azure console, etc. in order to be able to pipe commands directly. Then they're doing a variety of credential dumping. The credential access is mostly on local systems. So think about the keynote this morning
where he talked about the supply chain and targeting of the developers. That's a huge focus for the folks who are interested in going after our cloud instances, because of course they've got a lot of keys set up for pushing to the cloud for a lot of the pipelines that they're using, etc. So that's a huge focus on the credential area for them to use to go after this cloud access. And then of course we've seen a huge explosion in ransomware deployment in the cloud. So we had a big case early this year, February time frame. You know, they pivoted into the local organization. They were able to get AWS cloud credentials for the
organization, got up into AWS cloud. They're using just simple AWS native commands. So, you know, s3 cp to copy the S3 buckets out into their own control, or using SSH reverse tunnels to pipe into the consoles and such. So, again, I'll show all of that, with the intent of standard ransomware, but in the cloud. In the cloud, it's a lot easier and faster typically for them. And so, as you might imagine, you know, even a year ago, I was just being asked to help with different situations. Cloud instances were mostly smash and grabs, right? They'd get access, they'd hit and pull out whatever data they could, or they'd do crypto mining, right?
Cryptocurrency mining on the platform. Just some simple things like that. That has very much evolved over the past year-plus, where they're getting much more sophisticated and being cloud-native. In particular, if your cloud is configured, and it should be, with a control plane architecture, you've got to be hyper-mindful of what's going on, who's got access, what are your blast radiuses for your identities, and, as you'll see, some of the groups that we use for that. Okay. And I will do questions. So, why cloud? You know, I get asked this a fair bit. And more specifically, what are they doing in cloud? Of course, they're doing data theft and extortion around that data theft. They're doing
ransomware in the cloud; it has become extremely common, again with extortion intent. Another thing we've seen a huge uptick in is staging. So, one of the simple things that has taken off in the last few years is the dangling DNS problem. So what I mean by that is: you've got your engineering teams, you're building your pipelines to push your code to cloud, right? And then you scale some of that back. Well, your pipeline automatically provisioned a DNS record on your company's domain pointing to a particular IP address. Now you scale back, the cloud provider recovers that IP address, but you don't get rid of the DNS entry. So when you do a reverse lookup on this IP,
it's going to the IP with your company's domain, or the company that owns it, even though it's now under the control of a threat actor. So there's a lot of scanning for that, because a lot of the reputational stuff for things like spamming and other things is tied to domain reputation. So this staging, using our infrastructure to attack others, has really started to ramp up a lot, and I expect it to grow a lot more as we go. Of course, compute resources. A lot of this initially was just cryptocurrency mining. That has expanded greatly beyond just cryptocurrency mining, for building models in your compute infrastructure so that they can use your compute, for
instance. And of course, as was called out earlier, supply chain attacks via credentials, etc. have just become really prevalent. So the plane itself, right, the control plane in cloud, should be your governance layer, right? And so it's attractive for your engineering teams and infrastructure teams because of course it's central management for the cloud. Well, that also means it's central management for the threat actors if they gain access to it. So you really want to treat your control planes in cloud as critical infrastructure for your organization from a defense perspective. Right? Everybody still with me? I know it's mid-afternoon. Trying to keep the energy up so folks aren't nodding off. All right. So here's an example of
a representative attack. Might be a little too small to see. So, you know, we've got Scattered Spider, or one of the similar folks, SMS phishing, SIM swapping. I'm sure you all are seeing a huge uptick in the SMS phishing as an initial vehicle, since with a lot of the BYOD devices we don't have any way of having visibility as defenders to what's going to our folks. That gets them into, you know, some sort of cloud-level access, usually not admin out of the gate, usually even a low-level access. But as I run a demo here in a second, you'll see how they parlay that into a deeper access. They do a recon, get to
the serial console, and then run something like this one, right? Where we've got a process event that's using a reverse shell, right, piped out to the attacker C2 infrastructure, right? Super simple. It's worked for decades at this point, at least. Works in the cloud just as well as it works in our local environments. And of course then they get RDP and various other things and go on to have all of their fun. So that's often what the sequence is: some sort of initial credential theft which then gets parlayed into higher-level credentials so that they can leverage it. So this is a really nice breakdown we found on, you know, kind of some of the
different attacks at the different layers. Of course, for today I'm focusing primarily on the infrastructure-as-a-service layer, right? The cloud layer. But I include this larger slide because it's important for us to understand that even though the threat actors are focusing very much on the cloud native, and that's an area where we need to dramatically improve our defenses, it by no means is the whole story, right? For those of you who've attended a lot of my talks, you know I'm a huge fan of creating an attacker's dilemma, where we're building an environment where we just need to catch them somewhere in this larger attack stream and break that chain before they
complete their objective. Right? And so that's why I included that. But for purposes of today I really want to drill into the cloud layer, right? And these are some of the techniques that we're seeing and some of the hunts that we're using to go look for indications of compromise in these cloud environments, right? So of course, for attackers we've got things like the AWS Management Console, S3 browser, CloudShell; all of those have a ton of information on what exists in this environment, right? Of course, S3, if you're in AWS, is going to tend to be where a lot of your critical data is going to be sitting that they can potentially exfiltrate.
And it's super easy to copy. If they get in, you know, it's just an s3 cp command to copy that out to whatever destination they want. They can do enumeration via things like the billing console and the Systems Manager interface in AWS. Of course, they're going for credential harvesting and takeover. Credential harvesting: they'll look at the CI/CD pipeline that runs in the cloud. Do you have any embedded credentials in environment variables and scripts? Things like that are a great place for that, right? Your AWS API keys and such will often be accessible if they get into that. So all of those are direct vehicles that they
can extract to go against us. We've got instance profile replacement, right? They can go in, you've got a running instance in your cloud, they can configure the profile on that to replace it with credentials that allow takeover, other things. I'm sure you're not surprised. They're going to often disable GuardDuty and stop your logging right from your AWS cloud. S3 data theft we've talked about, and of course EC2 takeover. So, how do we look for all of that? Well, here are some examples of hunts to look for possible indications that we've got either, one, a problem of an existing compromise, or, just as importantly, do we have a situation where the environment
is ripe for this kind of an incursion if they get some level of access to the system. Okay. So, let's run a little demo here to actually show this in action. I'm going to pause it because we're going to come back in a little bit and I'm going to talk about defense on this. All right. So, in this particular demo, we've got a CloudShell into AWS open.
We see that, make sure, right, looking for "who am I" essentially, right, to see what level of access we've got in this particular environment at the moment.
Then we use a simple command to list out all of our roles.
Scroll through those. What we're looking for here, what the threat actor is looking for, are roles that are assumable. Sorry, I should hold the microphone up better. All right. So, he finds a role there that's assumable, then can issue a single command and take on that role, add it to my existing, i.e., cloud-native privilege escalation. Right? So, we'll come back to that in a minute. Let's talk about how do we prevent that? So okay, now I've been talking about the bad. How do we talk about the good? As you all know, I never want to leave without giving you some ability to defend yourself better. Well, of course, this is why it's a little
harder to do cloud-native detection and response than it is in the infrastructure. Right? We've got all sorts of levels of groups that are going on depending on the architecture. Often different engineering teams have their own instances within our larger cloud instance that isn't closely regulated. Right? Just the fact that these workloads are dynamic in most cases is problematic, because they're spinning up, they're spinning down. Depending on how your logging is configured, there can be a lot of logs to parse through, right? And so then the bottom line is, from the attacker's perspective, why this ends up being so attractive for them is the majority of us are still relying on EDR/
XDR for most of our detection. So what do I mean by that? Well, we are in AWS, we're in Azure, we stand up a bunch of virtual machines, and what do we do? We deploy EDR XYZ to those machines. Well, when they're issuing control plane, you know, CloudShell natively, none of that is seen by our EDR/XDR, right? That's only going in your CloudTrail logs, and only if you've got your CloudTrail configured appropriately, right? So, as most of you know, and full disclosure, oh, did we lose it? Oh, just the one screen, I guess. I'm an adviser for Acalvio. Acalvio has done a lot of this research and their work on how do we defend this?
And so full disclosure there, but I think most of you know I won't associate with an organization I don't believe in. And so, as you've seen in probably some of my talks, I'm a huge proponent of honey tokens. Our front monitors are cutting in and out. There they go. So what do we do in cloud? Well, we can do deceptive IAM users, roles, and service principals, right? We can add IAM stores that are again deception-based, right? What's going on? They're blinking in and out. Thank you. I'll look at the back side. We can also do workload-based, right, inside of our workloads. Of course, we can use the same sorts of deception
that we would use within our on-prem environment, you know, in terms of honey token accounts, keys, secrets, so on and so forth. All of this scales really well to the cloud. So then the way that plays out in terms of the activity is
I'll pause. See if we get it back. There we go. It's blinking on my screen as well. So the way this plays out is, think about that demo that I just did, right? They're in: who am I? List my own credentials. I list the locally provisioned groups, scroll through those looking for, ideally, something that's got an admin role of some sort, right? And essentially enumerate. Well, of course, if we provision deceptive tokens on accounts, deceptive workloads, etc., then all we need is the adversary to hit one of ours and we're off to the races. Right. So again, we subvert. We've got the token. Boom. Our
SOC knows we've got a problem in the cloud and can chase after it. So let's go back to the demo here,
pick up where we left off. So it lists out the different credentials. We're now parsing through those. Notice the action AssumeRole in here that allows us to do this; these are commonly used for services like backups and other sorts of services that need to run in cloud in order to gain access. So now the user is trying to attach to one of those existing policies, then retrieves the update on it. But in this case we've created a deceptive identity and access management role. So now when they go ahead and attempt to assume it here, of course, what that does, since it's not a real role and is set up, they get a failure to execute and we get an
alert back in our SOC that we've got a problem, right? Because people scraping around for these roles just to look for these isn't something that should be happening in our workloads, right? And so it's a super simple approach. And just to be clear, you don't need to have an Acalvio for this. You know, there's other approaches to this. The key: you can do this in your workloads manually. It just is a lot of maintenance, which is, you know, why having a commercial product can really be helpful in this. So keys here, if you want to go down this path, you want to think about that
they've got to be realistic, they've got to be enticing, of course. Think about the identities they're looking for and focus in on those. And of course, like everything else, what we're looking to do is defense in depth, right? This by no means, you know, says that we shouldn't have, you know, our CSPM or ASPM, you know, all of the segmentation, etc. As you might imagine from my years at Mandiant, I'm a believer that prevention ultimately fails and we've got to be ready to intervene when it fails. I very much look at prevention as a bar. The higher our prevention, the higher our bar, the fewer bad guys that get over it.
But we've got to know when those bad guys get over it, right? And that's essentially what we're trying to do here: how do we get through all of that noise in the cloud and get to those sorts of things. So I am supposed to give out three giveaways here and then we'll open up for Q&A. What's one of the alternate designations people refer to Scattered Spider by? I saw that hand first. I'm sorry, can't quite hear you. >> Yes. All right. Nice job. Cuckoo's Egg by Cliff Stoll. All right. We also have Practical Linux Forensics. What does the S3 bucket copy command look
like from CloudShell? cp? Exactly. They made it kind of familiar to Linux for a reason. Nice job. And last but not least, we have a wireless USB-C adapter to give away. Let's see, what's another good question.
I'll hold on that for a minute. Let's open up for Q&A. Questions? Yes, sir.
>> Correct. I mean, that's part of what makes this challenging, right? But a normal user is going to log in, do whatever they're going to do. They're not going to be doing things like looking at all of the groups and all of that recon. It's a lot of that recon that we want to build our detection around, because that's not normal activity, right? Not that it won't ever happen, of course, with some of our engineering teams, but it's definitely a tell for it. You know, some of the earlier talks, like Steph's talk earlier this afternoon, right, where she was talking about some of the very specific things the threat actors do, those are all still valuable in cloud
context as well. The problem is a lot of that happens at the host layers if you're running virtual machines in cloud, instead of at the control plane layer. And so the key here is you want to go look at what's going on on your control plane layers and make sure you've got some robust detection around that. I saw another hand, I thought, over this way. Other questions?
>> Sure. Go for it. >> Yes. Yeah. Yeah.
>> Yeah. >> Yeah. Yeah. Yeah. Yeah. No. So, his question is, well, all right. So, we've got a threat actor. The threat actor gains access to our account. They've heard about things like honey accounts, and so they're nervous about picking the right one. They could go look at the logs and look for lack of activity in the logs. Absolutely. Except they'll need admin to do that, or at least if we've configured correctly, and if they've got admin then they don't really need to do that already. So it's a chicken-and-egg problem for them, on one thing. Two, your more sophisticated, you know, platforms are putting a lot of energy into making these look realistic, right?
Like you don't want to just put these things out there statically and then call it good. You know, you want them to be changing up, etc. Ideally you want a platform that's looking at your existing, you know, so as your engineering teams deploy new infrastructure to cloud, they're going, "Oh, well, they're using these patterns, so we should add these groups," etc. That's really where the magic happens, in my perspective, right? And why I am so kind of passionate about this approach is because, you know, my last tour of duty at Mandiant was as their chief security officer, and as you might imagine Mandiant's got a few folks who
don't like them very much. I think it's fair to say Russia and China in particular have a bit of angst for them, right? And zero-days are just what they are, right? There's a lot of indications that China, when they pulled back there for a while and retooled, a lot of effort was put on zero-days. We've seen a lot of zero-days coming out of what looks to be Chinese activity, right? And so that means they're going to get a foothold, but we don't need to lose then, right? And we need to focus on the needs of the attacker, right? That's how I ultimately approach any of this. All
right, well, what does the attacker need? They need connectivity. They need either access credentials or exploits to move around, right? And they need to get to wherever they're going that's got the data that they're looking for, right? So those needs are universal. So I would start in cloud with: all right, how would a threat actor, what did they need in order to move around within my cloud environment, right? Start with that with your engineering teams, you know, whether you're GCP, Azure, AWS, all three, or the bajillion other clouds, but those are obviously our primaries. They will all have unique aspects based upon the configuration, on how your clouds are
configured. And so you're going to want to partner with them. And that's also why I included the threat hunting stuff: that's a really good way to kind of get an idea on where your exposure, for want of a better word, is in cloud in terms of those accesses. And some of the tooling, like your Wiz and other CSPMs, right, can help with that as well, you know, with the blast radius and some of the other stuff. Attack path mapping, etc. Those are all really useful complements to this for where do I want to poison that potential attack path for the threat actor.
>> Yes, sir.
>> Delete imitations. Because what you'll find is often they will create additional accounts and other groups and other things for themselves, and then they want to get rid of the record of all of that creation, right? They want to create persistence in these environments like they would anywhere else. >> Yes, sir.
So, let me recap your question, make sure I'm catching it right. So AWS has a specific role designed for isolating identities that have been compromised. I would always go out and look and see what that identity's done in addition to assigning it that role, for sure. Right? You know, if you know that identity has been compromised, then I would look at things like, well, what other identities and groups is it a member of, does it have access to any kind of CloudTrail logging around use of that identity. You know, a lot of the more interesting incidents I've seen have involved not just direct
access to the credentials, as in, what I'm trying to articulate here not very well, think not just logging in directly with these credentials. Say you're running application X and it turns out application X has some sort of a vulnerability that they can take advantage of to gain access to the instance that that application is running as, right? Then being able to chain that into running additional instances, etc. So the use of identity shouldn't be thought of in cloud, from my perspective, as just direct interaction but also inferred interaction through essentially supply chain challenges as well, if that makes sense. Absolutely. Any other questions? All right, we've got one more giveaway.
Any idea on questions we should ask for this last one? I'm brain blanking on a question. >> All right, great. What's my favorite color? I'll go.
>> Green. I heard a green. That was the first green I heard. Green is my favorite color. >> All right. Thank you so much, team. >> Hey, thank you everybody for attending. They miss. >> Well deserved. Well deserved. >> Thank you very much.
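The demo chain the talk walked through (who am I, list roles, AssumeRole against a planted decoy role) and the CloudTrail-side detection the speaker describes, as an added example that is not part of the talk or of any vendor's product. The account ID, ARNs, decoy role list, thresholds and log records are all constructed for the example.

```python
"""CloudTrail detections for the control-plane recon and decoy-role touches
discussed in the talk. Account ID, ARNs and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Planted (honey) roles. Nothing legitimate should ever reference them.
DECOY_ROLE_ARNS = {                                     # placeholder ARNs
    "arn:aws:iam::111111111111:role/backup-admin-prod",
    "arn:aws:iam::111111111111:role/terraform-deployer",
}
# Read-only calls an intruder issues from CloudShell to learn who they are and
# which roles look assumable. Real users rarely chain several within minutes.
RECON_EVENTS = {
    "GetCallerIdentity", "ListRoles", "ListUsers", "ListPolicies", "GetRole",
    "ListAttachedRolePolicies", "ListAccessKeys", "ListBuckets",
}
# Calls that blind the defender (stopping CloudTrail, disabling GuardDuty).
DEFENSE_EVASION_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors",
                          "DeleteDetector", "UpdateDetector"}


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records, window=timedelta(minutes=10), recon_threshold=3):
    """Return alert dicts, in time order, for three behaviours:
    decoy_role_touched - any AssumeRole naming a planted role (denied or not);
    iam_recon_burst    - >= recon_threshold distinct recon calls by one principal
                         inside a sliding window (reported once per principal);
    defense_evasion    - logging/GuardDuty tampering."""
    alerts, recent = [], defaultdict(list)   # recent: principal -> [(time, call)]
    flagged_recon = set()
    for rec in sorted(records, key=_ts):
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        name, now = rec["eventName"], _ts(rec)
        if name == "AssumeRole":
            target = rec.get("requestParameters", {}).get("roleArn")
            if target in DECOY_ROLE_ARNS:
                alerts.append({"type": "decoy_role_touched", "actor": actor,
                               "role": target, "error": rec.get("errorCode")})
        if name in DEFENSE_EVASION_EVENTS:
            alerts.append({"type": "defense_evasion", "actor": actor, "event": name})
        if name in RECON_EVENTS and actor not in flagged_recon:
            seen = recent[actor]
            seen.append((now, name))
            while now - seen[0][0] > window:        # expire calls outside the window
                seen.pop(0)
            distinct = sorted({call for _, call in seen})
            if len(distinct) >= recon_threshold:
                flagged_recon.add(actor)
                alerts.append({"type": "iam_recon_burst", "actor": actor,
                               "calls": distinct})
    return alerts


# Constructed sample: a phished low-privilege user enumerates from CloudShell,
# then tries the decoy role and is denied; a CI user lists buckets once.
_JDOE = {"arn": "arn:aws:iam::111111111111:user/jdoe"}
SAMPLE_RECORDS = [
    {"eventTime": "2025-09-20T14:01:05Z", "eventName": "GetCallerIdentity",
     "userIdentity": _JDOE},
    {"eventTime": "2025-09-20T14:01:40Z", "eventName": "ListRoles",
     "userIdentity": _JDOE},
    {"eventTime": "2025-09-20T14:02:10Z", "eventName": "GetRole",
     "userIdentity": _JDOE, "requestParameters": {"roleName": "backup-admin-prod"}},
    {"eventTime": "2025-09-20T14:03:00Z", "eventName": "AssumeRole",
     "userIdentity": _JDOE, "errorCode": "AccessDenied",
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/backup-admin-prod"}},
    {"eventTime": "2025-09-20T14:05:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The decoy alert fires on the attempt itself, so it works whether the decoy role's trust policy denies the call or the role is simply never used by anything real; tune the recon window and threshold against your own engineering teams' baseline before paging the SOC on it.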