Permission Slip Problems: How Attackers Exploit Overlooked Policies to Sneak into Your Cloud

...And 12 Cybersecurity Posts from around LinkedIn

In this Issue

Foreword | 12 Posts on Cyber | Featured Leader | From Cyngular's Founder | Afterword

Foreword

We're excited to share 12 more posts about cybersecurity from across LinkedIn. Useful content this week includes two types of privacy risks, mobile malware's impact on data security, and the urgent need for cybersecurity in healthcare.

We highlight a Featured Leader again this week.

Finally, a piece from Cyngular Security's research team on how attackers exploit gaps in resource policies to gain unauthorized access.

We're happy to send out our twenty-ninth issue, written to deliver content of value that is easily digestible.

We welcome all feedback, submissions, and input from our readers. If you have questions, submissions, or concerns, contact Rebecca Fera.

12 Posts on Cyber

Useful LinkedIn Posts This Week in Cybersecurity

The critical role of cybersecurity in shaping modern international relations was discussed by Joseph N. Mtakai

Amaka Ibeji, FIP, AIGP, CIPM, CISA, CISM, CISSP, DDN QTE underscored and shared her recent presentation deck on operationalizing AI Governance

AIT ICHOU MUSTAPHA summarized a guide on Windows hardening at different levels

Miroslaw Lerch detailed key elements to watch out for when detecting email phishing attempts

Andrey Prozorov underscored two types of privacy risks in a helpful document

7 things to know on Nmap scanning in industrial (ICS/OT) networks, discussed by Mike Holcomb

Boikokobetso Makhetloane highlighted open source intelligence in his latest Cyber Terms Monday

Shivakanth Pavan Kumar, CISSP dives into mobile malware's effect on data security

A document introducing the different types of malware was highlighted and shared by Rajneesh G.

An article titled, "Exploring the Steps of a Cyberattack" was broken down by Imane Akhamal

Richard Staynings underscored the urgent need for cybersecurity in healthcare as the industry faces a rise in cyberattacks

A paper that emphasizes the importance of integrating OT security for operational resilience and compliance within industry standards was highlighted by Samah Almotiri

Featured Leader

Hemant Daukar

Hemant Daukar honed his technical and cyber skills over a three-year span as a software specialist, becoming acquainted with the intricacies of the US healthcare system, before broadening his horizons into cyber analysis, the field in which he is currently employed as a Cyber Security Analyst at one of India's largest public sector banks. At Canara Bank, Hemant spearheads the bank's cybersecurity front line, defending against evolving threats through proactive assessments, swift incident response, and vigilant alert monitoring. Beyond his official role, Hemant has ventured into Android app development, a realm that fascinates him tremendously; he is crafting a standalone application as part of his project work for the "Diploma in Banking Technology".

In a recent post made by Hemant on LinkedIn, he shares a comprehensive guide to Identifying Web-Based Attacks Through Log Analysis. You can view the document and the full post here.

Hemant is another featured leader we are happy to share with you this week!

From Cyngular's Research Team

In cloud environments, attackers often exploit overlooked resource policies to gain unauthorized access. This blog delves into how attackers use backdoor resource policies to infiltrate cloud environments by manipulating trust policies, bucket permissions, snapshots, and other critical assets.

Understanding the Threat

In many cloud environments, attackers exploit gaps in resource policies such as IAM role trust policies, S3 bucket policies, RDS snapshot attributes, and other configurations, creating a stealthy path to access sensitive data and execute unauthorized actions. They leverage misconfigurations to add their own accounts to the policy, allowing them to assume roles and gain privileges.

What Is a Policy and What Does It Look Like?

A policy in cloud environments, and specifically in AWS, is a document that defines permissions and access controls for resources. It dictates who (user/account) has access, what actions they can perform, and on which resources. Policies are typically written in JSON format and contain elements like Effect (Allow/Deny), Action (e.g., s3:GetObject), Resource (e.g., a specific S3 bucket), and Principal (the account or user granted permissions).

In AWS, policies can be modified to grant access to other AWS accounts via the Principal field. This field specifies who is allowed access, and it can include an AWS account ID, IAM user, role, or an entire organization. By modifying a policy to add another account's ARN (Amazon Resource Name), you effectively grant that account the permissions defined in the Action and Resource fields.

For example, adding "AWS": "arn:aws:iam::123456789012:root" to a policy allows full access for that external account. Attackers exploit this mechanism to gain unauthorized access by adding their account ID into roles or bucket policies, effectively 'back-dooring' the resource.
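As an added example (not code from the article or from Cyngular), the following audit routine reads a policy document and reports every Allow principal that names an account outside an allowlist of trusted account IDs, covering the root-ARN form shown above as well as bare account IDs, role/user ARNs and the "*" wildcard. The trust policy and the account IDs are constructed placeholders, and Condition blocks are deliberately not evaluated.

```python
import json
import re

# Constructed example (not from the article): a role trust policy after an
# outside account has been appended to the Principal list; IDs are placeholders.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Deploy",
                               "arn:aws:iam::999999999999:root"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
    ],
})

# IAM/STS ARNs carry the owning account as the 12 digits after the empty region field.
ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def account_of(principal: str):
    """Account ID named by an AWS principal string: '*' for the wildcard,
    None for forms that name no account (service principals, etc.)."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):   # bare account-ID form
        return principal
    m = ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def foreign_principals(policy_json: str, trusted_accounts: set) -> list:
    """Every principal in an Allow statement that lies outside trusted_accounts.
    Condition blocks are not evaluated, so a hit means 'review', not 'exploited'."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a lone statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # "Principal": "*" means anyone
            principal = {"AWS": "*"}
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            acct = account_of(p)
            if acct is not None and acct not in trusted_accounts:
                findings.append(p)
    return findings
```

The same function applies unchanged to S3 bucket policies, since they use the same Statement/Principal layout.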

The Mechanics of the Attack

IAM Role Trust Policy Manipulation - Privilege Escalation

Attackers target IAM roles by modifying trust policies, inserting their accounts, and gaining unauthorized access. By doing so, they can assume privileged roles, bypassing traditional access controls. A role trust policy defines which entities (users, groups, or accounts) can assume an AWS IAM role. It controls who is allowed to access and use the role's permissions by specifying a Principal in the policy. This policy is distinct from the role's permissions policy, which defines what actions the role can perform; the trust policy defines who can assume the role and use those permissions.

Example Attack Flow:

  1. Gain initial access through phishing or compromised credentials.
  2. Use IAM privileges to list roles and trust policies.
  3. Modify the trust policy to include an attacker-controlled account.
  4. Assume the modified role and gain access to resources.

S3 Bucket Policy Exploitation - Exfiltration

Attackers can add unauthorized accounts to bucket policies, enabling them to read, write, or even delete data. This method is particularly dangerous for sensitive logs or backups.

Example Attack Flow:

  1. Discover misconfigured bucket policies allowing public access.
  2. Modify bucket policy to grant access to an attacker's AWS account.
  3. Retrieve, alter, or delete the data.

Snapshots and Backup Misuse

Snapshots of RDS, EBS, or other resources are often left unsecured. Attackers can copy or share these snapshots, exposing sensitive data or creating unauthorized clones.

Example Attack Flow:

  1. List available snapshots using compromised credentials.
  2. Modify the snapshot attributes, adding permissions for their account.
  3. Share or copy snapshots to an attacker's account.
  4. Restore or analyze snapshots offline.

Backdoor resource policies represent a stealthy and dangerous attack vector in cloud environments. Understanding, investigating, and mitigating such threats is essential for maintaining a secure cloud infrastructure. By adopting robust monitoring, least privilege access, and proactive investigations, you can significantly reduce your exposure to these types of attacks.
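One form the monitoring recommended above can take, as an added example that is not the article's or Cyngular's own code: a detector over CloudTrail records that alerts on the API calls behind the three attack flows (trust-policy rewrites, bucket-policy writes, and EBS/RDS snapshot sharing) and escalates when a snapshot is shared to an account outside a hypothetical trusted allowlist. The records are constructed, account IDs are placeholders, and the requestParameters field shapes are assumed to mirror the camelCased API request structure CloudTrail logs.

```python
# Constructed CloudTrail records (not real logs; account IDs are placeholders):
# an EBS snapshot shared to an outside account, an RDS snapshot shared to a
# known partner account, a trust-policy rewrite, and a benign read call.
CLOUDTRAIL_RECORDS = [
    {"eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"snapshotId": "snap-0abc", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-db", "attributeName": "restore",
                           "valuesToAdd": ["222222222222"]}},
    {"eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "AdminRole"}},
    {"eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {}},
]

# API calls that change who may use a resource; each gets at least a medium alert.
POLICY_WRITE_EVENTS = {"UpdateAssumeRolePolicy", "PutBucketPolicy",
                       "ModifySnapshotAttribute", "ModifyDBSnapshotAttribute"}


def accounts_added(record: dict) -> list:
    """Account IDs a snapshot-sharing call grants access to ('all' = public);
    empty for every other event."""
    params = record.get("requestParameters") or {}
    if record["eventName"] == "ModifySnapshotAttribute":
        items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        return [i["userId"] if "userId" in i else "all" for i in items]
    if record["eventName"] == "ModifyDBSnapshotAttribute":
        return list(params.get("valuesToAdd", []))
    return []


def detect(records: list, trusted_accounts: set) -> list:
    """One finding per policy-write event, raised to high when it names an
    account outside trusted_accounts (or makes the snapshot public)."""
    findings = []
    for rec in records:
        if rec["eventName"] not in POLICY_WRITE_EVENTS:
            continue
        outside = [a for a in accounts_added(rec) if a not in trusted_accounts]
        findings.append({"event": rec["eventName"], "actor": rec["userIdentity"]["arn"],
                         "severity": "high" if outside else "medium",
                         "outside_accounts": outside})
    return findings
```

Policy-document writes (UpdateAssumeRolePolicy, PutBucketPolicy) are flagged for review by event name alone here; the new document's principals would be checked by a policy audit step.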

Visit Our Website to See the Solution

Afterword

That's all for this week's newsletter. Our next issue will include another piece from Cyngular's Founder, a Featured Leader, and a new batch of 12 useful posts. Connect with us if you have anything to submit for our next issue or want to know more about Cyngular.

Notice:

The posts in this issue reflect the views only of the individual LinkedIn users and do not reflect the views of Cyngular Security, its employees, or any other entities. The links shared in this issue were written by LinkedIn users and do not constitute an endorsement of Cyngular Security, any other entities, or this newsletter by those users, entities, or the "Featured Leader."

Reach out to Rebecca Fera if you have any concerns about CISO Signal.


Amaka Ibeji, FIP, AIGP, CIPM, CISA, CISM, CISSP, DDN QTE

Digital Trust Leader | Enabling Responsible Data Use | Privacy Engineering, AI Governance, Leadership & Security [PALS]| Keynote Speaker | Board Ready | Career Coach | AI Governance Faculty Member @IAPP

1 month

Insightful piece. Thank you for the mention and for amplifying my work.

AIT ICHOU MUSTAPHA

+14K Followers | Cybersecurity Analyst | Blue Team Specialist | Threat Hunting | Malware Researcher and Analyst | Community Manager @SOC4M

1 month

Thank you for the mention Cyngular Security

Hemant Daukar

Cybersecurity Expert | SOC (SIEM) Specialist | Network Behavior Analyst | ARBOR | DLP | Passionate about safeguarding digital realms. Content Creator @ YouTube #CyberSecurity #TechSupport |

1 month

Thank you for the mention
