3.6 Attacks & exploits: Cloud attacks Flashcards

1
Q

Attacking the Cloud: what are the ways to attack the cloud (4)?

A
  • Malware Injection Attack
  • Side-Channel Attack
  • Direct-To-Origin (D2O) Attack
  • Denial of Service (DoS) Attack
2
Q

Attacking the Cloud: explain Malware Injection Attack

A

▪ Attempts to add an infected service implementation module to the cloud service
▪ The attacker is attempting to insert malicious code into a cloud service or server

3
Q

Attacking the Cloud: explain Side-Channel Attack and how to prevent it (3)

A

▪ Aims to measure or exploit the indirect effects of a system instead of targeting the code or program directly
▪ Prevention:
● Data encryption
● Multi-factor authentication
● Routine monitoring and auditing

4
Q

Attacking the Cloud: explain Direct-To-Origin (D2O) Attack and explain step-by-step how it happens (3)

A

▪ Attempts to bypass reverse proxies to directly attack the original network or IP address of the cloud-based server:
1- The attacker launches the attack at the reverse proxy, which forwards it to the origin server
2- The reverse proxy discloses

5
Q

Attacking the Cloud: explain Denial of Service (DoS) Attack and Resource Exhaustion Techniques

A

Used to attack any protocol, device, operating system, or service to try to disrupt the services it provides to its users.
Resource Exhaustion Techniques:
● Amplification/Volumetric Attack: Used to saturate the bandwidth of a given network resource
● Fragmentation of Requests: Sending multiple fragmented HTTP requests to a server

6
Q

Attacking the Cloud: what are the other DoS attacks (6)?

A

● Packet flood
● SYN flood
● HTTP flood
● DNS flood
● DNS amplification
● NTP amplification

7
Q

Credential Harvesting: what is it?

A

Any attack designed to steal usernames and passwords

8
Q

Credential Harvesting: list the different ways to harvest credentials (3)

A

▪ Account Takeover
▪ Privilege Escalation
▪ Vulnerabilities to Exploit

9
Q

Credential Harvesting: what is the Account Takeover type of credential harvesting? Is it easily detected?

A

▪ Attackers silently embed themselves within an organization to slowly gain additional access or infiltrate new organizations
▪ Account takeovers are very hard to detect

10
Q

Credential Harvesting: what is the Privilege Escalation type of credential harvesting? Name the 2 types of privilege escalation.

A

Occurs when an attacker gains the rights of another user or an administrator:
● Vertical: User to admin/root account
● Horizontal: User to another user account

11
Q

Credential Harvesting: what are the Vulnerabilities to Exploit for credential harvesting (7)?

A

▪ Security Account Manager (SAM) File: Contains the hashed passwords of every user on a given Windows system or domain
▪ Windows UAC
▪ Weak Process Permissions
▪ Shared folders: Many organizations do not enable access controls to their files and folders on a shared drive
▪ Dynamic Link Library (DLL): A library file that contains code that can be used or referenced by more than one program
▪ Writable services: Writable services and unquoted service paths can be used to inject a malicious application that will be launched during startup
▪ Missing patches

12
Q

Misconfigured Assets: what is a misconfigured cloud asset?

A

Account, storage, container, or other cloud-based resource that is vulnerable to attack because of its current configuration

13
Q

Misconfigured Assets: what is Cloud Federation? How can you prevent misconfigured cloud federation?

A

▪ The combination of infrastructure, platform services, and software to create data and applications that are hosted by the cloud
▪ Identify who’s responsible for the approval of new services and servers, as well as for their vulnerability and patch management

14
Q

Misconfigured Assets: what is Identity and Access Management (IAM)?

A

Defines how users and devices are represented in the organization and their associated permissions to resources within the organization’s cloud federation

15
Q

Misconfigured Assets: what are the assets types to be configured in IAM (5)? How should they be configured?

A

▪ Personnel Type: Used in IAM to define identities for an organization’s employees. An organization should ensure they are providing good end-user security training
▪ Endpoint Type: Used for resources and devices that are used by personnel to gain legitimate access to the network. Use centralized EMS. Validate endpoints
▪ Server Type: Used for mission-critical systems that provide a service to other users and endpoints. Encryption schemas. Digital certificates. Configuration hardening
▪ Software Type: Used by IAM to uniquely identify a software’s provenance prior to installation. A public key infrastructure should be used to provide higher levels of authentication and authority
▪ Role Type: Used to support the identities of various assets and associated permission and rights to the roles or functions of those resources

16
Q

Misconfigured Assets: what is a Privileged Account?

A

Allows the user to perform additional tasks, such as installing software, upgrading the operating system, modifying configurations, and deleting software or files

17
Q

Misconfigured Assets: what is a Shared Account?

A

Any account where the password or authentication credential is shared between more than one person

18
Q

Misconfigured Assets: what is Object Storage? How do you configure it?

A

▪ Bucket: Amazon Web Services
▪ Blob: Microsoft Azure
▪ An object is the equivalent of a file, and a container is the folder
▪ Object ACLs
▪ Container policies
▪ Access management authorizations

19
Q

Misconfigured Assets: what is a Cross-Origin Resource Sharing (CORS) Policy? How do you configure it?

A

▪ Allows objects to be read from multiple domain names and displayed properly in the end user’s browser
▪ OWASP Top 10 lists CORS policy misconfiguration under “Broken Access Control”

20
Q

Misconfigured Assets: what is a Container? What vulnerabilities can a container have (5)?

A

▪ An image that contains everything needed to run a single application or microservice
▪ Vulnerabilities:
● Embedded malware
● Missing critical security updates
● Outdated software
● Configuration defects
● Hard-coded cleartext passwords

21
Q

Metadata Service Attack: what is a Metadata Service? Why are they a cybersecurity risk?

A

▪ Used to provide data about an organization’s instances so that they can configure or manage their running instances
▪ Some big breaches were tied back to attacks against the metadata service as the initial attack vector

22
Q

Metadata Service Attack: explain Server-Side Request Forgery (SSRF) and what data can be retrieved with this attack?

A

A type of attack that takes advantage of the trust relationship between the server and the other resources it can access:
● Exploits vulnerable applications
● Communicates with the Metadata Service
● Extracts credentials
● Pivots into cloud account

23
Q

Metadata Service Attack: why are SSRF and Metadata Service Attack related?

A

Metadata service attack is a form of server-side request forgery attack that focuses on taking metadata about the instances

24
Q

Software Development Kit (SDK): what is it and why can they have vulnerabilities?

A

▪ A package of tools dedicated to a specific programming language or platform commonly used by developers when creating apps
▪ SDKs can contain vulnerabilities if the author who built those functions didn’t do a good job.
SDK libraries are designed to be consistent, approachable, diagnosable, dependable, and idiomatic

25
Q

Auditing the Cloud: what is ScoutSuite?

A

An open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls

26
Q

Auditing the Cloud: what is Prowler?

A

▪ An open-source security tool used for security best practices assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness for AWS cloud services
▪ Prowler is a command-line tool that can create a report in HTML, CSV, and JSON formats

27
Q

Auditing the Cloud: what is Pacu?

A

An exploitation framework used to assess the security configuration of an Amazon Web Services (AWS) account

28
Q

Auditing the Cloud: what is CloudBrute?

A

Used to find a target’s infrastructure, files, and apps across the top cloud service providers, including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, and Linode

29
Q

Auditing the Cloud: what is Cloud Custodian?

A

▪ An open-source cloud security, governance, and management tool designed to help admins create policies based on different resource types
▪ Cloud Custodian is a stateless rules engine used to manage AWS environments by validating and enforcing the environment against set standards