
🌩️ Into the Cloudiverse: Multi-Cloud Attacks Exposed 🤺

Kennedy Torkura
September 12, 2025

Guess what --> 80% of organizations use multi-cloud infrastructure 🙀
So it's no longer a sign of maturity; it's simply the norm, and expected.

❌ However, most cloud detection & response strategies remain stuck in the single-cloud era, e.g. pentesting, red/purple teaming, threat detection, incident response etc.

👉 Even more concerning, there is a HUGE misconception about multi-cloud security: that testing cloud A and cloud B sequentially or in parallel equates to multi-cloud security testing!

☠️ Nope. It doesn't.

✅ Effective multi-cloud security hinges on understanding & testing the interactions between the underlying infrastructures to identify attack opportunities, security blind spots etc.! Remember --> think in graphs, NOT lists.

**Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.** .. sounds familiar? 🤔

⚡ How to start defending multi-cloud infrastructure effectively?

✅ Check out the attached document for how you can leverage Mitigant to easily orchestrate attack scenarios that realistically interact across Amazon Web Services (AWS) and Microsoft Azure.

💥 Leverage the multi-cloud attacks to ensure your detection & response systems are performant. Maximize your Return on Investment and keep the baddies OUT 💰 🤑

🙌 BONUS -> check out the associated detection opportunities; we also provide you with Sigma logic and detection log evidence.


Transcript

  1. @run2obtain Multi-Cloud Attacks: Introduction

     Multi-cloud attacks are the new norm; attackers increasingly launch attacks that span two or more cloud service provider platforms, e.g. AWS, Azure and GCP. These attacks, often carried out by APTs and threat groups like the infamous Scattered Spider, use several known MITRE ATT&CK techniques. However, despite public knowledge of these techniques, defensive visibility remains non-existent, which makes attack detection and countermeasures even more challenging.

  2. Multi-Cloud Defenses: State-of-the-Art

     But guess what … Most security measures are still stuck in the single-cloud era: pentesting, red/purple teaming, threat detection, incident response etc. 80% of companies leverage multiple public clouds!

  3. Burst the MISCONCEPTION

     Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. Effective multi-cloud security is about testing the interactions between the underlying cloud infrastructures, not testing them in parallel, in sequence or in isolation.

  4. Multi-Cloud Lateral Movement (AWS -> Azure): Backdoor Data Exfiltration

     Let's quickly consider an example attack scenario --> Backdoor Data Exfiltration. This attack scenario demonstrates how attackers move laterally from AWS accounts into Azure subscriptions. It is one of many scenarios in the Mitigant Cloud Attack Emulation.

  5. Backdoor Data Exfiltration (AWS -> Azure): Detection & Investigation

     With a focus on Azure, we can get some insights from Azure activity logs. The following KQL query allows us to filter the calls from AWS against the storage account:

         StorageBlobLogs | where UserAgentHeader has "aws"

     We see that the CallerIPAddress (54.174.122.31) is owned by AWS by cross-checking it against the list of AWS IP address ranges: https://ip-ranges.amazonaws.com/ip-ranges.json

  6. Backdoor Data Exfiltration (AWS -> Azure): Detection & Investigation

     We can go further by inspecting the value of the UserAgentHeader:

         AZURECLI/2.77.0 (DEB) azsdk-python-storage-blob/12.16.0 Python/3.13.7 (Linux-6.8.0-1030-aws-x86_64-with-glibc2.39)

     Here is the breakdown, showing that the call was indeed made from an EC2 instance:
     - AZURECLI/2.77.0: Azure CLI, version 2.77.0
     - DEB: the CLI was installed from a Debian package
     - azsdk-python-storage-blob/12.16.0: Azure SDK for Python, specifically for Azure Blob Storage, version 12.16.0
     - Python/3.13.7: the Python version used to run the CLI and SDK
     - Linux-6.8.0-1030-aws-x86_64-with-glibc2.39: Linux kernel 6.8.0-1030, the build tailored for AWS EC2 on x86_64, with GNU C library (glibc) 2.39

     https://www.mitigant.io/en/blog/feature-release-multi-cloud-attack-emulation#multi-cloud-attacks

  7. Backdoor Data Exfiltration (AWS -> Azure): Detection & Investigation

     Now about detection opportunities: there are several points in the attack chain where the attack can be detected. However, it makes sense to understand usage patterns to prevent alert fatigue while allowing for precise alerting. Practising with adversary emulation helps here! For example, calls from AWS to Azure might be legitimate. However, the UserAgentHeader could be distinct, allowing a baseline behaviour to be established. Conversely, an attacker might use a different user agent, hence deviating from the baseline.

     https://www.mitigant.io/en/blog/ultimate-combo-cloud-attack-emulation-meets-microsoft-sentinel

  8. Mitigant Cloud Attack Emulation: Leverage the attacker's advantage for effective defense

     https://www.mitigant.io/en/platform/cloud-attack-emulation
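As an added example (not code from the deck or from Mitigant's tooling), the Python below reproduces the investigation of slides 5 and 6 offline: it applies the same `UserAgentHeader has "aws"` filter to constructed StorageBlobLogs rows, cross-checks CallerIPAddress against an excerpt shaped like ip-ranges.json, and breaks the user agent down into the fields the slide walks through. The log rows and the single prefix are constructed; a real run would fetch the document from the URL on the slide.

```python
import ipaddress
import json
import re

# Constructed excerpt shaped like https://ip-ranges.amazonaws.com/ip-ranges.json;
# in practice fetch that URL and pass its body in. The prefix is illustrative.
AWS_IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "54.174.0.0/15", "region": "us-east-1", "service": "EC2"},
]})

# Constructed StorageBlobLogs rows: one call from an EC2 host, one from an office IP.
SAMPLE_LOGS = [
    {"OperationName": "GetBlob", "CallerIPAddress": "54.174.122.31",
     "UserAgentHeader": "AZURECLI/2.77.0 (DEB) azsdk-python-storage-blob/12.16.0 "
                        "Python/3.13.7 (Linux-6.8.0-1030-aws-x86_64-with-glibc2.39)"},
    {"OperationName": "GetBlob", "CallerIPAddress": "203.0.113.10",
     "UserAgentHeader": "AZURECLI/2.77.0 (DEB) azsdk-python-storage-blob/12.16.0 "
                        "Python/3.13.7 (Linux-6.8.0-45-generic-x86_64-with-glibc2.39)"},
]

def load_aws_prefixes(raw_json):
    """Parse the ip-ranges document into (network, region, service) tuples."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in json.loads(raw_json)["prefixes"]]

def aws_match(ip, prefixes):
    """Return (region, service) of the first AWS prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next(((r, s) for net, r, s in prefixes if addr in net), None)

def parse_user_agent(ua):
    """Extract the Azure CLI version and the platform token from the header."""
    cli = re.search(r"AZURECLI/(\S+)", ua)
    plat = re.search(r"\((Linux-[^)]+)\)", ua)
    platform = plat.group(1) if plat else ""
    return {"cli_version": cli.group(1) if cli else None,
            "platform": platform,
            "aws_kernel": "-aws-" in platform}  # EC2 kernels carry the "aws" tag

def find_aws_callers(logs, prefixes):
    """Mirror the KQL `where UserAgentHeader has "aws"` filter, plus the IP cross-check."""
    hits = []
    for row in logs:
        ua = parse_user_agent(row["UserAgentHeader"])
        match = aws_match(row["CallerIPAddress"], prefixes)
        if ua["aws_kernel"] or match:
            hits.append({**row, "aws_region": match[0] if match else None,
                         "cli_version": ua["cli_version"]})
    return hits
```

Either signal alone is a baseline input rather than an alert: a call whose IP is in an AWS range but whose user agent does not carry the EC2 kernel tag (or vice versa) is exactly the deviation slide 7 suggests watching for.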