A recent report from Sophos revealed details of a new Cloud Snooper attack that breached a cloud services firewall to gain remote access and control over the victim's servers.
Sophos discovered the breach while inspecting infected Linux and Windows EC2-based cloud infrastructure servers running in Amazon Web Services (AWS). The attack was said to be the work of nation-state cybercriminals seeking to take control of the network and exploit data. The AWS perimeter firewall was breached, and no firewalls were on the machines in AWS, so SSH and sudoers were exploited, then a RAT (Remote Access Trojan) was installed.
It appears that the VPN into the internal networks may have been exploited to ultimately take control of servers both inside and outside the corporate network that were used in the AWS instance, according to the report. The attack used a Linux rootkit to get remote access and elevated permissions, as well as to deploy malware to communicate with command-and-control servers.
This allowed remote control of the servers. It also allowed data to be infiltrated and delivered to remote servers outside corporate control, and then it cleaned up after itself to evade detection.
This type of attack is much broader than AWS, the report said. It represents a method of piggybacking command-and-control server traffic "in a way that can bypass many, if not most, firewalls," SophosLabs said.
Having seen and examined all kinds of attacks from some of the most sophisticated APT (advanced persistent threat) groups in my 25 years in the industry, this new exploit is exactly the type of hack that I warn our customers about every day—a new and unknown advanced exploit.
Here are key steps you can take to implement a zero-trust approach to avoid this type of attack.
Extend what you already have
Consider implementing an Active Directory bridge to extend your existing security and configuration policies to your cloud-based resources. Many organizations have already invested heavily in Active Directory Group Policy to ensure that consistent security controls are in place across on-premises Windows resources.
Having the right Group Policy Objects (GPOs) in place can prevent and detect attacks like this. But the challenge is that GPOs do not extend natively to on-premises Linux/UNIX or cloud-based servers. You will need a bridging system to accomplish this—but it can be done.
Not only can this help prevent breaches, but it is also a comprehensive way to meet compliance and governance requirements and to simplify and unify your compliance auditing capabilities.
Layer security measures and lock them down
The key to preventing data breaches of your cloud-based infrastructure is implementing a multilayered security approach. You need more than just a perimeter firewall. Every organization should think about extra security measures at the server level, especially when it comes to resources in a cloud provider or off-site data center.
Too many organizations have existing processes and policies in place, but lack the ability to ensure they are enforced across a hybrid environment. A Cloud Snooper will take advantage of any gaps in security configuration or policy, and the next thing you know, the next report will be about your data breach.
Enforce the law of the land in the cloud
In addition to extending your existing policies to the cloud at the server level, be sure that your solution will continually audit and monitor your cloud servers in real time to ensure that policies are enforced.
Then, if those policies are violated by a system administrator doing something outside of policy or a bad actor looking to infiltrate your network, you should remediate security policies at all levels within your systems, services, and applications.
Your Active Directory bridge software should identify an unauthorized change in violation of policy, end the session, and immediately revert system and application configurations and services to the pre-event desired state configuration. The bridge should also kick off an event in your SEIM so the security team can investigate the attempted breach.
To better manage security and configuration in the cloud, your Active Directory bridge should extend to cloud-based resources. This allows security teams to not only identify a breach, but also prevent it from happening in the first place.
How a bridge could have helped
Here are the specific functions an Active Directory bridge could have helped with regarding this kind of exploit:
System configuration GPOs—These install and configure tight firewall rules on each machine based on its role, with very strict rules for inbound/outbound traffic allowed to and from that machine.
Strict SSH GPOs—These configure and offer persistent SSH, with tight controls over who can access the machines and from where, to prevent someone from gaining remote access from an unauthorized location or IP.
Strict sudoers GPOs—These configure and persistently offer very strict sudoers policies to prevent the installing of files/applications, the writing of files, and the execution of commands.
User management GPOs—These create rules for disabling local accounts, only allowing Active Directory user accounts to have logon access. Write strict local policies around privileged accounts and assigning UID/GID. This adds an additional layer of challenge/response via Active Directory User Group Permissions, coupled with strict local user policies and restricted execution of commands.
Policy enforcement—This enables real-time monitoring and enforcement of GPOs so desired state is enforced even when users with root access violate a security policy.
Event monitoring—This uses the syslog provider to forward any policy violation events to the security information and event management (SIEM) system.
Mind your security gaps
As the recent exploit demonstrates, there are significant challenges when it comes to managing perimeter firewalls and VPNs for cloud-based services such as AWS and Azure.
Yes, public cloud services have invested a lot in perimeter security and resource management, but often these management tools require some system-level security controls to be loosened or even disabled. This leaves a security gap that can be exploited if not addressed properly or managed through the proper access and configuration policies.
With a strong Active Directory bridge, a creative, security-conscious administrator can implement unlimited security measures through Group Policy, such as personalized controls, disabling use of DNS for non-approved services, disabling the creation of directories and files for non-approved applications, and other actions.
These APT groups will persist and continue to evolve in their efforts to breach your defenses and steal your critical data. Security professionals must adopt a zero-trust model that increases defenses at every level of their cloud and hybrid workflow stacks by implementing “Day 1” configuration and compliance policies. This should include real-time monitoring, enforcement, alerting, and automated remediation when a policy violation occurs, be it unintended by a system administrator or a bad actor looking to make you the next victim of data theft.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
