# HITCON 2021 空降危機-雲端攻防的二三事 筆記 ## Speaker 奧義智慧 Boik Su、aka. Dange ## Outline * Introduction * Case Study * AWS: Identity Perimeter * Azure: Network Perimeter * GCP: Hosted Application ... * 藍隊工具 ## 雲端服務的利用是新的標準 * Shared Responsibility Model * Responsibility always retained by the customer * Responsibility varies by type * Responsibility transfers to cloud provider > Through 2025 , more than 99% of cloud breaches will have a root cause of preventalbe .... ### 雲端威脅 - CSA 的觀點 共11點 1. Data Breaches 2. Misconfiguration and Inadequate Change Control 3. Lack of Cloud Security ... ### Identity Perimeter * 身份與存取管理系統(IAM)過於複雜 * 平台預設權限過高 * CSA Ref * Data breaches * Insufficient identity, Credential, access and key management * account hijacking * limited cloud ... ### 雲端事件統計 #### Initial Access * Vaild Accounts 佔最多 * Trusted Relationshop * Phishing * Exploit Public-Facing Application * Drive-by Compromise #### Escalation/ Persistence IAM > EC2 > 2020 幾乎都在IAM,而且埋後門比較划算 #### Network Perimeter * 企業防禦邊界模糊化 * 雲地混合,信任關係 * CSA Ref: * Data Braches * Lack of Cloud Security Architecture and Strategy * Insufficient Identity ... #### Hosted Applications/Services * 複雜的應用程式設定 * 非原生雲端應用程式與雲端整合的問題(K8s) * CSA Ref: * Data Breaches * Misconfiguration * ... ## AWS Identity and Access Management * Identity * User * Group * Service Account * Permission * Owner * Editor * Reader * Resource * VM * Bucket * ... ### 三大平台IAM差異 * AWS * IAM Group * IAM Role * GCP * google group * google workspace domain * cloud identity domain * service account * Azure * ... ### Attack Mindset * Credentials Harvest #### Credentials Harvest * Internet-Facing Sensitive Data (goolge hacking) * Config Files on Disk * Control Files on Disk * Control Plane Interface * Codebase * Environmental Variables ### Cloud Matrix 對於 IAM的利用過於粗略 * Initial Access * Vaid Accounts * ... ### Cloud Matrix is big 方向的建議 ## IAM Attack Pattern Identity -> Permission -> Resource -> Permission -> Identity > S3 Resource Exposure / Sub-Domain Takeover > ... Credentials Harvest + LM hacker assumrole succeeded -> Cloud Platform 提升手法用PassRole 到 Lamda 至 Role 2 #### 修改自身 Permission * Shadow Admin * setDefaultPolicy to Role * Admin Access > 透過本身權限修改另一個權限提權 ### IPI * 導出別的使用者access key * ... #### Privilege Escalation * hacker access group ... ### ROI SSRF to metadata Service #### Sub-Domain Takeover + SSRF Normal Request -> VM Instance -> External Site ## Azure - Network Perimeter #### Private, Public and Hybrid Cloud ### 關鍵基礎設施 * Hybrid Identity for * Cross-realm application Access * Simplified account access and management ### Active Directory vs. Azure AD | Active Directory | Azure AD| | -------- | -------- | | LDAP |REST API's | > ... 太快寫不完 ### Password hash synchronization (PHS) ### Attack - DCSync * On-Prem 密碼砸受同不需要特定權限 * DS-Replication-Get-Changes * DS-Replication-Get-Changes-All * DCSync 攻擊的必備條件 ### Real Workd Case * Microsoft Security Advisory 4056318 Guidance for securing AD DS account used by Azure ... ### Pass-through authentication(PTA) * "Azure Agent" On-Prem * PKI (encrypt/decrypt) * LogonUserW API #### LogonUserW BOOL LogonUserW 輸入是明碼唷! #### Attack - 密碼竊聽 #### Attack - Azure Skeleton Key ### Federation (AD FS) 大部分企業會選得方案 #### Federation (AD FS) * 微軟跨雲端、地端的身份驗證機制 * 原生支援SAML 2.0 #### SAML 2.0 * 開放式聯合標準 #### Attack - Golden SAML * 攻擊者若能拿下AD FS hosts,that it can sign any SAML Response and 偽造 to any user #### Real World Case - Solorigate #### Reak World Case - FoggyWeb ### Best Practice 微軟說現在不推薦AD FS 應改用Azure AD ## GCP - Hosted Applications/Services ### Service Side Request Forgery Hacker use SSRF to Metadata Service if access Denied ### Root Cause * Oracle( Instance Metadata Service) 缺乏身份驗證 ### Kubernetes * Master(control Plane) * Worker(Node) ,Container Runtime, Pod ### Kuberneters on GCP * GCP GKE Service (GCP代理k8s) * GCP Compute Engine ### Instance Metadata Service ? 無法區分請求 ### Secret in Metadata Service * Kube-env * KUBELET_CERT * KUBELET_KEY > TLS bootstrapping ### Instance Meta data Service ? 透過上述方法讓node 可以擴展一個惡意的container ### Real World Case SSRF in Exchange leads to ROOT access in all instances ### how to prevnet in GCP * DEST: avoid pods get Boot.... ### Metadata concealment & Workload Identity ### Workload identity container auth 會向gcp IAM Service 要資料 Pod -> Daeminset ### Misconfig (Host Network ) -> Bypass Pod container to Metadata Service ### Shielded GKE nodes * Shielded VMs: use vTPM to authorize intergity of VM * prevent rootkit > 放棄治療 ### Google 沒提到的限制 但是我們發現的問題 如果tpm不小心給了太高的權限或把他mount到其他地方,那還是能被碰到meta data > config 出錯 ### Demo 取得key cert ls /var/lib/kubelet/pli kubelet-client.lock lubectl --certificate-authority ... ## Defense ### NIST CSF _ the five function * Identify * Rule * Scount Suite * SkyArk * Cloudsplaining * Prowler * Graph * Principal Mapper * CloudMapper * awspx * SAST for IaC * terrascan * checkov * Protect * MFA * fail2ban * IAM * Policy Sentry * IAM Access Analyzer * iamlive * Repokid * Detect * Falco * API Log * AWS CloudTrail * CloudTracker * Config * Security * Monkey * AWS Config * Resonse * SOAR * IR Tool * Recover * AWS Backup ### IAM attack Pattern & awspx * awspx 堪稱 aws 的 blood... ### 好文推薦 * Cloud Security Orienteering How to rapidly understand and secure a cloud environment ## Conclusion * Identity Perimeter * Network Perimeter * Hosted Applications/Services * 以NIST CSF為基準提供藍隊工具