Chapter 2 - 07 - Understand IoT, OT, and Cloud Attacks - 04_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Cloud Hopper Attack

- Cloud Hopper attacks are triggered at the managed service providers (MSPs) and their users
- Attackers initiate spear-phishing emails with custom-made malware to compromise the accounts of staff or cloud service firms to obtain confidential information

Cloud Hopper attacks are triggered at managed service providers (MSPs) and their customers. Once the attack succeeds, attackers gain remote access to the intellectual property and critical information of the target MSP and its global users/customers. Attackers also move laterally in the network from one system to another in the cloud environment to gain further access to sensitive data pertaining to industrial entities, such as manufacturing, government bodies, healthcare, and finance.

Attackers initiate spear-phishing emails with custom-made malware to compromise the user accounts of staff members or cloud service firms to obtain confidential information. Attackers can also use PowerShell and PowerSploit command-based scripting for reconnaissance and information gathering, and then use the gathered information to access other systems connected to the same network. To perform this attack, attackers also leverage command-and-control (C&C) sites that spoof legitimate domains, and fileless malware that resides in and executes from memory. By impersonating a valid service provider, attackers breach the security mechanisms and gain complete access to the corporate data of the enterprise and its connected customers.

As shown in the figure, an attacker infiltrates the target MSP and distributes malware to gain remote access. The attacker then accesses the target customer profiles with his/her MSP account, compresses the customer data, and stores it in the MSP. The attacker then extracts the information from the MSP and uses it to launch further attacks on the target organization and users.

Figure 2.75: Demonstration of cloud hopper attack (diagram: MSP Provider, Attacker, MSP Users, Victim MSP User; labels "Infiltrate MSPs and distribute malware for remote access" and "Attacker extracts customer's information from the MSP")

Module 02 Page 376 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Cloud Cryptojacking

- Cryptojacking is the unauthorized use of the victim's computer to stealthily mine digital currency
- Cryptojacking attacks are highly lucrative and involve both external attackers and rogue insiders
- To perform this attack, attackers leverage attack vectors like cloud misconfigurations, compromised websites, and client- or server-side vulnerabilities

Cryptojacking is the unauthorized use of the victim's computer to stealthily mine digital currency. Cryptojacking attacks are highly lucrative, involving both external attackers and internal rogue insiders.

To perform this attack, attackers leverage attack vectors like cloud misconfigurations, compromised websites, and client- or server-side vulnerabilities. For example, an attacker exploits misconfigured cloud instances to inject a malicious cryptomining payload into a web page or a third-party library loaded by the web page. The attacker then lures the victim to visit the malicious web page; when the victim opens it, the crypto-miner runs automatically in the victim's browser using JavaScript. Using JavaScript-based crypto-miners, such as CoinHive and Cryptoloot, attackers can easily embed malicious crypto-mining scripts into legitimate websites using a link to CoinHive. Attackers make this attack more complex to detect by hiding the malicious crypto-mining script with techniques such as encoding, redirections, and obfuscation. The configuration for the payload is generally dynamic or hardcoded. Cryptojacking attacks can severely impact web sites, endpoints, and even the whole cloud infrastructure.

Steps of cloud cryptojacking attacks:

Step 1: An attacker compromises the cloud service by embedding a malicious cryptomining script.
Step 2: When the victim connects to the compromised cloud service, the crypto-mining script executes automatically.
Step 3: The victim unwittingly starts mining the cryptocurrency on behalf of the attacker and adds a new block to the blockchain.
Step 4: For each new block added to the blockchain, the attacker illicitly receives a reward in the form of cryptocurrency coins.

Figure 2.76: Demonstration of cryptojacking attack (diagram: Attacker, Victim, Cryptocurrency mining; labels "Attacker compromising the cloud service", "Victim connects to the compromised cloud service", "Victim starts mining the cryptocurrency", "Attacker gains reward in cryptocurrency coins")

Cloudborne Attack

- Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware
- The malicious backdoor can allow attackers to bypass the security mechanisms and perform activities such as watching a new user's activity or behavior, disabling the application or server, and intercepting or stealing data

Cloudborne is a vulnerability residing in a bare-metal cloud server that enables attackers to implant a malicious backdoor in its firmware. The installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as IaaS. Physical servers are not confined to one client and can be moved from one client to another. During the reclamation process, if the firmware re-flash (factory default setting, complete erase of memory, etc.) is not properly implemented, the backdoors can stay active in the firmware and travel along with the server.

Attackers exploit vulnerabilities in the Supermicro baseboard management controller (BMC) of a bare-metal server to overwrite its firmware. The BMC is used for remote management activities, such as provisioning, reinstalling the operating system, and troubleshooting via the Intelligent Platform Management Interface (IPMI), without physical access. As the BMC has the power to control servers remotely and provision the system to new customers, attackers choose it as a primary target. Vulnerabilities in the bare-metal cloud server and inappropriate firmware re-flashing pave the way for attackers to install and maintain a persistent backdoor. The malicious backdoors then allow attackers to directly access the hardware and bypass the security mechanisms to perform activities such as monitoring the new customer's activities, disabling the application/server, and intercepting data. These activities allow attackers to launch ransomware attacks on the target.

Figure 2.77: Illustration of cloudborne attack (diagram: Attacker, New Customer; labels "Attacker injects malicious backdoor on bare-metal server", "Server assigned to new customer with persistent backdoor", "Attacker exfiltrates customer's data via persistent backdoor", "Attacker monitors customer activities")
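The Cloud Hopper section above mentions C&C sites that spoof legitimate domains. The following added example (not part of the EC-Council material) shows how a defender can flag look-alike destinations in web-proxy logs by folding common character substitutions and measuring edit distance against an allowlist; the domain names, log format and log lines are constructed placeholders.

```python
import re

# Constructed allowlist (placeholder names, not real infrastructure).
LEGIT_DOMAINS = ["example-msp.com", "cloudportal-example.net", "vendor-example.com"]
# Digits and digraphs attackers swap for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(label: str) -> str:
    """Fold look-alike substitutions so '0'/'o' and 'rn'/'m' collide."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; domain names are short, so the quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, legit=LEGIT_DOMAINS, max_dist: int = 2):
    """Return (verdict, legit_domain): 'legit', 'lookalike' (close but not equal) or 'unknown'."""
    dom = ".".join(host.lower().split(".")[-2:])   # registrable part, .com/.net style
    if dom in legit:
        return "legit", dom
    for good in legit:
        if normalize(dom) == normalize(good) or levenshtein(dom, good) <= max_dist:
            return "lookalike", good
    return "unknown", None

# Constructed proxy log format: "<timestamp> <source host> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) \S+ https?://([^/\s]+)")

def scan_proxy_log(lines):
    """Return (timestamp, source, host, spoofed_domain) for each look-alike destination."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, src, host = m.groups()
            verdict, matched = classify(host)
            if verdict == "lookalike":
                hits.append((ts, src, host, matched))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "2024-01-05T10:02:11Z ws-017 GET https://portal.example-msp.com/login 200",
    "2024-01-05T10:03:40Z ws-017 POST https://update.examp1e-msp.com/api 200",
    "2024-01-05T10:04:02Z ws-023 GET https://cdn.vendor-exarnple.com/x.js 200",
]
```

Hits from `scan_proxy_log(SAMPLE_LOG)` are the two spoofed hosts; exact allowlist matches and unrelated domains are not reported, so the rule is only a triage signal alongside DNS age and TLS certificate checks.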
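The cryptojacking section describes miner scripts hidden by encoding and obfuscation. This added example (not from the EC-Council material) scans a page's script tags for the miner names given in the text, decoding base64 blobs and String.fromCharCode sequences first so hidden references surface; the indicator list, domains and sample page are constructed.

```python
import base64, re
from html.parser import HTMLParser

# Constructed indicators from the miner names in the text; use a maintained blocklist in practice.
MINER_INDICATORS = ("coinhive", "cryptoloot", "crypto-loot")

class _Scripts(HTMLParser):  # collects external script URLs and whole inline bodies
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
            self.srcs += [v for k, v in attrs if k == "src" and v]
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

def deobfuscate(script: str) -> str:
    """Append decoded base64 blobs and fromCharCode strings so hidden names surface."""
    extra = []
    for blob in B64_RE.findall(script):
        try:
            extra.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # not really base64, e.g. a long identifier
            pass
    for seq in CHARCODE_RE.findall(script):
        extra.append("".join(chr(int(n)) for n in seq.split(",") if n.strip()))
    return script + "\n" + "\n".join(extra)

def scan_page(html: str):
    """Return (location, indicator) pairs for every miner reference found."""
    p = _Scripts()
    p.feed(html)
    findings = [("src:" + s, i) for s in p.srcs for i in MINER_INDICATORS if i in s.lower()]
    for body in p.inline:
        text = deobfuscate(body).lower()
        findings += [("inline", i) for i in MINER_INDICATORS if i in text]
    return findings

# Constructed page (placeholder domains): miner URL hidden in base64, library name via fromCharCode.
_ENC = base64.b64encode(b"https://coinhive.example/lib/miner.js").decode()
SAMPLE_HTML = f"""<html><body><script src="https://cdn.example.net/app.js"></script>
<script>var s=document.createElement('script');s.src=atob("{_ENC}");
var lib=String.fromCharCode(99,114,121,112,116,111,108,111,111,116);</script></body></html>"""
```

Redirection-based hiding cannot be seen in static HTML; for that, pair this scan with a Content-Security-Policy that restricts script-src to known hosts.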
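The Cloudborne section's point is that an incomplete firmware re-flash lets a backdoor ride along to the next tenant. This added example (not from the EC-Council material) is a reclamation gate that compares the BMC firmware read back after the re-flash against a known-good hash and a minimum version before the server is assigned to a new customer; the image, manifest entry and model name are constructed stand-ins.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed firmware image and manifest. In practice the expected hash comes
# from the vendor's signed manifest, not from the image you are about to trust.
CLEAN_IMAGE = b"BMC firmware 3.1 (constructed stand-in for a real image)" + bytes(256)
KNOWN_GOOD = {("MODEL-X", "3.1"): sha256(CLEAN_IMAGE)}
MIN_VERSION = (3, 1)   # oldest firmware allowed back into the tenant pool

def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))

def verify_reclaimed_server(model: str, version: str, readback: bytes):
    """Gate a reclaimed bare-metal server before it goes to a new customer.

    readback is the BMC firmware read back *after* the re-flash. Returns
    (ok, reasons); an unknown model/version pair fails closed."""
    reasons = []
    expected = KNOWN_GOOD.get((model, version))
    if expected is None:
        reasons.append(f"no known-good hash for {model} firmware {version}")
    elif sha256(readback) != expected:
        reasons.append("read-back hash differs from vendor image: re-flash incomplete or firmware tampered")
    if version_tuple(version) < MIN_VERSION:
        reasons.append(f"firmware {version} is older than the minimum allowed")
    return (not reasons, reasons)

# Constructed case: the read-back still differs from the vendor image by one byte.
TAMPERED_IMAGE = CLEAN_IMAGE[:-1] + b"\x01"
```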
