Chapter 2 - 07 - Understand IoT, OT, and Cloud Attacks_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Information Security Attacks Exam 212-82

Module Flow
▪ Understand Information Security Attacks
▪ Describe Hacking Methodologies and Frameworks
▪ Understand Network-level Attacks
▪ Understand Application-level and OS-level Attacks
▪ Understand Social Engineering Attacks
▪ Understand Wireless Network-specific Attacks
▪ Understand IoT, OT, and Cloud Attacks
▪ Understand Cryptographic Attacks

Understand IoT, OT, and Cloud Attacks

This section discusses various IoT, OT, and cloud-specific attacks.

Module 02 Page 358 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

IoT and OT Specific Attacks

Attackers use various techniques to attack target IoT devices or networks. As security threats evolve and the security posture of organizations using OT changes, organizations need to give OT security the utmost importance and adopt appropriate strategies to address the security issues arising from OT/IT convergence. This section discusses various IoT and OT attacks such as rolling-code attacks, BlueBorne attacks, and HMI-based attacks.

DDoS Attack
A distributed denial-of-service (DDoS) attack is an attack in which multiple infected systems are used to bombard a single online system or service, rendering the server useless, slow, or unavailable to legitimate users for a period of time. The attacker initiates the attack by first exploiting vulnerabilities in devices and then installing malicious software in their operating systems. These multiple compromised devices are referred to as an army of botnets. Once the attacker decides on a target, he/she instructs the botnets, or zombie agents, to send requests to the target server. The target is hit by a large volume of requests from multiple IoT devices present in different locations. As a result, the target system is flooded with more requests than it can handle, so it either goes offline, suffers degraded performance, or shuts down completely.

Given below are the steps followed by an attacker to perform a DDoS attack using IoT devices:
▪ The attacker gains remote access to vulnerable devices
▪ After gaining access, he/she injects malware into the IoT devices to turn them into botnets
▪ The attacker uses a command and control center to instruct the botnets to send multiple requests to the target server, resulting in a DDoS attack
▪ The target server goes offline and becomes unavailable to process any further requests

Figure: Illustration of a DDoS attack using compromised IoT devices (attacker gains remote access to vulnerable devices, injects malware to turn them into bots, instructs the botnets via the command and control center to launch the attack, and the target server goes offline and is unable to process any further requests)
Figure 2.71: Illustration of rolling-code attack (attacker with a jamming device; on the victim's second attempt, the attacker forwards the first code, which unlocks the car, and records the second code; the recorded second code is used later by the attacker to unlock and steal the vehicle)

BlueBorne Attack

A BlueBorne attack is performed on Bluetooth connections to gain access to and take full control of the target device. Attackers connect to nearby devices and exploit the vulnerabilities of the Bluetooth protocol to compromise the devices. BlueBorne is a collection of various techniques based on known vulnerabilities of the Bluetooth protocol. This attack can be performed on multiple IoT devices, including those running operating systems such as Android, Linux, Windows, and older versions of iOS. In all these operating systems, the Bluetooth process has high privileges.
After gaining access to one device, an attacker can penetrate any corporate network using that device to steal critical information about the organization and spread malware to nearby devices. BlueBorne is compatible with all software versions and does not require any user interaction, precondition, or configuration except for Bluetooth being active. This attack establishes a connection with the target Bluetooth-enabled device without even pairing with it. Using this attack, an attacker can discover Bluetooth-enabled devices even when they are not in active discovery mode. Once the attacker identifies a nearby device, he/she tries to extract its MAC address and OS information to perform further exploitation on the target OS. Based on the vulnerabilities present in the Bluetooth protocol, attackers can even perform remote code execution and man-in-the-middle attacks on the target device. This attack can be performed on various IoT devices, such as smart TVs, phones, watches, car audio systems, and printers.

Steps to perform a BlueBorne attack:
▪ The attacker discovers active Bluetooth-enabled devices around him/her; all Bluetooth-enabled devices can be located even if they are not in discoverable mode
▪ After locating a nearby device, the attacker obtains the MAC address of the device
▪ The attacker then sends continuous probes to the target device to determine its OS
▪ After identifying the OS, the attacker exploits the vulnerabilities in the Bluetooth protocol to gain access to the target device
▪ The attacker can now perform remote code execution or a man-in-the-middle attack and take full control of the device
Figure 2.72: Illustration of BlueBorne attack (attacker discovers a Bluetooth device, retrieves its MAC address, retrieves OS information, gains access to and controls a Bluetooth-enabled printer, and uses the printer to access the corporate network)

SDR-Based Attacks on IoT

Software-defined radio (SDR) is a method of generating radio communications and implementing signal processing using software (or firmware) instead of the usual method of using hardware.
Using such a software-based radio communication system (a self-built SDR), an attacker can examine the communication signals in IoT networks and send spam content or texts to interconnected devices. The SDR system can also alter the transmission and reception of signals between devices, depending on their software implementations. The attack can be carried out on both full-duplex (two-way communication) and half-duplex (one-way communication) transmission modes.

Types of SDR-based attacks performed by attackers to break into an IoT environment:

▪ Replay Attack

This is the major attack described in IoT threats, in which attackers capture the command sequence from connected devices and use it for later retransmission. An attacker can perform the following steps to launch a replay attack:
o The attacker targets the specific frequency that is required to share information between devices
o After obtaining the frequency, the attacker captures the original data when commands are initiated by the connected devices
o Once the original data is collected, the attacker uses free tools such as URH (Universal Radio Hacker) to segregate the command sequence
o The attacker then injects the segregated command sequence on the same frequency into the IoT network, which replays the captured commands or signals of the devices

▪ Cryptanalysis Attack

A cryptanalysis attack is another type of substantial attack on IoT devices. In this attack, the procedure used by the attacker is the same as in a replay attack except for one additional step, i.e., reverse-engineering the protocol to obtain the original signal. To accomplish this task, the attacker must be skilled in cryptography, communication theory, and modulation schemes (to remove noise from the signal).
This attack is practically not as easy to launch as a replay attack, yet the attacker can try to breach security using various tools and procedures.

▪ Reconnaissance Attack

This is an addition to a cryptanalysis attack. In this attack, information can be obtained from the device's specifications. All IoT devices that operate through RF signals must be certified by their country's authority, which then officially discloses an analysis report of the device. Designers often hinder this kind of analysis by obscuring any identification marks on the chipset. Therefore, the attacker uses a multimeter to investigate the chipset and mark out some identifications, such as ground pins, to discover the product ID and compare it with the published report.

HMI-based Attacks

Attackers often try to compromise an HMI system as it is the core hub that controls critical infrastructure. If attackers gain access to HMI systems, they can cause physical damage to the SCADA devices or collect sensitive information related to the critical architecture that can later be used to perform malicious activities. Using this information, attackers can disable alert notifications of incoming threats to SCADA systems.
Discussed below are various SCADA vulnerabilities exploited by attackers to perform HMI-based attacks on industrial control systems:

▪ Memory Corruption

The vulnerabilities in this category are code security issues that include out-of-bounds read/write vulnerabilities and heap- and stack-based buffer overflows. In an HMI, memory corruption takes place when the memory contents are altered due to errors in the code. When these altered memory contents are used, the program crashes or performs unintended executions. Attackers can accomplish memory corruption simply by overwriting the code to cause a buffer overflow. Sometimes, an unflushed stack can also allow attackers to use string manipulation to abuse the program.

▪ Credential Management

The vulnerabilities in this category include the use of hard-coded passwords, saving credentials in simple formats such as cleartext, and inappropriate credential protection. These vulnerabilities can be exploited by attackers to gain admin access to the systems and alter system databases or other settings.

▪ Lack of Authorization/Authentication and Insecure Defaults

The vulnerabilities in this category include transmission of confidential information in cleartext, insecure defaults, missing encryption, and insecure ActiveX controls used for scripting. An authenticated SCADA solution administrator can view and access the passwords of other users. Attackers can exploit these vulnerabilities to gain illegal access to the target system and further record or manipulate the information being transmitted or stored.

▪ Code Injection

The vulnerabilities in this category include common code injections such as SQL, OS, command, and some domain-specific injections.
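A domain-specific expression evaluator of the kind an HMI uses for display and alarm rules, shown in a vulnerable evaluate-at-runtime form beside a hardened allow-list parser. This is an added example, not the module's or any HMI product's code; the tag names, values, and sample rules are constructed.

```python
"""Added example, not from the module or any HMI product: an HMI display
rule evaluated against live process tags. eval_rule_unsafe() hands the raw
string to the runtime the way an evaluate-at-runtime expression feature
does, so the rule author can run arbitrary code; eval_rule_safe() parses
with ast and accepts only numbers, tag names, arithmetic and one comparison.
Tag names, values and the sample rules are constructed."""
import ast
import operator

TAGS = {"PUMP1_PRESSURE": 42.5, "TANK_LEVEL": 71.0, "ALARM_HI": 80.0}

_BIN = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class RuleError(ValueError):
    """Raised for any rule the safe evaluator refuses."""


def eval_rule_unsafe(expr: str, tags: dict):
    """Vulnerable: the rule text is executed as code with tags as variables."""
    return eval(expr, {}, dict(tags))  # deliberately unsafe, for contrast


def _walk(node: ast.AST, tags: dict):
    """Evaluate an allow-listed subset of Python expression syntax."""
    if isinstance(node, ast.Expression):
        return _walk(node.body, tags)
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in tags:
            raise RuleError(f"unknown tag {node.id!r}")
        return tags[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand, tags)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
        return _BIN[type(node.op)](_walk(node.left, tags), _walk(node.right, tags))
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMP):
        left = _walk(node.left, tags)
        right = _walk(node.comparators[0], tags)
        return _CMP[type(node.ops[0])](left, right)
    # Call, Attribute, Subscript, lambda, comprehensions, strings, **: all refused
    raise RuleError(f"disallowed syntax: {type(node).__name__}")


def eval_rule_safe(expr: str, tags: dict):
    """Hardened: parse first, evaluate only the allow-listed node types."""
    if len(expr) > 200:
        raise RuleError("rule too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise RuleError(f"bad rule: {exc.msg}") from None
    return _walk(tree, tags)


def check(expr: str, tags: dict) -> tuple:
    """('ok', value) or ('rejected', reason) from the safe evaluator."""
    try:
        return "ok", eval_rule_safe(expr, tags)
    except RuleError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    rules = ["TANK_LEVEL * 1.2 > ALARM_HI",
             "__import__('os').getcwd()",          # runs as code under eval()
             "PUMP1_PRESSURE.__class__.__mro__"]   # attribute walk, also refused
    for rule in rules:
        print(rule, "->", check(rule, TAGS))
```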
Gamma script is one of the prominent domain-specific languages for HMIs that is prone to code injection attacks. This script is designed to develop fast phase UI and control applications. An EvalExpression (evaluate, compile, and execute code at runtime) vulnerability in Gamma script can be exploited by attackers to send and execute arbitrary attacker-controlled scripts or commands on the target SCADA system.

Cloud-specific Attacks

Most organizations adopt cloud technology because it reduces cost via optimized and efficient computing. Robust cloud technology offers different types of services to end users; however, many people are concerned about critical cloud security risks and threats, which attackers may take advantage of to compromise data security, gain illegal access to networks, etc. This section covers cloud-based attacks such as man-in-the-cloud attacks, cloud hopper attacks, and cloud cryptojacking.

Cloud-based vs. On-premises Attacks

Organizations and security professionals who decide to shift their IT infrastructure from on-premises to the cloud need to assess the security risks and benefits before deploying cloud services.
▪ Cloud is not always the solution

Some organizations believe that the cloud is the best solution for efficient cyber threat management. Although cloud services provide a comprehensive security strategy for organizations, they still include inherent weaknesses that make them less preferable for organizations that require complete protection.

▪ Cloud-based security reduces cost but increases risk

Organizations utilizing cloud-based security are not required to maintain dedicated security infrastructure and data centers, as all these facilities are provided by the third-party cloud provider. In other words, on-premises-based security can burden the organization by adding the cost of data centers and infrastructure to its expenses.

▪ Probability of redirection risks

Although forwarding potentially malicious network traffic away from on-premises infrastructure has benefits, it still has some implications that require consideration. Always-on cloud services require the full-time redirection and monitoring of traffic from a remote security center. This type of redirection can increase network latency and degrade the performance of the applications used by end customers. For the efficient management of application infrastructure, many applications expect minimal latency. Therefore, organizations that use always-on and cloud-only cyber security protection must assess risks such as the risk of a targeted attack on a growing customer base that can compromise the security of all customers. Organizations that leverage both cloud-based and on-premises infrastructure do not have such risks and can easily detect evolving threats and attacks without switching traffic between on-premises and cloud infrastructure.
▪ Lower detection capability in the cloud

For organizations that need cloud services providing cyber-attack protection, speed and accuracy in detection are major considerations. Many cloud-based security solutions advertise that they are very efficient in detecting various attack vectors and can further identify and isolate malicious traffic from legitimate traffic. However, these security solutions detect attacks by monitoring network traffic using network monitoring tools that detect malicious traffic based on specific traffic patterns and thresholds, instead of performing deep packet inspection to identify the malicious behaviors that lead to an attack.

▪ On-premises security increases productivity and availability

Organizations maintaining cyber-security teams on-premises can ensure the security of all their resources round the clock. These teams can conduct frequent security checks on the IT infrastructure. Conversely, on-premises security can result in additional maintenance and equipment costs.

▪ Lack of on-premises infrastructure reduces cloud view

Many cloud solutions redirect traffic from target resources to a security center for identifying malicious traffic and implementing mitigation strategies. This processing increases latency and reduces the speed of mitigation. Alternatively, hybrid solutions that utilize both on-premises infrastructure and cloud resources have the benefit of advanced attack visibility.
Side-Channel Attacks or Cross-guest VM Breaches

Attackers can compromise the cloud by placing a malicious virtual machine near a target cloud server and then launching a side-channel attack. The figure below shows how an attacker can compromise the cloud by placing a malicious VM near a target cloud server. The attacker runs the VM on the same physical host as the target VM and takes advantage of the shared physical resources (processor cache). Then, he/she launches side-channel attacks (timing attack, data remanence, acoustic cryptanalysis, power monitoring attack, and differential fault analysis) to extract cryptographic keys/plaintext secrets and steal the victim's credentials. Side-channel attacks can be implemented by any co-resident user and are mainly related to vulnerabilities in shared technology resources. Finally, the attacker uses the stolen credentials to impersonate the victim.
Figure 2.73: Example of Side-Channel attacks (multi-tenant cloud; the attacker's VM and the victim's VM share the processor cache; the attacker steals the victim's credentials, cryptographic keys, and plaintext secrets via timing attack, data remanence, acoustic cryptanalysis, power monitoring attack, or differential fault analysis, and impersonates the victim using the stolen credentials)

Man-in-the-Cloud (MITC) Attack

MITC attacks are an advanced version of man-in-the-middle (MITM) attacks. In MITM attacks, an attacker uses an exploit that intercepts and manipulates the communication between two parties, while MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or Dropbox, for data compromise, command and control (C&C), data exfiltration, and remote access. Synchronization tokens are used for application authentication in the cloud but cannot distinguish malicious traffic from normal traffic. Attackers abuse this weakness in cloud accounts to perform MITC attacks.

Figure 2.74: Example of Man-in-the-Cloud attacks
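Detection logic for the synchronization-token abuse in the MITC attack described above, run over constructed sync-client audit records; this is an added example, not the module's or any cloud provider's code. The record layout, the device identifiers, and the 30-minute swap window are assumptions.

```python
"""Added example, not part of the module: detection logic for the
man-in-the-cloud pattern, run over constructed sync-client audit records.
Two signals are checked: a synchronization token used from a device it was
never issued to, and one device switching accounts and back within a short
window (the planted token followed by the restore). Record format, names
and the window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: time account token device src_ip action
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice   tok-alice   dev-laptop-01  10.0.0.5     sync
2024-05-01T09:05:00 alice   tok-alice   dev-laptop-01  10.0.0.5     sync
2024-05-01T09:10:00 mallory tok-mallory dev-laptop-01  10.0.0.5     sync
2024-05-01T09:12:00 alice   tok-alice   dev-unknown-77 198.51.100.9 list_files
2024-05-01T09:13:00 alice   tok-alice   dev-unknown-77 198.51.100.9 download
2024-05-01T09:20:00 alice   tok-alice   dev-laptop-01  10.0.0.5     sync
2024-05-01T10:00:00 bob     tok-bob     dev-desktop-02 10.0.0.6     sync
"""

FIELDS = ("time", "account", "token", "device", "ip", "action")


def parse(log: str) -> list:
    """Turn the whitespace-separated records into dicts with a datetime."""
    records = []
    for line in log.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def detect_mitc(records: list,
                swap_window: timedelta = timedelta(minutes=30)) -> list:
    """Return (time, kind, detail) alerts. Records must be in time order."""
    alerts = []
    issued_on = {}            # token -> device the token was first seen on
    runs = defaultdict(list)  # device -> [(start_time, account)] per account run
    for r in records:
        home = issued_on.setdefault(r["token"], r["device"])
        if r["device"] != home:
            alerts.append((r["time"], "token_reuse",
                           f"{r['token']} issued to {home} used from {r['device']} "
                           f"({r['ip']}) action={r['action']}"))
        dev_runs = runs[r["device"]]
        if not dev_runs or dev_runs[-1][1] != r["account"]:
            dev_runs.append((r["time"], r["account"]))
            # A -> B -> A on one device inside the window: planted token, then restore
            if (len(dev_runs) >= 3 and dev_runs[-1][1] == dev_runs[-3][1]
                    and r["time"] - dev_runs[-3][0] <= swap_window):
                alerts.append((r["time"], "token_swap",
                               f"{r['device']} switched {dev_runs[-3][1]} -> "
                               f"{dev_runs[-2][1]} -> {dev_runs[-1][1]} "
                               f"within {swap_window}"))
    return alerts


def run_sample() -> list:
    return detect_mitc(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for when, kind, detail in run_sample():
        print(when.isoformat(), kind, detail)
```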
As shown in the figure, the attacker tricks the victim into installing malicious code that plants the attacker's synchronization token on the victim's drive. Then, the attacker steals the victim's synchronization token and uses it to gain access to the victim's files. Later, the attacker restores the victim's original synchronization token in place of the malicious token, returning the drive application to its original state, and stays undetected.

Cloud Hopper Attack

Cloud hopper attacks are triggered at managed service providers (MSPs) and their customers. Once the attack is successfully implemented, attackers can gain remote access to the intellectual property and critical information of the target MSP and its global users/customers. Attackers also move laterally in the network from one system to another in the cloud environment to gain further access to sensitive data pertaining to industrial entities, such as manufacturing, government bodies, healthcare, and finance. Attackers initiate spear-phishing emails with custom-made malware to compromise user accounts of staff members or cloud service firms to obtain confidential information.
Attackers can also use PowerShell and PowerSploit command-based scripting for reconnaissance and information gathering. Attackers use the gathered information to access other systems connected to the same network. To perform this attack, attackers also leverage C&C sites spoofing legitimate domains and fileless malware that resides in and executes from memory. Attackers breach the security mechanisms by impersonating a valid service provider and gain complete access to the corporate data of the enterprise and its connected customers.

As shown in the figure, an attacker infiltrates the target MSP and distributes malware to gain remote access. The attacker then accesses the target customer profiles with his/her MSP account, compresses the customer data, and stores it in the MSP. The attacker then extracts the information from the MSP and uses it to launch further attacks on the target organization and users.

Figure 2.75: Demonstration of cloud hopper attack (attacker infiltrates the MSP provider and distributes malware for remote access; attacker extracts customers' information from the MSP; the MSP users are the victims)
Cloud Cryptojacking

Cryptojacking is the unauthorized use of the victim's computer to stealthily mine digital currency. Cryptojacking attacks are highly lucrative, involving both external attackers and internal rogue insiders. To perform this attack, attackers leverage attack vectors like cloud misconfigurations, compromised websites, and client- or server-side vulnerabilities. For example, an attacker exploits misconfigured cloud instances to inject a malicious crypto-mining payload into a web page or a third-party library loaded by the web page. Then, the attacker lures the victim into visiting the malicious web page; when the victim opens the web page, it automatically runs the crypto-miner in the victim's browser using JavaScript. Using JavaScript-based crypto-miners, such as CoinHive and Cryptoloot, attackers can easily embed malicious crypto-mining scripts into legitimate websites using a link to CoinHive. Attackers make this attack harder to detect by hiding the malicious crypto-mining script using various hiding techniques, such as encoding, redirections, and obfuscation. The configuration for the payload is generally dynamic or hardcoded.
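A scanner for the encoded and obfuscated miner scripts described above, run against constructed page content; this is an added example, not the module's code. The indicator strings come from the miner names the text mentions, and the sample pages, CDN hostname, and site key are constructed.

```python
"""Added example, not part of the module: a scanner for hidden in-browser
crypto-mining scripts. It searches page content for the miner names the
text mentions (CoinHive, Cryptoloot) and peels base64 layers so that
eval(atob(...))-style encoding does not hide them. Indicator list, sample
pages, hostname and site key are constructed."""
import base64
import re

MINER_INDICATORS = ("coinhive", "coinhive.anonymous", "cryptoloot", "crypto-loot")
# a quoted run of base64 characters long enough to carry a script fragment
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decode_layers(text: str, depth: int = 0, max_depth: int = 3):
    """Yield (depth, text) for the page and every base64 literal it contains,
    recursively, so doubly encoded payloads are still inspected."""
    yield depth, text
    if depth >= max_depth:
        return
    for m in B64_LITERAL.finditer(text):
        try:
            inner = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # looked like base64 but is not
            continue
        yield from decode_layers(inner.decode("utf-8", "ignore"), depth + 1, max_depth)


def scan_page(html: str) -> list:
    """Return sorted (indicator, depth) pairs; depth 0 is the page itself."""
    findings = set()
    for depth, layer in decode_layers(html):
        low = layer.lower()
        for ind in MINER_INDICATORS:
            if ind in low:
                findings.add((ind, depth))
    return sorted(findings)


def has_miner(html: str) -> bool:
    return bool(scan_page(html))


# Constructed samples: one plain include, one encoded once, one encoded twice
INNER = "new CoinHive.Anonymous('constructed-site-key').start();"
B64_ONCE = base64.b64encode(INNER.encode()).decode()
B64_TWICE = base64.b64encode(f"eval(atob('{B64_ONCE}'))".encode()).decode()
SAMPLE_PAGES = {
    "clean": "<html><script src='/static/app.js'></script></html>",
    "plain_include": "<script src='https://cdn.example.test/coinhive.min.js'></script>",
    "encoded": f"<script>eval(atob('{B64_ONCE}'))</script>",
    "double_encoded": f"<script>eval(atob('{B64_TWICE}'))</script>",
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(f"{name:15} -> {scan_page(page)}")
```

Pattern scanning only catches miners that name themselves; pairing it with a script-src allow-list in Content-Security-Policy stops unknown third-party scripts from loading at all.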
Cryptojacking attacks can severely impact websites, endpoints, and even the whole cloud infrastructure.

Steps of cloud cryptojacking attacks:
▪ Step 1: An attacker compromises the cloud service by embedding a malicious crypto-mining script.
▪ Step 2: When the victim connects to the compromised cloud service, the crypto-mining script gets executed automatically.
▪ Step 3: The victim unknowingly starts mining the cryptocurrency on behalf of the attacker and adds a new block to the blockchain.
▪ Step 4: For each new block added to the blockchain, the attacker illicitly gets a reward in the form of cryptocurrency coins.

Figure 2.76: Demonstration of cryptojacking attack (attacker compromises the cloud service; victim connects to the compromised cloud service; victim starts mining the cryptocurrency; attacker gains reward in cryptocurrency coins)

Cloudborne Attack
Cloudborne Attack

Cloudborne is a vulnerability residing in bare-metal cloud servers that enables attackers to implant a malicious backdoor in the server's firmware. The installed backdoor can persist even after the server is reallocated to a new client that rents it as infrastructure as a service (IaaS). Physical servers are not confined to one client; they move from one client to the next. During the reclamation process, if the firmware re-flash (restoring factory defaults, completely erasing memory, and so on) is not properly implemented, a backdoor planted in the firmware stays active and travels with the server to its next tenant.

Attackers exploit vulnerabilities in the baseboard management controller (BMC) of the bare-metal server (the original Cloudborne research targeted Supermicro BMCs) to overwrite its firmware. The BMC is used for remote management tasks such as provisioning, reinstalling the operating system, and troubleshooting through the Intelligent Platform Management Interface (IPMI), all without physical access. Because the BMC can control the server remotely and is the component that provisions the system for the next customer, attackers choose it as their primary target.

Vulnerabilities in the bare-metal server and inappropriate firmware re-flashing together let attackers install a backdoor and keep it persistent. The backdoor then gives attackers direct access to the hardware, below the operating system, so they can bypass OS- and application-level security mechanisms to monitor the new customer's activities, disable the application or server, and intercept data. The same access can be used to stage ransomware attacks on the new tenant.

A re-flash is only trustworthy if it is verified: read the flash back and compare it with a vendor-published image, and check that the BMC reports the expected firmware release. A successful exit status from the flashing tool is not evidence that the old contents are gone.
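The reclamation check described above, written out as an added example (not part of the course text and not any vendor's or cloud provider's tooling). It assumes the operator can capture `ipmitool mc info` output for the BMC and can read the BMC flash back into a file after re-flashing; the golden digest table, the mc-info excerpt, and the flash images are constructed for illustration, and real digests would come from the vendor's signed release material.

```python
"""Gate a reclaimed bare-metal server on verified BMC firmware before re-tenanting.

Added example; not part of the course text or of any vendor / provider tool.
Assumes `ipmitool mc info` output and a post-flash read-back of the BMC flash
are available.  Golden digests, mc-info text and images are constructed.
"""
import hashlib
import re

# Stand-in for a real vendor image; its SHA-256 plays the role of the
# vendor-published digest for release 3.48.  Constructed values.
GOLDEN_IMAGE = b"BMC-FIRMWARE-3.48-GOLDEN-IMAGE" * 64
GOLDEN_DIGESTS = {hashlib.sha256(GOLDEN_IMAGE).hexdigest(): "3.48"}

_FW_LINE = re.compile(r"^\s*Firmware Revision\s*:\s*(\S+)", re.MULTILINE)


def firmware_revision(mc_info_text):
    """Extract the firmware revision from `ipmitool mc info` style output."""
    m = _FW_LINE.search(mc_info_text)
    return m.group(1) if m else None


def reclamation_gate(mc_info_text, flash_readback, expected_version,
                     golden=GOLDEN_DIGESTS):
    """Return (ok, findings).

    ok is True only if the flash read back after the re-flash matches a
    vendor-published image AND the BMC reports the expected version.  The
    flashing tool's exit status is deliberately not an input: Cloudborne is
    exactly the case where 'flash succeeded' yet the old contents survived.
    """
    findings = []
    digest = hashlib.sha256(flash_readback).hexdigest()
    version_of_flash = golden.get(digest)
    if version_of_flash is None:
        findings.append("flash read-back matches no vendor-published image "
                        "(possible implant or incomplete re-flash)")
    elif version_of_flash != expected_version:
        findings.append(f"flash holds {version_of_flash}, expected {expected_version}")

    reported = firmware_revision(mc_info_text)
    if reported is None:
        findings.append("could not parse Firmware Revision from mc info output")
    elif reported != expected_version:
        findings.append(f"BMC reports {reported}, expected {expected_version}")
    return (not findings), findings


# Constructed `ipmitool mc info` excerpt, in the column layout ipmitool prints.
MC_INFO_OK = """Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.48
IPMI Version              : 2.0
Manufacturer Name         : Supermicro
"""
# A read-back that differs in a single byte the re-flash should have replaced:
# the version string is untouched, but the digest matches no golden image.
TAMPERED_IMAGE = GOLDEN_IMAGE[:100] + b"X" + GOLDEN_IMAGE[101:]

if __name__ == "__main__":
    print(reclamation_gate(MC_INFO_OK, GOLDEN_IMAGE, "3.48"))
    print(reclamation_gate(MC_INFO_OK, TAMPERED_IMAGE, "3.48"))
```

The version check alone would pass the tampered image, which is the point: a compromised BMC can report whatever version it likes, so the read-back digest is the authoritative check. Where possible the read-back should be taken with a path the BMC does not control (an external programmer on the SPI flash, or a provider-side host-to-BMC channel with its own attestation), because an implanted BMC can also lie about its own flash contents.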
Figure 2.77: Illustration of Cloudborne attack (labels: Attacker injects malicious backdoor on bare-metal server; Server assigned to new customer with persistent backdoor; Attacker monitors customer activities; Attacker exfiltrates customer's data via persistent backdoor)

Supply Chain Attacks

A supply chain failure can be caused by incomplete and non-transparent terms of use, hidden dependencies created by cross-cloud applications, inappropriate selection of a cloud service provider (CSP), lack of supplier redundancy, and similar factors. Cloud providers outsource certain tasks to third parties, so the security of the cloud depends on the security of every link in the chain and on the extent of the provider's dependence on third parties. A disruption in the chain may lead to a loss of data privacy and integrity, service unavailability, violation of the SLA, and economic and reputational losses, which in turn lead to a failure to meet customer demand and to cascading failures.

Many organizations that use cloud services trust third-party links to execute or fulfill certain tasks. If an attacker is able to gain access to one of those links, the attacker can infect other parts of the supply chain without being traced. One attack on a single link can compromise the security of the entire supply chain.
The following are some defensive measures against supply chain attacks:

= Define a set of controls and policies to mitigate supply chain risks.
= Limit the supply chain to a small, vetted supplier base.
= Develop a containment plan to restrict the damage caused by the failure of a trusted counterparty.
= Create visibility mechanisms to detect compromised elements of the supply chain.
= Consider engaging third parties that provide information on the security posture of counterparties.

Exploiting Misconfigured AWS S3 Buckets

Follow the steps below to exploit a misconfigured AWS S3 bucket. Run the write and delete operations of Step 6 only against buckets you own or are explicitly authorized to test: mv, cp, and rm change the bucket's contents.

= Step 1: Identify S3 buckets
Attackers use tools such as S3Scanner, lazys3, Bucket Finder, and s3-buckets-bruteforcer to find target AWS S3 buckets. These tools yield the URLs of the identified buckets. For example, the URL of an identified S3 bucket has the form:
http://[bucket_name].s3.amazonaws.com/

= Step 2: Set up the AWS command-line interface
Install aws-cli, confirm the installation with aws --version, and create an AWS account if you do not already have one.

= Step 3: Obtain access keys
These are the tester's own credentials, used to send signed requests; they are not the bucket owner's keys.
o After creating the account, sign in and go to https://console.aws.amazon.com/iam/
o Select Users > Add User.
o Fill in the necessary details and click the "Create User" button.
o Download the CSV file and extract your access key ID and secret access key from it (the secret is only available at creation time).

= Step 4: Configure aws-cli
In a terminal, run the following command and enter the access key ID, secret access key, default region, and output format when prompted:
aws configure

= Step 5: Identify vulnerable S3 buckets
Run the following commands to check whether the bucket can be listed:
aws s3 ls s3://[bucket_name]
aws s3 ls s3://[bucket_name] --no-sign-request
The first request is signed with your keys and tests whether any authenticated AWS account can list the bucket; the second sends an anonymous request and tests public listing. A directory listing means the bucket is exposed at that level of access; "Access Denied" means the bucket exists but is not listable at that level.

= Step 6: Exploit S3 buckets
Run the following commands to manipulate the files stored in the bucket. With --no-sign-request the request is anonymous; without it, the request is signed with the keys configured in Step 4.
Reading files > aws s3 ls s3://[bucket_name] --no-sign-request
Moving files > aws s3 mv FileName s3://[bucket_name]/test-file.txt --no-sign-request
Copying files > aws s3 cp FileName s3://[bucket_name]/test-file.svg --no-sign-request
Deleting files > aws s3 rm s3://[bucket_name]/test-file.svg --no-sign-request
A successful cp or mv shows that the bucket accepts writes at that level of access; a successful rm shows that it accepts deletions.

Figure 2.78: Screenshot of aws-cli
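The anonymous listing check of Step 5, and the interpretation of its result, as an added example that is not part of the course text and not the AWS CLI: check_bucket() issues the same unsigned GET against the bucket's virtual-hosted URL that aws s3 ls --no-sign-request issues, and classify() interprets the S3 REST XML that comes back (a ListBucketResult on success, an unnamespaced Error element otherwise). Only check_bucket() touches the network; the parsing runs offline against the constructed response bodies at the bottom. The bucket name, key names, and the list of "sensitive" key markers are constructed for illustration. The signed (authenticated-user) variant of the check needs SigV4 request signing and is left to the CLI.

```python
"""Classify an S3 bucket's response to an anonymous listing request.

Added example; not part of the course text or of the AWS CLI.  check_bucket()
sends the unsigned GET that `aws s3 ls s3://bucket --no-sign-request` sends;
classify() interprets the S3 REST XML.  Response bodies below are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Key-name fragments a practitioner would escalate on sight (illustrative list).
SENSITIVE_MARKERS = (".sql", ".env", ".pem", ".key", ".bak", "credentials")


def classify(status, body):
    """Map (HTTP status, XML body) to (verdict, keys, truncated).

    verdict: 'public-listable'      anonymous listing works
             'exists-not-listable'  AccessDenied: bucket exists, retry signed
             'no-such-bucket'       name is unused (takeover risk if a CNAME points here)
             'wrong-region'         PermanentRedirect: retry on the regional endpoint
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable", [], False
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
        truncated = (root.findtext(S3_NS + "IsTruncated") or "").lower() == "true"
        return "public-listable", keys, truncated
    if root.tag == "Error":                       # S3 error bodies carry no namespace
        code = root.findtext("Code") or "Unknown"
        verdict = {"AccessDenied": "exists-not-listable",
                   "NoSuchBucket": "no-such-bucket",
                   "PermanentRedirect": "wrong-region"}.get(code, "error:" + code)
        return verdict, [], False
    return "unexpected", [], False


def sensitive_keys(keys):
    """Keys worth reporting first when a listing succeeds."""
    return [k for k in keys if k and any(m in k.lower() for m in SENSITIVE_MARKERS)]


def check_bucket(bucket, timeout=10.0):
    """Live check (needs network): unsigned GET on the virtual-hosted-style URL."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    req = urllib.request.Request(url, headers={"User-Agent": "s3-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:          # 403 / 404 / 301 arrive here
        return classify(err.code, err.read())


# Constructed response bodies in the shape S3 returns (not captured from AWS).
LISTING = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
           b'<Name>example-corp-backups</Name><IsTruncated>false</IsTruncated>'
           b'<Contents><Key>db/prod-2024.sql</Key><Size>10485760</Size></Contents>'
           b'<Contents><Key>index.html</Key><Size>512</Size></Contents>'
           b'</ListBucketResult>')
DENIED = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>')
MISSING = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<Error><Code>NoSuchBucket</Code>'
           b'<Message>The specified bucket does not exist</Message></Error>')

if __name__ == "__main__":
    verdict, keys, _ = classify(200, LISTING)
    print(verdict, keys, "sensitive:", sensitive_keys(keys))
    print(classify(403, DENIED)[0], classify(404, MISSING)[0])
```

A truncated listing (IsTruncated true) means more than one page of keys exists and the caller should continue with the marker S3 returns. Note that "exists-not-listable" is not a clean bill of health: the bucket may still allow anonymous reads of individual objects whose names are guessable, or listing by any authenticated AWS account, which is why Step 5 runs the signed request as well.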
