HITCON 2021 notes: Crisis from Above, a Few Things About Cloud Attack and Defense

Speaker

奧義智慧 (CyCraft)
Boik Su, aka Dange

Outline

  • Introduction
  • Case Study
    • AWS: Identity Perimeter
    • Azure: Network Perimeter
    • GCP: Hosted Application …
  • Blue team tools

Using cloud services is the new normal

  • Shared Responsibility Model
    • Responsibility always retained by the customer
    • Responsibility varies by type
    • Responsibility transfers to cloud provider

Through 2025, more than 99% of cloud breaches will have a root cause of preventable …

Cloud threats: the CSA view

11 items in total

  1. Data Breaches
  2. Misconfiguration and Inadequate Change Control
  3. Lack of Cloud Security

Identity Perimeter

  • Identity and access management (IAM) is overly complex
  • Platform default privileges are too high
  • CSA Ref
    • Data breaches
    • Insufficient identity, credential, access and key management
    • Account hijacking
    • limited cloud …

Cloud incident statistics

Initial Access

  • Valid Accounts is the most common
  • Trusted Relationship
  • Phishing
  • Exploit Public-Facing Application
  • Drive-by Compromise

Escalation / Persistence

IAM > EC2

In 2020 almost all of it happened in IAM, and planting a backdoor there pays off more

Network Perimeter

  • The enterprise defensive perimeter is blurred
  • Hybrid cloud/on-prem, trust relationships
  • CSA Ref:
    • Data Breaches
    • Lack of Cloud Security Architecture and Strategy
    • Insufficient Identity …

Hosted Applications/Services

  • Complex application configuration
  • Integration problems between non-cloud-native applications and the cloud (K8s)
  • CSA Ref:
    • Data Breaches
    • Misconfiguration

AWS Identity and Access Management

  • Identity
    • User
    • Group
    • Service Account
  • Permission
    • Owner
    • Editor
    • Reader
  • Resource
    • VM
    • Bucket

IAM differences across the three major platforms

  • AWS
    • IAM Group
    • IAM Role
  • GCP
    • Google group
    • Google Workspace domain
    • Cloud Identity domain
    • service account
  • Azure

Attack Mindset

  • Credentials Harvest

Credentials Harvest

  • Internet-facing sensitive data (Google hacking)
  • Config Files on Disk
  • Control Files on Disk
  • Control Plane Interface
  • Codebase
  • Environmental Variables

The Cloud Matrix is too coarse about how IAM is abused

  • Initial Access
    • Valid Accounts

The Cloud Matrix only gives broad-direction advice

IAM Attack Pattern

Identity -> Permission -> Resource -> Permission -> Identity

S3 Resource Exposure / Sub-Domain Takeover

Credentials Harvest + lateral movement (LM)

Attacker's AssumeRole succeeded -> Cloud Platform
Escalation technique: use PassRole to Lambda to reach Role 2

Modify one's own permissions

  • Shadow Admin
    • setDefaultPolicy to Role
    • Admin Access

Escalate by using one's own permissions to modify another permission

IPI

  • Export other users' access keys

Privilege Escalation

  • hacker access group …
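As an added illustration of the IAM attack pattern in the notes above (PassRole to Lambda to reach another role, the SetDefaultPolicyVersion shadow admin, minting access keys for other users), here is a small policy scanner in Python. It is written for these notes and is not code from the talk or from any of the tools it lists. The escalation-path table and the sample policy are constructed; the action names are real IAM actions.

```python
import fnmatch
import json

# Constructed table of the privilege-escalation primitives mentioned in the
# notes. Each entry lists the IAM actions that together let a principal reach
# a higher-privileged identity. Deliberately not exhaustive.
ESCALATION_PATHS = {
    "PassRole to Lambda (run code as another role)": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction",
    },
    "Shadow admin via SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "Mint access keys for other users": {"iam:CreateAccessKey"},
    "Attach a policy to one's own user": {"iam:AttachUserPolicy"},
}


def allowed_action_patterns(policy):
    """Collect every action pattern granted by Allow statements.

    Deny statements, NotAction and Condition blocks are ignored on purpose:
    the scanner over-approximates what is granted, which is the right bias
    for a tool whose job is to raise findings for human review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def grants(patterns, action):
    """IAM action matching is case-insensitive and allows * and ? wildcards."""
    wanted = action.lower()
    return any(fnmatch.fnmatchcase(wanted, p.lower()) for p in patterns)


def find_escalation_paths(policy):
    """Return the names of every escalation path the policy fully enables."""
    patterns = allowed_action_patterns(policy)
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(grants(patterns, action) for action in needed)]


# Constructed sample: a "developer" policy that looks harmless but combines
# lambda:* with an unrestricted iam:PassRole.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_escalation_paths(SAMPLE_POLICY):
        print("FINDING:", finding)
```

The scanner reads only the Action element. A real review also has to look at Resource and Condition: `iam:PassRole` limited to one named role is far less dangerous than the `"Resource": "*"` in the sample, which is exactly what the Lambda escalation path relies on.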

ROI

SSRF to metadata Service

Sub-Domain Takeover + SSRF

Normal Request -> VM Instance -> External Site

Private, Public and Hybrid Cloud

Critical infrastructure

  • Hybrid Identity for
    • Cross-realm application Access
    • Simplified account access and management

Active Directory vs. Azure AD

Active Directory   | Azure AD
LDAP               | REST APIs

… went too fast, could not keep up with the notes

Password hash synchronization (PHS)

Attack – DCSync

  • On-prem password hash synchronization does not require special privileges
    • DS-Replication-Get-Changes
    • DS-Replication-Get-Changes-All
  • Prerequisites for a DCSync attack

Real World Case

  • Microsoft Security Advisory 4056318

Guidance for securing AD DS account used by Azure …

Pass-through authentication(PTA)

  • “Azure Agent” On-Prem
  • PKI (encrypt/decrypt)
  • LogonUserW API

LogonUserW

BOOL LogonUserW
The input is plaintext!

Attack – password sniffing

Attack – Azure Skeleton Key

Federation (AD FS)

The option most enterprises choose

Federation (AD FS)

  • Microsoft's authentication mechanism across cloud and on-prem
  • Native support for SAML 2.0

SAML 2.0

  • Open federation standard

Attack – Golden SAML

  • If an attacker can take over the AD FS hosts, they can sign any SAML Response and forge one for any user

Real World Case – Solorigate

Real World Case – FoggyWeb

Best Practice

Microsoft now says AD FS is not recommended;
use Azure AD instead

GCP – Hosted Applications/Services

Server-Side Request Forgery

The attacker uses SSRF to reach the Metadata Service when direct access is denied

Root Cause

  • Oracle (Instance Metadata Service) lacks authentication

Kubernetes

  • Master (control plane)
  • Worker (node), container runtime, pod

Kubernetes on GCP

  • GCP GKE service (GCP-managed k8s)
  • GCP Compute Engine

Instance Metadata Service ?

Cannot distinguish between requests

Secret in Metadata Service

  • Kube-env
    • KUBELET_CERT
    • KUBELET_KEY

TLS bootstrapping

Instance Metadata Service ?

Through the above method a node can spawn a malicious container
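The SSRF path in these notes, from "SSRF to metadata Service" to the GKE kube-env case above, starts with an application inside the instance that fetches a URL the attacker chooses. As an added example, not code from the talk, here is a Python guard for such a fetch feature: it resolves the target and refuses link-local, private and loopback destinations (including the IPv4-mapped IPv6 form), and the metadata hostnames. The resolver is a parameter so the demo runs offline; the `evil.example` host and the `_FAKE_DNS` table are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that cloud SDKs use to reach the metadata endpoint (constructed
# list of the well-known names; 169.254.169.254 itself is caught by the
# link-local check below).
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def is_blocked_address(ip_text):
    """True for any address an outbound fetch on behalf of a user must never reach."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254; unwrap it
    # so the IPv4 checks apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a URL the application is about to fetch.

    resolver has the signature of socket.getaddrinfo(host, port); it is a
    parameter only so the check can be exercised without network access.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        return False, "metadata hostname"
    try:
        ipaddress.ip_address(host)        # literal IP in the URL
        addresses = [host]
    except ValueError:
        try:
            addresses = sorted({info[4][0] for info in resolver(host, None)})
        except socket.gaierror:
            return False, "unresolvable host"
    for address in addresses:             # every answer must be acceptable
        if is_blocked_address(address):
            return False, "resolves to blocked address %s" % address
    return True, "ok"


# Constructed resolver table so the example runs offline. evil.example
# answers with a public and a link-local address, as a rebinding setup would.
_FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "evil.example": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host, port):
    if host not in _FAKE_DNS:
        raise socket.gaierror("constructed: unknown host")
    return [(None, None, None, None, (ip, 0)) for ip in _FAKE_DNS[host]]


def demo():
    urls = [
        "https://example.com/page",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://[::ffff:169.254.169.254]/",
        "http://evil.example/",
        "file:///etc/passwd",
    ]
    return {u: check_outbound_url(u, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, (allowed, reason) in demo().items():
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```

A pre-check like this is only half the fix: the address it approved must be the one the HTTP client connects to, or a rebinding answer between check and connect wins. Pair it with the platform-side controls the notes go on to describe (metadata concealment and Workload Identity on GKE) so that the metadata endpoint is not reachable from the pod in the first place.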

Real World Case

SSRF in Exchange leads to ROOT access in all instances

How to prevent it in GCP

  • DEST: avoid pods get Boot…

Metadata concealment & Workload Identity

Workload identity

The container's auth asks the GCP IAM service for data
Pod -> DaemonSet

Misconfig (Host Network) -> Bypass

Pod container to Metadata Service

Shielded GKE nodes

  • Shielded VMs: use a vTPM to attest the integrity of the VM
    • prevent rootkit

Beyond help

A limitation Google does not mention, but a problem we found

If the TPM is accidentally given too high privileges or mounted somewhere else, the metadata can still be reached

Misconfiguration

Demo

Obtain the key and cert

ls /var/lib/kubelet/pki

kubelet-client.lock

kubectl --certificate-authority ...

Defense

NIST CSF: the five functions

  • Identify
    • Rule
      • Scout Suite
      • SkyArk
      • Cloudsplaining
      • Prowler
    • Graph
      • Principal Mapper
      • CloudMapper
      • awspx
    • SAST for IaC
      • terrascan
      • checkov
  • Protect
    • MFA
    • fail2ban
    • IAM
      • Policy Sentry
      • IAM Access Analyzer
      • iamlive
      • Repokid
  • Detect
    • Falco
      • API Log
        • AWS CloudTrail
        • CloudTracker
      • Config
        • Security Monkey
      • AWS Config
  • Respond
    • SOAR
    • IR Tool
  • Recover
    • AWS Backup
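The Detect row lists AWS CloudTrail. As an added example, written for these notes and not taken from the talk or from CloudTracker, here is a Python rule set that runs over CloudTrail records and flags the IAM moves from the attack-pattern section: an access key created for a different user, a policy version swapped in with SetDefaultPolicyVersion (and the other permission-changing calls), and a Lambda function created with a role, which is the PassRole step. The records are constructed and abbreviated to the fields the rules read; the account id 123456789012 is a placeholder.

```python
import json

# IAM calls that change what a principal is allowed to do. Outside an
# approved change window every one of them deserves a look.
PERMISSION_CHANGE_EVENTS = {
    "SetDefaultPolicyVersion", "CreatePolicyVersion",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup",
}


def analyze_event(event):
    """Return a list of finding strings for one CloudTrail record."""
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    caller = event.get("userIdentity", {}).get("userName", "<unknown>")
    params = event.get("requestParameters") or {}   # null in some records
    findings = []

    if source == "iam.amazonaws.com":
        if name == "CreateAccessKey":
            # userName is omitted when a user creates a key for itself;
            # a key minted for someone else is the persistence move in the notes.
            target = params.get("userName", caller)
            if target != caller:
                findings.append("%s created an access key for %s" % (caller, target))
        elif name in PERMISSION_CHANGE_EVENTS:
            subject = (params.get("policyArn") or params.get("roleName")
                       or params.get("userName") or params.get("groupName") or "?")
            findings.append("%s called iam:%s on %s" % (caller, name, subject))

    # CloudTrail records the versioned Lambda API name, e.g. CreateFunction20150331.
    if (source == "lambda.amazonaws.com" and name.startswith("CreateFunction")
            and params.get("role")):
        findings.append("%s created Lambda %s with role %s (PassRole)"
                        % (caller, params.get("functionName", "?"), params["role"]))
    return findings


def scan(events):
    """Run analyze_event over a list of records and concatenate the findings."""
    findings = []
    for event in events:
        findings.extend(analyze_event(event))
    return findings


# Constructed sample records (subset of CloudTrail fields). A real trail file
# wraps them as {"Records": [...]}.
SAMPLE_EVENTS = json.loads("""
[
  {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"userName": "bob"}},
  {"eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/DevPolicy",
                         "versionId": "v2"}},
  {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"functionName": "helper",
                         "role": "arn:aws:iam::123456789012:role/Role2"}},
  {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"}},
  {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "requestParameters": null}
]
""")

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Three of the five constructed records produce an alert; the S3 read and bob's self-issued key do not. In production the same rules would be fed from the trail's `Records` array, with an allow-list for the deployment principals that legitimately call CreateFunction with a role.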

IAM attack Pattern & awspx

  • awspx is essentially the AWS counterpart of Blood…

Recommended reading

  • Cloud Security Orienteering
    How to rapidly understand and secure a cloud environment

Conclusion

  • Identity Perimeter
  • Network Perimeter
  • Hosted Applications/Services
  • Blue team tools organised around the NIST CSF