Today, we announce the release of a second version of the threat matrix for storage services, a structured tool that assists in identifying and analyzing potential security threats on data stored in cloud storage services. The matrix, first released in April 2021 as detailed in the blog post Threat matrix for storage services, lays out a rich set of attack techniques mapped to a well-known set of tactics described by MITRE’s ATT&CK® framework and comprehensive knowledge base, allowing defenders to more efficiently and effectively adapt and respond to new techniques.
Cybercriminals target cloud storage accounts and services for numerous purposes, such as accessing and exfiltrating sensitive data, gaining network footholds for lateral movement, enabling access to additional resources, and deploying malware or engaging in extortion schemes. To combat such threats, the updated threat matrix provides better coverage of the attack surface by detailing several new initial access techniques. The matrix further provides visibility into the threat landscape by detailing several novel attacks unique to cloud environments, including some not yet observed in real attacks. The new version of the matrix is available at: https://aka.ms/StorageServicesThreatMatrix
Of the new techniques detailed in this blog, several noteworthy examples include:
- Object replication – Allows attackers to maliciously misuse the object replication feature in both directions by either using outbound replication to exfiltrate data from a target storage account or using inbound replication to deliver malware to the target account.
- Operations across geo replicas – Helps attackers evade defenses by distributing operations across geographical copies of storage accounts. Security solutions may only have visibility into parts of the attack and may not detect enough activity in a single region to trigger an alert.
- Static website – Allows attackers to exfiltrate data using the “static website” feature, a feature provided by major storage cloud providers that can often be overlooked by less experienced users.
In this blog post, we’ll introduce new attack techniques that have emerged since our last analysis and cover the various stages of a potential attack on cloud storage accounts.
New techniques in the matrix
1. Reconnaissance
Reconnaissance consists of techniques that involve attackers actively or passively gathering information that can be used to support targeting.
DNS/Passive DNS – Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force techniques to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).
Victim-owned websites – Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.
2. Initial access
Initial access consists of techniques that use various entry vectors to gain their initial foothold on a storage account. Once achieved, initial access may allow for continued access, data exfiltration, or lateral movement through a malicious payload that is distributed to other resources.
SFTP credentials – Attackers may obtain and abuse credentials of an SFTP (Secure File Transfer Protocol) account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connections require SFTP accounts, which are managed locally in the storage service instance, including credentials in the form of passwords or key-pairs.
NFS access – Attackers may perform initial access to a storage account using the NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.
SMB access – Attackers may perform initial access to a storage account’s file shares using the Server Message Block (SMB) protocol.
Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim’s container to the adversary’s container. Inbound replication can be used to deliver malware from an adversary’s container to a victim’s container. After the policy is set, the attacker can operate on their container without accessing the victim container.
3. Persistence
Persistence consists of techniques that attackers use to keep access to the storage account despite changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems.
Create SAS Token – Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts, thus they cannot be revoked (except Service SAS) and it’s not easy to determine whether there are valid tokens in the wild until they are used.
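Because the storage service itself does not track issued SAS tokens, a defender has to assess any SAS URL found in configuration files, scripts or logs on its own terms. As an added example (not code from the blog or from Microsoft), the Python function below parses the documented SAS query parameters (`ss`, `sr`, `sp`, `se`, `si`) and reports the properties that make a token a durable credential: a long expiry, modifying permissions, and no revocation path short of key rotation. The sample URL, the permission letters treated as modifying and the seven-day limit are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Permission letters treated as "modifying" for this check (assumption).
MODIFYING_PERMS = set("acwdx")

# Constructed sample: an account SAS with broad permissions expiring in 2030.
SAMPLE_SAS = ("https://contoso.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco"
              "&sp=rwdlac&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")

def _parse_expiry(se: str) -> datetime:
    """'se' is ISO 8601 UTC, either a bare date or a full timestamp ending in Z."""
    dt = datetime.fromisoformat(se.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_sas(sas: str, now: Optional[datetime] = None, max_days: int = 7) -> dict:
    """Classify a SAS URL or bare query string and list the properties that make
    it a durable credential: long expiry, modifying permissions, no revocation path."""
    now = now or datetime.now(timezone.utc)
    query = urlsplit(sas).query if "?" in sas else sas
    q = {k: v[0] for k, v in parse_qs(query).items()}
    kind = "account" if "ss" in q else "service"   # ss = signed services (account SAS only)
    perms = set(q.get("sp", ""))
    findings, days_left = [], None
    if "se" in q:
        days_left = (_parse_expiry(q["se"]) - now).total_seconds() / 86400
        if days_left > max_days:
            findings.append(f"expires in {days_left:.0f} days (limit {max_days})")
    else:
        findings.append("no expiry in token; lifetime comes from a stored access policy")
    modifying = perms & MODIFYING_PERMS
    if modifying:
        findings.append("modifying permissions: " + "".join(sorted(modifying)))
    if kind == "account":
        findings.append("account SAS: revocable only by rotating the signing key")
    elif "si" not in q:   # si = stored access policy identifier
        findings.append("service SAS without stored access policy: revocable only by key rotation")
    return {"kind": kind, "days_left": days_left, "findings": findings}

if __name__ == "__main__":
    for line in assess_sas(SAMPLE_SAS)["findings"]:
        print(line)
```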
Container access level property – Attackers may adjust the container access level property at the granularity of a blob or container to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.
SFTP account – Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.
Trusted Azure services – Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.
Trusted access based on a managed identity – Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.
Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network’s address range. All requests sent to the private endpoint bypass the storage account firewall by design.
4. Defense evasion
The defense evasion tactic consists of techniques that are used by attackers to avoid detection and hide their malicious activity.
Disable audit logs – Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.
Disable cloud workload protection – Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.
Private endpoint – Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned a private IP address within the virtual network’s address range. All requests sent to the private endpoint bypass the storage account firewall by design.
Operations across geo replicas – Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.
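The countermeasure to splitting requests across geo replicas is to correlate audit records per caller across the primary and secondary endpoints before applying a threshold. As an added example (not code from the blog or from Microsoft), the Python function below folds the read-access secondary host name, which Azure forms as `<account>-secondary`, back onto its primary account and flags callers whose combined count crosses a threshold that no single region reached. The log records and the threshold are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample resembling storage audit log records: one caller lists
# blobs on the primary endpoint and on the RA-GRS secondary endpoint, keeping
# each side under a per-region threshold of 10.
SAMPLE_LOG = (
    [{"caller": "svc-reporting@contoso", "host": "contoso.blob.core.windows.net",
      "operation": "ListBlobs"}] * 6
    + [{"caller": "svc-reporting@contoso", "host": "contoso-secondary.blob.core.windows.net",
        "operation": "ListBlobs"}] * 6
    + [{"caller": "alice@contoso", "host": "contoso.blob.core.windows.net",
        "operation": "GetBlob"}] * 3
)

def account_of(host: str) -> str:
    """Fold the secondary endpoint host name back onto its primary account name."""
    name = host.split(".")[0]
    return name[: -len("-secondary")] if name.endswith("-secondary") else name

def correlate_across_replicas(records, threshold: int) -> dict:
    """Count operations per (caller, account, operation) across every replica host.
    A (caller, account, operation) is marked as split evasion when the combined
    total reaches the threshold but no single host did."""
    per_key = defaultdict(Counter)
    for r in records:
        key = (r["caller"], account_of(r["host"]), r["operation"])
        per_key[key][r["host"]] += 1
    findings = {}
    for key, by_host in per_key.items():
        total = sum(by_host.values())
        regional_hit = max(by_host.values()) >= threshold   # a single-region rule would fire
        findings[key] = {
            "by_host": dict(by_host),
            "total": total,
            "regional_hit": regional_hit,
            "split_evasion": total >= threshold and not regional_hit,
        }
    return findings

if __name__ == "__main__":
    for key, info in correlate_across_replicas(SAMPLE_LOG, 10).items():
        if info["split_evasion"]:
            print("split across replicas:", key, info["by_host"])
```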
5. Credential access
Credential access consists of techniques for stealing credentials like account names and passwords. Using legitimate credentials can give adversaries access to other resources, make them harder to detect, and provide the opportunity to help achieve their goals.
Unsecured communication channel – Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When a storage account is configured to support an unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.
6. Discovery
Discovery consists of techniques attackers may use to gain knowledge about the service. These techniques help attackers observe the environment and orient themselves before deciding how to act.
Account configuration discovery – Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuration may also contain the backup policy that may assist the attacker in performing data destruction.
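The configuration details that help an attacker orient are the same ones a defender should audit: the settings behind the persistence techniques above (trusted services bypass, instance rules by managed identity, private endpoints, anonymous container access, SFTP) and the unsecured communication channel (HTTP allowed). As an added example (not code from the blog or from Microsoft), the Python check below reads a Microsoft.Storage storage account `properties` block and reports each setting that enables one of those techniques. The property names are the ARM ones; the sample values and placeholder resource ID are constructed.

```python
import json

# Constructed sample of a storage account's "properties" block with several
# of the settings the matrix techniques rely on left in a weak state.
SAMPLE_PROPERTIES = json.loads("""{
  "supportsHttpsTrafficOnly": false,
  "allowBlobPublicAccess": true,
  "isSftpEnabled": true,
  "isNfsV3Enabled": false,
  "networkAcls": {
    "defaultAction": "Deny",
    "bypass": "AzureServices, Logging",
    "resourceAccessRules": [
      {"tenantId": "00000000-0000-0000-0000-000000000000",
       "resourceId": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.Synapse/workspaces/ws"}
    ]
  },
  "privateEndpointConnections": [{"name": "pe-unexpected-vnet"}]
}""")

def audit_storage_config(props: dict) -> dict:
    """Return {setting: explanation} for every setting that enables a technique
    from the persistence or credential access sections of the matrix."""
    findings = {}
    acls = props.get("networkAcls") or {}
    if not props.get("supportsHttpsTrafficOnly", True):
        findings["supportsHttpsTrafficOnly"] = "HTTP allowed: credentials can cross the wire unprotected"
    if props.get("allowBlobPublicAccess", False):
        findings["allowBlobPublicAccess"] = "containers or blobs may be set to anonymous read access"
    if props.get("isSftpEnabled", False):
        findings["isSftpEnabled"] = "local SFTP accounts (outside RBAC and key rotation) can exist"
    if props.get("isNfsV3Enabled", False):
        findings["isNfsV3Enabled"] = "NFS access needs no authentication from allowed networks"
    if acls.get("defaultAction") == "Allow":
        findings["networkAcls.defaultAction"] = "firewall allows all source addresses"
    bypass = {b.strip() for b in acls.get("bypass", "").split(",")}
    if "AzureServices" in bypass:
        findings["networkAcls.bypass"] = "trusted Azure services in the subscription bypass the firewall"
    rules = acls.get("resourceAccessRules") or []
    if rules:
        findings["networkAcls.resourceAccessRules"] = (
            "instance rules by managed identity: " + ", ".join(r["resourceId"] for r in rules))
    endpoints = props.get("privateEndpointConnections") or []
    if endpoints:
        findings["privateEndpointConnections"] = (
            "private endpoints bypass the firewall: " + ", ".join(p["name"] for p in endpoints))
    return findings

if __name__ == "__main__":
    for setting, why in audit_storage_config(SAMPLE_PROPERTIES).items():
        print(f"{setting}: {why}")
```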
7. Exfiltration
Exfiltration consists of techniques that attackers may use to extract data from storage accounts. These may include transferring data to another cloud storage outside of the victim account and may also include putting size limits on the transmission.
Static website – Attackers may use the “static website” feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account.
Object replication – Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. Outbound replication can serve as an exfiltration channel of customer data from a victim’s container to an adversary’s container.
Conclusion
As the amount of data stored in the cloud continues to grow, so does the need for robust security measures to protect it. Microsoft Defender for Cloud can help detect and mitigate threats on your storage accounts. Defender for Storage is powered by Microsoft Threat Intelligence and behavior modeling to detect anomalous activities such as sensitive data exfiltration, suspicious access, and malware uploads. With agentless at-scale enablement, security teams are empowered to remediate threats with contextual security alerts, remediation recommendations, and configurable automations. Learn more about Microsoft Defender for Cloud support for storage security.
Evgeny Bogokovsky
Microsoft Threat Intelligence
Originally published by Microsoft Threat Intelligence: Cloud storage security: What’s new in the threat matrix