Data from Cloud Storage

Adversaries may access data from cloud storage.

Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform.

In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly through the Cloud API. In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., Data from Information Repositories).

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.[1][2][3] There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.[4][5][6][7]

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

ID: T1530
Sub-techniques: T1530.001, T1530.002, T1530.003, T1530.004
Tactic: Collection
Platforms: IaaS, Office Suite, SaaS
Contributors: AppOmni; Arun Seelagan, CISA; Netskope; Praetorian
Version: 2.2
Created: 30 August 2019
Last Modified: 14 October 2024

Concealment Effects

Effect type  Present
Signature Disguise
Behavioral Transparency
Data Obscuration
Spatiotemporal Trace Dispersion

Signature Disguise

Adversaries achieve protocol-layer concealment by closely mimicking the behavioral characteristics of legitimate users. In multi-tenant API call obfuscation, malicious requests are split into sequences of API calls that match the business patterns of different tenants, using the generic nature of standard cloud service interfaces to mask the attack's intent. Metadata disguise tampers with request header fields so that data theft operations appear in logs as configuration management events, confusing the protocol-level semantics on which signatures rely.

Data Obscuration

Some sub-techniques (such as low-frequency, batched data extraction) use the transport encryption offered by the cloud provider (such as TLS 1.3) or third-party encryption tools to encrypt the stolen data end to end, so that defenders cannot recover meaningful content through traffic analysis. Adversaries may also exploit the data chunking mechanisms of cloud storage services, embedding sensitive information within otherwise normal file chunks to further hinder content identification.

Spatiotemporal Trace Dispersion

A low-frequency batching strategy breaks a centralized data theft task into long-period, small-volume discrete operations and combines it with scheduling across nodes in different time zones, so that each individual action stays below detection thresholds. Multi-tenant API call obfuscation leverages the globally distributed architecture of cloud environments so that attack traffic appears spread across many geographic regions, defeating traditional detection models based on IP geo-clustering.

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can collect files from a user’s OneDrive.[8]

C0027 C0027

During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[9]

G0117 Fox Kitten

Fox Kitten has obtained files from the victim's cloud storage instances.[10]

S1091 Pacu

Pacu can enumerate and download files stored in AWS storage services, such as S3 buckets.[11]

S0683 Peirates

Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.[12]

G1015 Scattered Spider

Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes.[13]

Mitigations

ID Mitigation Description
M1047 Audit

Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.[1]
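As an added example that is not from the ATT&CK page or any vendor tool, the following Python checks a bucket policy document and an ACL for the open-access patterns this mitigation targets: Allow statements granted to a wildcard principal and ACL grants to the AllUsers or AuthenticatedUsers groups. The sample policy, ACL, bucket name and account ID are constructed.

```python
import json

# Canned-ACL grantee URIs that AWS uses for anonymous and any-authenticated-account access.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _is_wildcard_principal(principal) -> bool:
    """True when a statement's Principal means 'anyone': "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def open_policy_statements(policy: dict) -> list:
    """(Sid, actions, has_condition) for each Allow statement granted to a wildcard principal.
    A Condition (aws:SourceIp, aws:PrincipalOrgID, ...) may still scope the grant, so such
    statements are reported for review rather than silently accepted."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action")), "Condition" in stmt))
    return findings


def open_acl_grants(acl: dict) -> list:
    """(grantee, permission) for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [(PUBLIC_GRANTEES[g["Grantee"]["URI"]], g.get("Permission"))
            for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


# Constructed samples: a bucket policy document and a get_bucket_acl-style response.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
 {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(open_policy_statements(SAMPLE_POLICY), open_acl_grants(SAMPLE_ACL))
```

In a real audit the two documents would come from the provider API for every bucket; the PublicRead statement is the unconditional exposure, while OfficeOnly is flagged only because a wildcard principal under a Condition deserves a human look.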

M1041 Encrypt Sensitive Information

Encrypt data stored at rest in cloud storage.[1][2] Managed encryption keys can be rotated by most providers. At a minimum, ensure that the incident response plan for a storage breach includes rotating the keys, and test for impact on client applications.[14]

M1037 Filter Network Traffic

Cloud service providers support IP-based restrictions when accessing cloud resources. Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.

M1032 Multi-factor Authentication

Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.[1]

M1022 Restrict File and Directory Permissions

Use access control lists on storage systems and objects.

M1018 User Account Management

Configure user permissions groups and roles for access to cloud storage.[2] Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.[1] Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.[15]

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Metadata

Monitor M365 Audit logs for TeamsSessionStarted Operations against MicrosoftTeams workloads involving suspicious ClientIPs and suspect accounts (UserId).

Analytic 1 - Sessions initiated from unusual IP addresses, high volume of sessions from a single account, sessions at unusual times

index="m365_audit_logs" Operation="TeamsSessionStarted" | stats count by UserId, ClientIP, CreationTime | where ClientIP!="expected_ip" OR UserId!="expected_user" | sort CreationTime
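As an added example that is not part of the ATT&CK page, the Python below applies Analytic 1 to constructed M365 audit records and goes one step further than the query by also counting distinct source IPs per account over the window, which surfaces session activity spread across many addresses. The expected IP range, business hours, thresholds and sample records are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed environment parameters (tune to your own): expected egress ranges, business hours
# in the log's time zone, and per-account thresholds for the audit window.
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59
MAX_SESSIONS_PER_USER = 2
MAX_DISTINCT_IPS_PER_USER = 2

# Constructed records in the shape of M365 unified audit log entries (fields trimmed).
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-06T09:12:00", "Operation": "TeamsSessionStarted", "UserId": "alice@example.com", "ClientIP": "198.51.100.10"},
    {"CreationTime": "2024-05-06T09:30:00", "Operation": "FileDownloaded", "UserId": "alice@example.com", "ClientIP": "198.51.100.10"},
    {"CreationTime": "2024-05-06T02:41:00", "Operation": "TeamsSessionStarted", "UserId": "bob@example.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-06T03:05:00", "Operation": "TeamsSessionStarted", "UserId": "bob@example.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-06T10:00:00", "Operation": "TeamsSessionStarted", "UserId": "carol@example.com", "ClientIP": "198.51.100.22"},
    {"CreationTime": "2024-05-06T10:20:00", "Operation": "TeamsSessionStarted", "UserId": "carol@example.com", "ClientIP": "192.0.2.99"},
    {"CreationTime": "2024-05-06T11:00:00", "Operation": "TeamsSessionStarted", "UserId": "carol@example.com", "ClientIP": "192.0.2.150"},
]


def _expected_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)


def teams_session_findings(events) -> dict:
    """Analytic 1 over TeamsSessionStarted records: sessions from IPs outside the expected
    ranges, sessions outside business hours, and accounts with many sessions or many distinct
    source IPs in the window. Returns {UserId: sorted list of reasons}; clean accounts are absent."""
    reasons, sessions, ips = defaultdict(set), defaultdict(int), defaultdict(set)
    for e in events:
        if e.get("Operation") != "TeamsSessionStarted":
            continue
        user, ip = e["UserId"], e["ClientIP"]
        sessions[user] += 1
        ips[user].add(ip)
        if not _expected_ip(ip):
            reasons[user].add(f"unexpected ClientIP {ip}")
        if datetime.fromisoformat(e["CreationTime"]).hour not in BUSINESS_HOURS:
            reasons[user].add(f"session outside business hours at {e['CreationTime']}")
    for user, n in sessions.items():
        if n > MAX_SESSIONS_PER_USER:
            reasons[user].add(f"{n} sessions in window")
        if len(ips[user]) > MAX_DISTINCT_IPS_PER_USER:
            reasons[user].add(f"{len(ips[user])} distinct source IPs in window")
    return {user: sorted(r) for user, r in reasons.items()}
```

Run over a longer window than the query's default, the per-account session and distinct-IP counts are what catch activity deliberately kept small and geographically spread per event.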

DS0010 Cloud Storage Cloud Storage Access

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set and are allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

References