| ID | Name |
|---|---|
| T1537.001 | Multi-Cloud-Account Data Sharding and Aggregation |
Transfer Data to Cloud Account refers to adversaries using a cloud service provider's native features to move stolen data into a cloud account under their control. The technique abuses the cloud platform's data-sharing APIs, backup services and cross-account transfer mechanisms to evade traditional exfiltration detection that relies on network-perimeter monitoring. Defensive measures focus on monitoring anomalous data sharing between accounts, analyzing cloud logs for suspicious API calls (such as ModifySnapshotAttribute events in AWS CloudTrail) and reviewing the issuance records of temporary access credentials.
In response to improved exfiltration detection in cloud environments, adversaries have developed highly covert data transfer techniques. By adapting closely to cloud service architecture, strictly conforming to protocol specifications and using encrypted communication, they hide malicious exfiltration within the vast volume of legitimate cloud operations, creating a new mode of data theft that matches legitimate activity in both form and substance.
The core innovation of current trace-hiding techniques for cloud account data transfer lies in reverse-exploiting the cloud service ecosystem and impersonating it at the protocol level. Adversaries achieve covert exfiltration through technical evolution along several dimensions. First, protocol-compliant reconstruction: precisely mimicking the API call patterns of the cloud platform's SDK so that malicious requests are indistinguishable from legitimate operations in authentication mechanism and parameter structure. Second, internalized transfer paths: moving data over the cloud provider's internal network infrastructure (such as AWS PrivateLink or Azure VNet peering) to avoid triggering internet-egress monitoring. Third, blending with task scheduling: using cloud-native orchestration tools (such as Kubernetes CronJobs or AWS Step Functions) to automate exfiltration tasks so that their behavioral profile matches the enterprise's DevOps processes. Together these techniques build a covert exfiltration channel closely fitted to the characteristics of the cloud environment.
The evolution of trace-hiding techniques forces defenders to move beyond the traditional network-layer monitoring paradigm toward deep behavioral analysis of cloud-native logs. Effective identification of covert data transfer in complex cloud environments requires cross-account and cross-service correlated auditing, detection models built on anomalies in cloud API call sequences, and closer monitoring of the issuance cycle of temporary access credentials.
| Effect type | Present |
|---|---|
| Signature disguise | ✅ |
| Behavioral transparency | ❌ |
| Data obscuring | ❌ |
| Spatio-temporal trace dispersal | ✅ |
By strictly following the cloud provider's API specification, adversaries make data transfer requests identical to legitimate operations in protocol structure, authentication token format and encryption algorithm, for example by using the official SDK to generate standard HTTPS requests or by mimicking the execution pattern of routine backup jobs in enterprise operations. This deep protocol mimicry gives exfiltration traffic the characteristics of legitimate business interaction at both the transport and application layers, effectively evading detection systems based on API fingerprinting.
Through sharded transfer across multiple cloud accounts and low-frequency scheduling, adversaries break a concentrated exfiltration into many low-intensity, long-period, dispersed tasks: for example, transferring encrypted data fragments weekly through different cloud accounts and using the high bandwidth of the provider's internal network to complete each transfer quickly, so that the signature of any single action is diluted in normal cross-cloud business traffic. This spatio-temporal dispersal significantly increases the difficulty of behavioral correlation analysis for defenders.
| ID | Name | Description |
|---|---|---|
| G1032 | INC Ransom | INC Ransom has used Megasync to exfiltrate data to the cloud.[1] |
| G1039 | RedCurl | RedCurl has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltrate data to Mega, a file storage service.[2][3] |
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.[4][5] |
| M1037 | Filter Network Traffic | Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs. |
| M1054 | Software Configuration | Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.[6][7] |
| M1018 | User Account Management | Limit user account and IAM policies to the least privileges required. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor logs for SaaS applications to detect instances of data being shared inappropriately. For example, in Microsoft 365, file sharing events will appear in Audit logs under the event names |
| DS0010 | Cloud Storage | Cloud Storage Creation | Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts. |
| DS0010 | Cloud Storage | Cloud Storage Metadata | Periodically baseline cloud storage infrastructure to identify malicious modifications or additions. |
| DS0010 | Cloud Storage | Cloud Storage Modification | Monitor for anomalous file transfer activity between accounts and/or to untrusted/unexpected VPCs. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor network traffic content for evidence of data exfiltration, such as gratuitous or anomalous internal traffic containing collected data. Consider correlation with process monitoring and command lines associated with collection and exfiltration. |
| DS0020 | Snapshot | Snapshot Creation | Monitor account activity for attempts to create and share data, such as snapshots or backups, with untrusted or unusual accounts. |
| DS0020 | Snapshot | Snapshot Metadata | Periodically baseline snapshots to identify malicious modifications or additions. |
| DS0020 | Snapshot | Snapshot Modification | Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. |