The MITRE ATT&CK® framework provides a comprehensive matrix detailing the tactics and techniques adversaries employ during cyber attacks on cloud environments.
But as recent attacks illustrate, hackers no longer need to tread the long and winding path described by the MITRE ATT&CK® framework. They can skip several steps and gain access to very sensitive information, all within a short time frame and without requiring extensive “hacking” know-how. How? By obtaining and abusing user credentials.
According to the MITRE ATT&CK® framework, the first phase of an attack is Initial Access. The objective of this phase is to gain entry into the cloud environment. It is then followed by 8 tactics (ranging from “Execution” to “Collection”) before the attackers can achieve their goal of exfiltrating data. However, recent attacks have shown that attackers can skip several of these steps with a devastating impact on their victims. One example of a “shortened” attack path is the attack against the hotel management platform Otelier. The attack occurred between July 2024 and October 2024 and resulted in 7.8 terabytes of customer data being stolen.
Analyzing this incident through the lens of the MITRE ATT&CK® Cloud Matrix reveals the following phases and techniques employed by the attackers:
- Initial Access: Valid Accounts (T1078): the attackers used compromised employee credentials to log in to Otelier’s Atlassian server.
- Credential Access: Unsecured Credentials (T1552, credentials left in files, wiki pages or tickets; T1555 “Credentials from Password Stores” covers password managers and OS keychains, which is not what happened here): after breaching the Atlassian server, the attackers found credentials for Otelier’s Amazon S3 storage. According to reports, Otelier’s Atlassian instance contained stored credentials that provided direct access to their S3 storage, which housed millions of hotel guest records.
- Discovery: Cloud Service Discovery (T1526): Attackers identified and accessed various cloud services, including the S3 buckets containing sensitive data.
- Collection: Data from Cloud Storage Object (T1530): Attackers gathered data from the compromised S3 buckets, which included personal information and reservation details.
- Exfiltration: Exfiltration Over Web Service (T1567): the collected data, totaling 7.8 terabytes, was exfiltrated from the cloud storage. (The actual exfiltration method has not been published; T1567 is the most likely mapping.)
This sequence illustrates a common attack progression in cloud environments, emphasizing the ease of initial entry and data exfiltration.
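The Collection and Exfiltration steps above leave a trace that a defender can alert on: one principal, from one source address, reading an unusual volume of objects from a bucket that holds guest records. The following is an added example, not code from the original post and not a Skyhawk product feature. It runs a simple volume-based detection over constructed CloudTrail-style S3 data events; the bucket name, the IAM user names, the IP addresses and the threshold are all assumptions chosen for illustration.

```python
"""Flag bulk reads of a sensitive S3 bucket by a (principal, source IP) pair
that is not on the known baseline.

The events below are constructed to mimic the shape of CloudTrail S3 data
events; they are not real logs from any incident.
"""
from collections import Counter

SENSITIVE_BUCKETS = {"guest-records-prod"}   # assumed name of the crown-jewel bucket
KNOWN_SOURCE_IPS = {"10.20.0.5"}             # assumed in-house ETL host that legitimately reads it
READ_THRESHOLD = 3                           # assumed: tune per bucket from normal traffic
READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}


def _evt(user, ip, bucket, name="GetObject"):
    """Build a minimal record using the field names CloudTrail really emits."""
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {"bucketName": bucket},
    }


# Constructed sample: a normal ETL job, a key lifted from a wiki page being
# used from an outside address, and unrelated traffic to another bucket.
SAMPLE_EVENTS = (
    [_evt("etl-reader", "10.20.0.5", "guest-records-prod") for _ in range(5)]
    + [_evt("atlassian-backup", "203.0.113.77", "guest-records-prod") for _ in range(4)]
    + [_evt("atlassian-backup", "203.0.113.77", "guest-records-prod", "ListObjectsV2")]
    + [_evt("dev", "203.0.113.9", "static-assets")]
)


def s3_read_counts(events):
    """Count read operations on sensitive buckets per (principal, source IP)."""
    counts = Counter()
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        if e.get("eventName") not in READ_EVENTS:
            continue
        bucket = e.get("requestParameters", {}).get("bucketName")
        if bucket not in SENSITIVE_BUCKETS:
            continue
        ident = e.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("arn") or ident.get("type")
        counts[(principal, e.get("sourceIPAddress"))] += 1
    return counts


def flag_bulk_reads(events, threshold=READ_THRESHOLD, known_ips=KNOWN_SOURCE_IPS):
    """Return (principal, ip, count) triples over the threshold from unknown IPs."""
    return sorted(
        (user, ip, n)
        for (user, ip), n in s3_read_counts(events).items()
        if n >= threshold and ip not in known_ips
    )


if __name__ == "__main__":
    for user, ip, n in flag_bulk_reads(SAMPLE_EVENTS):
        print(f"ALERT: {user} from {ip} read a sensitive bucket {n} times")
```

Two caveats a practitioner should keep in mind: CloudTrail does not record S3 object-level calls such as GetObject unless data event logging is enabled for the bucket (management events alone would show nothing here), and a count threshold is only a starting point. A principal that never touched the bucket before, or a known principal appearing from a new address, is the stronger signal, which is why the baseline is keyed on the pair rather than on the user alone.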
Obtaining credentials for initial access is easier than you think
Looking at the full attack path suggested by MITRE, it seems like most of the attacker’s energy would be focused on lateral movement within the cloud environment, creating user accounts, evading detection, etc. But the path and length of this attack (three months) show that none of that was needed: the attackers spent most of their energy on obtaining credentials.
One of the techniques used for initial access is phishing: “Deceiving users into providing credentials or clicking malicious links, or granting attackers access to cloud accounts”. This is easier than most people think. Technology company GitLab ran an internal phishing campaign against its own employees with the intent of capturing GitLab.com credentials via a fake login page. According to the company, 20% of the targeted employees were fooled by emails sent from a look-alike domain (gitlab.company) asking them to click a link to accept an upgrade. The link took them to the fake gitlab.company website, where they were asked to enter their login details. Since these are employees of a technology company with relatively high awareness levels, it is reasonable to assume that the percentage of employees in other sectors who would carelessly hand their credentials to attackers would be even higher.
Simulating the ease of obtaining credentials
While it might be impossible to secure all credentials, an organization must still work harder to secure its crown jewels. In the case of this attack, the crown jewels were hotel guest records containing personal information, including the names, email addresses, phone numbers and addresses of millions of customers. Companies might not be able to prevent credential theft, but what about the ease of obtaining credentials and then hopping to other systems? In this case, the credentials for Otelier’s Amazon S3 storage were conveniently stored in its Atlassian server. How could companies prepare for such scenarios?
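One concrete preparation is to find the credentials before an attacker does: export the wiki and ticket content that employees can read and scan it for cloud keys. The following is an added example, not code from the original post and not a Skyhawk product feature. It scans constructed page text for AWS access key IDs, distinguishes long-lived IAM user keys (AKIA...) from temporary STS keys (ASIA...), and checks whether a matching secret key sits on the same page. The page titles and contents are made up; the access key and secret shown are the placeholder values AWS uses in its own documentation.

```python
"""Scan exported wiki/ticket text for AWS credentials left in the open.

SAMPLE_PAGES is constructed for this example and assumes a simple
title -> body export; adapt the loader to the real export format.
"""
import re

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 uppercase
# alphanumerics.  AKIA = long-lived IAM user key, ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-style characters; on its own that pattern
# is noisy, so only accept it within a short distance of an "aws...secret" label.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret[^\n]{0,20}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

SAMPLE_PAGES = {
    # Constructed: a runbook with a full long-lived key pair (AWS doc placeholders).
    "S3 backup runbook": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    # Constructed: a pasted temporary key with no secret on the page.
    "Deploy notes": "used ASIAQRSTUVWXYZ123456 for the one-off restore",
    # Constructed: no credentials at all.
    "Lunch menu": "Tuesday: tacos",
}


def redact(key_id):
    """Keep enough of the key ID to look it up in IAM without re-leaking it."""
    return key_id[:4] + "****" + key_id[-4:]


def scan_pages(pages):
    """Return one finding per page that contains an AWS access key ID."""
    findings = []
    for title, body in pages.items():
        key_ids = {m.group(0) for m in ACCESS_KEY_RE.finditer(body)}
        if not key_ids:
            continue
        has_secret = SECRET_KEY_RE.search(body) is not None
        for key_id in sorted(key_ids):
            kind = "long-lived" if key_id.startswith("AKIA") else "temporary"
            findings.append({
                "title": title,
                "key_id": redact(key_id),
                "kind": kind,
                "has_secret": has_secret,
                # A long-lived key with its secret beside it is exactly the
                # Otelier pattern: direct, durable access with no further hacking.
                "severity": "critical" if kind == "long-lived" and has_secret else "high",
            })
    return findings


if __name__ == "__main__":
    for f in scan_pages(SAMPLE_PAGES):
        print(f"[{f['severity']}] {f['title']}: {f['kind']} key {f['key_id']}"
              f"{' with secret' if f['has_secret'] else ''}")
```

Every hit should be verified against IAM (the unredacted key ID identifies the user) and then rotated, not merely deleted from the page, since the page history and any copies still hold it. The longer-term fix for the pattern is to stop handing out long-lived IAM user keys for S3 access at all and have workloads assume roles for short-lived credentials, so that a key found on a wiki page is worthless within the hour.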
Skyhawk’s AI-based Autonomous Purple Team enables a proactive approach to Cloud Security for the very first time.
Skyhawk Security’s Continuous Proactive Protection helps organizations discover their crown jewel assets, and then the GenAI-based red team and blue team see how defenses hold up against an attack. Since 70% of cyber attacks against cloud systems involve leaked or stolen credentials and access keys, it is crucial to simulate the potential “blast radius” and prepare the proper controls and detections in advance.
Recently announced, Interactive CDR adds another layer of control, an out of band verification by the cloud asset owner. It further improves cloud security operations with immediate verification of the alert.
Try Skyhawk Security for free today!