What we can expect from advanced threat actor groups in the new year.
By Jason Martin, Co-founder and Co-CEO at Permiso Security
In 2023, we started to witness a change in the way both attackers and defenders thought about cloud security. The days when attackers targeted a single service and stole data from an S3 bucket are almost a long-gone memory at this point – simpler times. Attackers got smart about who and what they targeted. Through purchased credentials and masterful reconnaissance, both initial and within SaaS environments, groups like LUCR-3 (Scattered Spider) were able to breach the environments of companies like MGM, Caesars, Clorox and others.
While advanced cloud threat actors showcased their skill at being able to gain access to cloud environments and move laterally, they also tipped their hand at what cloud supply chain attacks might look like in 2024.
Identity Providers Are Still the Bullseye for Cloud Attacks
Okta, Microsoft Entra ID (Azure AD) and JumpCloud all experienced breaches in 2023, with Okta perhaps suffering the brunt of customer exposure. Identity providers, while offering the convenience of centralized authentication, have proven to be a security risk to many organizations. If a threat actor gains access to a victim’s IdP instance, the impact is multicast because of the access they now have to every application that uses SSO through that IdP. If Okta itself is breached, this multicast effect is magnified exponentially, as the threat actor can now potentially access all of Okta’s customer environments. Adding to this risk is the increasing reliance on third parties and outsourced technical support teams for core help desk services. Threat actors have identified these organizations as prime targets from which to attack their downstream customer base, and they play a significant role in the increased risk associated with the cloud supply chain.
SaaS Providers Are Going to be Heavily Targeted in 2024
SaaS providers that have delegated access into customer environments via role assumption or persistent keys will see an increase in targeted attacks. Threat actors will continue to focus on cloud supply chain compromise to reach the downstream customers of those vendors. Similar to what we witnessed with Okta, other, non-IdP SaaS vendors present similar risks in the cloud’s supply chain. By compromising the vendor itself, threat actors can access all of the customer tenants it manages in its environment. If a threat actor were able to gain access to GitHub’s platform, for instance, they could have access to code signing certificates for the millions of customers that use it. If they were to compromise Jira, this could lead to the compromise of sensitive data belonging to hundreds of thousands of companies. Many SaaS infrastructure tools rely on access delegation, where the vendor is provided a credential within the customer environment which it can assume externally. If a threat actor were able to compromise one of these SaaS providers, they would gain access to those credentials, and through them to the SaaS provider’s customer environments. These cloud SaaS vendors not only have tens of thousands of customers that would be impacted downstream, but they are historically overprivileged. The P0 Labs team has found that more than 90% of the privileges granted to these vendors go unused, and attackers love nothing more than overprivileged accounts and identities. The stakes are high in SaaS.
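As an added illustration (not from the article or Permiso’s own tooling), the check below audits a constructed vendor-delegation role of the kind described above: it flags an external account trusted to assume the role without an sts:ExternalId condition, and it measures how much of the granted permission set the vendor never exercises. Account ids, ARNs, actions and usage data are all constructed.

```python
# Added example (not from the article): audit a constructed AWS IAM role that a SaaS vendor
# assumes into a customer account. Flags (1) trust statements that let an external account
# assume the role with no ExternalId condition, and (2) granted actions never used, mirroring
# the "more than 90% of privileges go unused" observation. All data below is constructed.
import json

OUR_ACCOUNT = "111111111111"  # constructed: the customer's own account id

# Constructed trust policy: vendor account 222222222222 may assume the role, no ExternalId.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::222222222222:role/VendorIntegration"},
                 "Action": "sts:AssumeRole"}]
}""")

# Constructed permissions attached to the role.
GRANTED_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:CreateUser",
                   "iam:AttachUserPolicy", "ec2:DescribeInstances", "ec2:TerminateInstances",
                   "kms:Decrypt", "secretsmanager:GetSecretValue", "cloudtrail:StopLogging"]

# Constructed usage data (e.g. derived from CloudTrail): actions the vendor actually invoked.
USED_ACTIONS = {"s3:GetObject"}


def external_principals_without_external_id(trust_policy, own_account=OUR_ACCOUNT):
    """Return external principal ARNs allowed to assume the role with no sts:ExternalId condition."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        for arn in principals:
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account != own_account and "sts:ExternalId" not in cond:
                findings.append(arn)
    return findings


def unused_privilege_ratio(granted, used):
    """Fraction of granted actions never exercised; a high value marks an overprivileged vendor role."""
    unused = sorted(set(granted) - set(used))
    return len(unused) / len(granted), unused


if __name__ == "__main__":
    print("external principals lacking ExternalId:", external_principals_without_external_id(TRUST_POLICY))
    ratio, unused = unused_privilege_ratio(GRANTED_ACTIONS, USED_ACTIONS)
    print(f"{ratio:.0%} of granted actions unused: {unused}")
```

In a real account the usage set would come from CloudTrail or IAM last-accessed data, and the trust policies from iam:GetRole across every role a vendor is allowed to assume.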
Could A Major Cloud Service Provider Get Compromised?
If we think about the supply chain in the cloud, there are perhaps no greater stakes than the cloud service providers like AWS, Azure and GCP. While these providers invest heavily in staff and tooling to secure their platforms, they can be just as vulnerable to the risk that lies in support entities and third-party contractors. It’s clear that threat groups are no longer interested in the diminishing returns of activities like crypto mining. Compromising a victim’s identity provider, SaaS applications or CI/CD instances allows threat actors to reach sensitive, valuable data in as little time as possible. If they are able to compromise the cloud vendors themselves, the supply chain impact would be disastrous. If they can compromise the cloud service providers themselves, the downstream impact would be catastrophic.
Enterprises Will Start to Seriously Rethink Their MFA
If advanced threat actor groups like LUCR-3 taught us anything in their attacks on cloud environments, it’s that MFA doesn’t provide the security guarantees we’d like to think it does. Through SIM swapping, phishing, and push fatigue, advanced threat actors have found ways around MFA over the last few years, especially at victim organizations that allow SMS as a second factor. We’re likely to see more companies move away from SMS-based authentication and accelerate movement toward solutions that rely on biometrics or hardware keys, as MFA bypass techniques will continue to evolve. Facial biometric technology and hardware keys such as YubiKeys, for example, offer better security guarantees and make bypass significantly more difficult. So how will threat actors adapt?
Threat Actor Groups Will Continue to Leverage AI for Evil
With the increase in the adoption of biometric security for MFA, there will be growth in the availability of toolkits that create deepfakes for voice- or video-based verification and for socially engineering the personnel involved in credential reset workflows. These toolkits, like many others today, will be readily available for purchase in underground markets. These deepfake assets will be critical in helping threat actors orchestrate sophisticated impersonation in social engineering attacks as part of their larger campaigns. Groups continue to be bolder and more sophisticated in their social engineering attacks, and, driven by their success in exploiting the human factor in enterprises, they will continue to do so. Many commercial platforms have gone to great lengths to prohibit the abuse of LLMs; however, this will create high demand among threat actors for nefarious ChatGPT-equivalent solutions without such safeguards. With the release of powerful open-source models and the acceleration of public-domain research, the barrier to creating, training, and maintaining bad-actor LLMs has never been lower.
In short, the attack patterns we saw in 2023 are most likely to continue into 2024. Modern cloud threat actors are moving away from activities like cryptomining that have proven less profitable in the last year or so and are gravitating toward more lucrative endeavors such as ransomware and extortion. Because MFA bypass has been a critical piece of gaining access to an environment, expect threat actors’ TTPs to keep pace with the measures put in place for more secure MFA, such as hardware keys and biometrics. It would appear that many advanced threat actor groups are starting to understand the cloud and the resources available to them that can be leveraged for their own gain. They will continue to orchestrate more elaborate campaigns against SaaS and cloud service providers that yield larger gains than typical attacks against a single victim or tenant. As always, it’s the responsibility of security teams to account for how threat actors’ TTPs are evolving and to construct policies and plans that better address those threats.
About the Author
I am Jason Martin, Co-founder and Co-CEO at Permiso Security, with 25+ years in cybersecurity. Conference organizer (Shakacon), author, investor, and formerly EVP, Products & Engineering at FireEye/Mandiant. I can be reached on LinkedIn and at our company website, permiso.io.
Source: www.cyberdefensemagazine.com