From the Trenches: Common-Sense Measures to Prevent Cloud Incidents - Part 1
Written by Omri Segev Moyal & Brenton Morris, Profero - Rapid IR
As an incident response team, we see a lot of cloud breaches that could have been prevented. Adequate protection requires in-depth knowledge of the cloud provider and its APIs, and ample preparation. When a company is under time pressure, or its engineers have not been retrained after a cloud migration, gaps open up. Whatever the reason, many cloud attacks can be avoided with basic measures; in the following case studies, we offer advice on how.
This post is by no means a comprehensive guide to creating secure cloud environments. Rather, the examples included illustrate common weaknesses we encounter during our engagements, and steps companies can take to bolster their defenses.
SystemdMiner running in GCP
A healthcare provider contacted us after they received a GCP alert about one of their Linux instances. We carried out a forensic analysis of the instance in question and found a variant of SystemdMiner running on it. The miner is a series of obfuscated bash scripts that uses a cron job for persistence and includes a few other tricks to squeeze as much mining power out of an organization as possible before it is detected.
SystemdMiner attempts to use SaltStack to spread through an organization. If it is executed on a host that acts as a Salt master, it executes a base64-encoded payload on every minion the master can reach. It does this by running the salt command line:
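Hunting for that pattern after the fact, as an added example rather than the malware's own command or Profero's tooling: the script below flags shell command lines (from bash history, auditd execve records or a process listing) in which salt's cmd.run pipes a base64 blob into a shell, and decodes the blob so an analyst can see what was pushed to the minions. The regexes, the payload and the sample lines are constructed assumptions about what such a command looks like, not copied from the incident.

```python
"""Flag Salt CLI invocations that push a base64-encoded payload to minions.

Added example; the detection regexes and SAMPLE_LINES below are constructed
assumptions, not the command observed in the incident.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# salt / salt-ssh invoking an execution module that runs shell on the minions.
SALT_EXEC = re.compile(r"\bsalt(?:-ssh)?\b.*\bcmd\.(?:run|shell|script)\b")

# A base64 decode whose output is piped straight into an interpreter.
DECODE_PIPE = re.compile(r"\bbase64\s+(?:-d|--decode)\b[^|;&]*\|\s*(?:ba)?sh\b")

# A run of base64-alphabet characters long enough to be a payload, with optional padding.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}")


@dataclass
class Finding:
    line_no: int
    command: str
    decoded_payload: Optional[str]  # None when no embedded blob decodes to UTF-8 text


def decode_blob(command: str) -> Optional[str]:
    """Return the first embedded base64 blob that decodes to text, if any."""
    for match in B64_BLOB.finditer(command):
        try:
            return base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not valid base64 (wrong length / alphabet) or not text: try the next run.
            continue
    return None


def find_salt_payload_pushes(lines: List[str]) -> List[Finding]:
    """Return one Finding per command line that matches both patterns."""
    findings = []
    for line_no, command in enumerate(lines, start=1):
        if SALT_EXEC.search(command) and DECODE_PIPE.search(command):
            findings.append(Finding(line_no, command, decode_blob(command)))
    return findings


# --- constructed sample input ---------------------------------------------
# The "payload" is harmless text; it is encoded here so the decode path is exercised.
SAMPLE_PAYLOAD = "echo constructed-sample"
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_LINES = [
    "salt '*' test.ping",
    f"salt '*' cmd.run \"echo {SAMPLE_BLOB} | base64 -d | bash\"",
    "salt 'web*' cmd.run 'systemctl restart nginx'",
]
SAMPLE_FINDINGS = find_salt_payload_pushes(SAMPLE_LINES)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(f"line {finding.line_no}: {finding.command}")
        print(f"  decoded payload: {finding.decoded_payload!r}")
```

Administrators occasionally push scripts the same way, so treat a hit as a lead to confirm against change records rather than proof of compromise; a master that has no business running cmd.run at all is the stronger signal, and that is a question of least privilege on the master, not of detection.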
The next stage includes a snippet of code that uses a list of DNS-over-HTTPS services to resolve the relay.tor2socks.in domain, a service the malware uses to communicate with .onion hidden services hosting its C2 servers on the Tor network:
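Because the lookups go over HTTPS, a conventional DNS log will not show them; they do show up in web egress logs. The script below, an added example and not Profero's tooling or the malware's code, walks constructed proxy log lines, flags requests to public DoH endpoints (by resolver host, RFC 8484 path or DoH content type), and recovers the queried name from both the JSON-API form (?name=) and the RFC 8484 GET form (?dns=, a base64url wire-format query). The log format, the resolver list and the sample lines are assumptions to adapt to your own logs.

```python
"""Find DNS-over-HTTPS lookups in web egress logs and recover the queried name.

Added example; the log format and SAMPLE_LOG are constructed, and DOH_HOSTS is a
starting point rather than a complete list of resolvers.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "doh.opendns.com", "1.1.1.1"}
DOH_PATHS = ("/dns-query", "/resolve")   # RFC 8484 path and the Google/Cloudflare JSON API path
DOH_TYPES = {"application/dns-message", "application/dns-json"}


def qname_from_wire(msg: bytes) -> str:
    """Read the first question name from a DNS wire-format message."""
    labels, pos = [], 12              # skip the fixed 12-byte header
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:             # compression pointers do not appear in a query's first QNAME
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def queried_name(url: str) -> Optional[str]:
    """Extract the looked-up name from a DoH GET URL; None for POST or unknown forms."""
    query = parse_qs(urlsplit(url).query)
    if "name" in query:               # JSON API: ?name=example.com&type=A
        return query["name"][0].rstrip(".")
    if "dns" in query:                # RFC 8484 GET: ?dns=<base64url, padding stripped>
        raw = query["dns"][0]
        raw += "=" * (-len(raw) % 4)  # restore the padding base64url GET omits
        return qname_from_wire(base64.urlsafe_b64decode(raw))
    return None


@dataclass
class DohHit:
    src_ip: str
    resolver: str
    name: Optional[str]


def detect_doh(log_lines: List[str]) -> List[DohHit]:
    """Assumed log format: '<timestamp> <src_ip> <method> <url> <content_type|-> <status>'."""
    hits = []
    for line in log_lines:
        _ts, src_ip, _method, url, content_type, _status = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in DOH_HOSTS or parts.path in DOH_PATHS or content_type in DOH_TYPES:
            hits.append(DohHit(src_ip, host, queried_name(url)))
    return hits


def build_query(name: str) -> bytes:
    """Build a minimal DNS A query in wire format (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD flag, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN


# --- constructed sample input ---------------------------------------------
SAMPLE_DNS_PARAM = base64.urlsafe_b64encode(build_query("relay.tor2socks.in")).decode().rstrip("=")
SAMPLE_LOG = [
    f"2021-03-01T10:00:01Z 10.0.0.12 GET https://cloudflare-dns.com/dns-query?dns={SAMPLE_DNS_PARAM} application/dns-message 200",
    "2021-03-01T10:00:02Z 10.0.0.12 GET https://dns.google/resolve?name=relay.tor2socks.in&type=A application/dns-json 200",
    "2021-03-01T10:00:03Z 10.0.0.12 GET https://packages.example.internal/debian/dists/buster/InRelease - 200",
    "2021-03-01T10:00:04Z 10.0.0.12 POST https://dns.quad9.net/dns-query application/dns-message 200",
]
SAMPLE_HITS = detect_doh(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(f"{hit.src_ip} -> {hit.resolver}: {hit.name or '(name in POST body)'}")
```

A POST-style RFC 8484 lookup carries the query in the request body, so only the resolver is recoverable from a URL-level log; the fact that a workload is talking to a public resolver over HTTPS at all is usually the finding, since most server fleets have no reason to bypass the VPC resolver.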