Attackers are known to hop across accounts to escalate privileges and exfiltrate data. At Sweet, we excel in protecting against unified attacks using a combination of sensor data, cloud logs, and advanced baseline mechanisms that analyze your cloud environments.
In this blog, we’ll explore an attack recently seen in a customer’s environment involving cross-account role assumptions, detailing how our technologies work together to uncover and analyze such complex incidents.
What is a “Cross-Account Role Assumption”?
A cross-account role assumption is a method that allows one cloud account to access resources or perform actions as another account by assuming a specific role. For example, Account A creates a role (S3AccessRole) granting read access to an S3 bucket and allows Account B to assume the role.
In the attack discussed here, the adversary began by exploiting a weak link in the chain: an exposed token in a pod's configuration map (ConfigMap). With that token, they assumed roles in two distinct AWS accounts in succession. Once established with the privileges of the second account, the attacker accessed and exfiltrated sensitive data from an S3 bucket. The breach didn’t stop there: the attacker then turned destructive and deleted a separate S3 bucket altogether. To cover their tracks and delay detection, they also deleted the activity logs tied to both compromised roles.
To summarize:
- The attack involved two separate accounts, leveraging their legitimate permissions to move laterally in the environment.
- The attacker targeted specific cloud resources, including EC2 instances and S3 buckets, and performed unauthorized deletions.
Multi-Layered Detection in Action: A Step-by-Step Analysis
Data from multiple sources—sensors and logs—played a crucial role in uncovering the details of this attack. By correlating activities across cloud accounts, roles, and resources, Sweet was able to identify and present the attack as a unified incident. Here is how Sweet’s platform analyzed the incident:
1. Identifying the Scope: Cross-Account Relationships
The first step in our detection process is understanding the breadth of the attack. Our system immediately flags that two accounts are involved. This insight is critical because cross-account activities often signal privilege escalation attempts or lateral movement, which are high-risk behaviors.
By analyzing the relationships between roles and accounts, our platform identifies:
- The roles used in each account and their respective permissions.
- The targets involved, such as EC2 instances and buckets, which give SecOps teams a clear understanding of what’s at stake.
2. Sensor and Log Correlation: Unifying Events Across Apps, Workloads, and Cloud
Sweet’s detection engine integrates data from two key sources:
- Sensors: Deployed at the workload and application level, our sensors monitor activity in real time. They detect suspicious processes, role usage, and other runtime behaviors.
- Logs: Cloud logs provide a historical record of actions like API calls, role assumptions, and resource modifications.
By correlating these two data streams, we ensure no detail is overlooked. For instance, while logs might show the role assumption, our sensor can provide additional context, such as the specific processes initiated by the attacker post-assumption.
3. Attack Path Visualization: Connecting the Dots
To make complex attack scenarios understandable, Sweet generates a detailed visual graph of each incident. This graph illustrates:
- Manual intervention: Identifying the user and roles involved, including their specific actions.
- Cross-account role usage: Highlighting how roles were assumed and used across accounts.
- Resource targeting: Displaying EC2 instances, S3 buckets, and other resources involved in the incident.
For example, in this scenario, the graph clearly shows how the attacker leveraged one role to assume another and subsequently targeted multiple resources.
4. Detailed Findings: Tracking the Attacker’s Actions
Sweet captures every action taken by the attacker, including:
- Role assumptions: The attacker’s ability to assume roles across accounts, a key step in privilege escalation.
- Resource modifications: Unauthorized deletions of EC2 instances and S3 buckets, likely intended to disrupt operations or cover tracks.
- Target mapping: A detailed view of all affected resources, helping prioritize response efforts.
5. Resolve and Prevent Similar Attacks in the Future
To prevent and stop attacks like this, security teams need to first understand how the adversary infiltrated the environment and gained initial access. Whether it was a misconfigured pod, deployment, or AWS account, teams need to reinforce security controls around these entry points.
The root cause of this attack—an unmanaged, stolen token—was all it took for the adversary to enter the environment, move laterally, and delete cloud resources. Secrets like tokens must be carefully managed, encrypted, and rotated regularly, with exposure risks minimized through best practices. Sweet Security offers best-in-class detection and remediation assistance for such misconfigurations, ensuring your environment is fortified against future breaches.
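A check for the root cause named above, as an added example rather than Sweet's tooling: it scans a constructed manifest in the shape of `kubectl get configmaps -A -o json` for AWS credential material that should never live in a ConfigMap. The credential values are AWS's public documentation placeholders plus an invented temporary-credential pair, and the namespaces and names are made up.

```python
import re

# Constructed manifest (shape of `kubectl get configmaps -A -o json`); the values are AWS
# documentation placeholders and invented strings, not live credentials.
SAMPLE_CONFIGMAPS = {"items": [
    {"metadata": {"namespace": "payments", "name": "app-env"},
     "data": {"LOG_LEVEL": "info",
              "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
              "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
    {"metadata": {"namespace": "batch", "name": "worker-env"},
     "data": {"ROLE_ARN": "arn:aws:iam::222222222222:role/S3AccessRole",
              "AWS_ACCESS_KEY_ID": "ASIAZZZZZZZZEXAMPLE0",          # ASIA prefix = STS temporary creds
              "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEXAMPLECONSTRUCTED"}},
    {"metadata": {"namespace": "web", "name": "static"},
     "data": {"BANNER": "hello"}},
]}

# Key names that denote a secret, and the value shape of an AWS access key id
# (AKIA = long-term user key, ASIA = temporary key issued by STS).
SECRET_KEY_NAMES = re.compile(r"(AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|SECRET|TOKEN|PASSWORD)", re.I)
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

def scan_configmaps(manifest):
    """Return one finding per ConfigMap entry whose key name or value looks like an AWS credential."""
    findings = []
    for cm in manifest.get("items", []):
        ns, name = cm["metadata"]["namespace"], cm["metadata"]["name"]
        for key, value in (cm.get("data") or {}).items():
            reasons = []
            if ACCESS_KEY_ID.search(str(value)):
                reasons.append("value looks like an AWS access key id")
            if SECRET_KEY_NAMES.search(key):
                reasons.append("key name denotes a secret")
            if reasons:
                findings.append({"configmap": f"{ns}/{name}", "key": key, "reasons": reasons})
    return findings

def affected_configmaps(manifest):
    """Distinct namespace/name pairs that need remediation (move to a Secret, or better, drop
    the static token entirely in favour of a pod identity such as IAM Roles for Service Accounts)."""
    return sorted({f["configmap"] for f in scan_configmaps(manifest)})
```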
A Complete Picture of Cloud Security
This cross-account role assumption attack showcases Sweet Security’s ability to detect, analyze, and visualize sophisticated breach attempts. By leveraging sensor data, logs, and advanced analytics, our platform provides unparalleled insights into cloud environments.
Why Sweet Stands Out
🍭 Holistic Visibility Across Accounts
Unified detection across cloud accounts ensures no malicious activity slips through the cracks. Our system connects seemingly unrelated actions, revealing how attackers exploit multi-account setups.
🍭 Correlated Multi-Layer Data
Combining real-time sensor data from your applications and workloads with cloud logs provides unmatched depth and accuracy in detection. This multi-layered approach ensures SecOps teams can detect, analyze, and respond with confidence.
🍭 Actionable Insights with Advanced Analytics
Our platform doesn’t just detect anomalies—it explains them. The combination of visual graphs, anomaly heat maps, and filtered findings empowers teams to act decisively.
🍭 Proactive Risk Management
Sweet Security highlights not just what the attacker did but also the potential risks and impacts, enabling proactive risk mitigation. For instance, by showing the roles involved, their permissions, and the targeted resources, teams can tighten controls to prevent future incidents.
Want to see how Sweet Security can help protect your organization from unified attacks like this? Contact us to schedule a demo or learn more about our unified detection capabilities. Together, we can secure your cloud environment against even the most complex threats.