Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| STA-10 | Supply Chain Risk Management | mitigates | T1525 | Implant Internal Image | The mitigative applications of this control relate to: "(c) documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)" and "(e) software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". Code signing can ensure the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1525 | Implant Internal Image | This control requires both the CSP and the CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency scanning tools to mitigate risks from library vulnerabilities. |
| AIS-06 | Automated Secure Application Deployment | mitigates | T1525 | Implant Internal Image | This control applies to the secure deployment of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Secure deployment templates, and checking the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software, may aid in mitigating this technique. |
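As an added example (not part of the ATT&CK or CCM text) of the AIS-06 point about checking image integrity, and of the persistence route the description notes (a provisioning tool told to always use the latest image), the following Python audits a deployment manifest for image references that a registry implant could hijack: floating or unpinned tags are flagged, and digests are checked against an allowlist. The manifest, registry name and digests are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# [registry[:port]/]repository[:tag][@sha256:<64 hex>]; tag and digest are optional.
_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9._\-]+(?::[0-9]+)?(?:/[a-z0-9._\-]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)

@dataclass(frozen=True)
class ImageRef:
    name: str          # registry/repository, without tag or digest
    tag: str | None
    digest: str | None

def parse_image_ref(ref: str) -> ImageRef | None:
    m = _REF_RE.match(ref.strip())
    return ImageRef(m["name"], m["tag"], m["digest"]) if m else None

def extract_image_refs(manifest: str) -> list[str]:
    """Collect every `image:` value from a YAML-style manifest (no YAML parser needed)."""
    return re.findall(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)", manifest, flags=re.M)

def audit_image_ref(ref: str, approved: dict[str, set[str]]) -> str | None:
    """Why a reference is unsafe to provision from, or None if pinned to an approved digest."""
    parsed = parse_image_ref(ref)
    if parsed is None:
        return "unparseable image reference"
    if parsed.digest is None:
        if parsed.tag in (None, "latest"):
            return "floating tag: deploys whatever the registry currently holds"
        return "tag only: a re-pushed tag would be pulled without verification"
    if parsed.digest not in approved.get(parsed.name, set()):
        return "digest is not on the approved allowlist"
    return None

def audit_manifest(manifest: str, approved: dict[str, set[str]]) -> dict[str, str]:
    """Map each offending image reference in the manifest to its finding."""
    findings = {}
    for ref in extract_image_refs(manifest):
        reason = audit_image_ref(ref, approved)
        if reason:
            findings[ref] = reason
    return findings

# Constructed sample manifest and allowlist; the digests are placeholders, not real images.
WORKER_DIGEST = "sha256:" + "0123456789abcdef" * 4
SIDECAR_DIGEST = "sha256:" + "fedcba9876543210" * 4
SAMPLE_MANIFEST = f"""\
containers:
  - image: registry.example.internal/web:latest
  - image: registry.example.internal/api:2.4.1
  - image: registry.example.internal/worker@{WORKER_DIGEST}
  - image: registry.example.internal/sidecar:1.0@{SIDECAR_DIGEST}
"""
APPROVED_DIGESTS = {"registry.example.internal/worker": {WORKER_DIGEST}}
```

Running `audit_manifest(SAMPLE_MANIFEST, APPROVED_DIGESTS)` reports the `web`, `api` and `sidecar` references and passes only the digest-pinned, allowlisted `worker` image; the same check fits naturally into a CI gate in front of the provisioning tool.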