Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.
Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.
A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.
An example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| UEM-05 | Endpoint Management | mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This control provides for the implementation of best practices for endpoint management. Cloud service providers may allow customers to deactivate unused regions to help mitigate the risk of adversaries creating resources in unused regions.
References
|
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This control provides for the implementation of best practices for third-party endpoint management. Cloud service providers may allow customers to deactivate unused regions to help mitigate the risk of adversaries creating resources in unused regions.
References
|
| AIS-06 | Automated Secure Application Deployment | mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Deployment templates and IaC scripts enforce which regions a deployment can occur and mitigate the ability of a compromised deployment to occur in an unused/unsupported region.
References
|