Hackers Exploit Cloud Logging Services to Evade Detection

Cybersecurity researchers have identified a concerning trend where threat actors are exploiting cloud logging services to evade detection and maintain persistent access within compromised environments. These services, integral to monitoring and securing cloud infrastructures, are being manipulated to create blind spots, hindering defenders’ visibility.

Cloud logging platforms, such as AWS CloudTrail and Google Cloud Logging, are essential for tracking activities across cloud environments. Security teams depend on these logs to power Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Cloud Security Posture Management (CSPM) tools. However, attackers with sufficient permissions can manipulate these systems to disrupt visibility or even exfiltrate logs for their own monitoring purposes.

Defense Evasion Tactics

Researchers have categorized these attacks into two primary tactics: defense evasion and continuous visibility. In defense evasion scenarios, attackers focus on disabling or tampering with logging mechanisms to avoid detection.

One straightforward technique involves stopping log collection entirely. In AWS, adversaries holding the cloudtrail:StopLogging permission can halt logging with a single API call, instantly blinding monitoring systems. Similarly, in Google Cloud, attackers with the logging.sinks.update permission can disable logging sinks.

Another common technique is deleting log storage destinations. For example, attackers with s3:DeleteBucket permissions can remove CloudTrail log buckets, erasing forensic evidence. In Google Cloud, log buckets can also be deleted, but they enter a delayed-deletion state, providing a limited recovery window.

More advanced attackers may impair logging by manipulating encryption keys. Replacing the legitimate AWS Key Management Service (KMS) key with an attacker-controlled key and then revoking access to it leaves existing logs unreadable or prevents new logs from being written at all. A similar attack is possible in Google Cloud using customer-managed encryption keys (CMEK), effectively locking defenders out of their own logs.

Continuous Visibility Exploitation

Beyond evasion, attackers are also leveraging logging systems for continuous visibility. Instead of triggering alerts with active reconnaissance, adversaries can configure new log routing mechanisms to send copies of logs to attacker-controlled environments. In AWS, this involves creating new CloudTrail trails pointing to external S3 buckets, while in Google Cloud, attackers abuse logging sinks to redirect logs.

Log redirection is particularly dangerous, as it silently streams real-time activity data, including Identity and Access Management (IAM) changes, virtual machine deployments, and data access events, to threat actors. This enables long-term surveillance and strategic lateral movement without raising immediate alarms.

These findings underscore the critical need for organizations to implement stringent access controls and continuously monitor their cloud logging configurations. Regular audits and anomaly detection mechanisms are essential to identify and mitigate unauthorized changes to logging services, ensuring the integrity and security of cloud environments.
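A detection pass over the logging-configuration changes described above, written here as an added example rather than code from the reported research: it normalizes CloudTrail records and Google Cloud audit-log entries, flags StopLogging and deletion of a known log bucket as defense evasion, and flags any trail or sink routed outside an approved destination set as continuous-visibility redirection. The allow-list, account IDs, principals and sample records are constructed assumptions, and reading the sink destination from protoPayload.request.sink.destination is an assumption about the audit-log shape.

```python
# Constructed allow-list of destinations our own trails and sinks may write to.
APPROVED_DESTINATIONS = {
    "arn:aws:s3:::org-cloudtrail-logs",
    "logging.googleapis.com/projects/org-sec/locations/global/buckets/central",
}

# Logging-config changes (CloudTrail eventName or Google Cloud methodName) by tactic.
LOGGING_CHANGE_EVENTS = {
    "StopLogging": "defense evasion: logging halted",
    "DeleteBucket": "defense evasion: log bucket deleted",
    "CreateTrail": "continuous visibility: new trail",
    "UpdateTrail": "continuous visibility: trail destination changed",
    "google.logging.v2.ConfigServiceV2.CreateSink": "continuous visibility: new sink",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "continuous visibility: sink changed",
}

def normalize(record):
    """Reduce a CloudTrail record or Google Cloud audit-log entry to (name, actor, dest)."""
    if "protoPayload" in record:                      # Google Cloud audit log entry
        p = record["protoPayload"]
        return (p.get("methodName"),
                p.get("authenticationInfo", {}).get("principalEmail", "?"),
                p.get("request", {}).get("sink", {}).get("destination"))
    params = record.get("requestParameters") or {}   # CloudTrail record
    bucket = params.get("s3BucketName") or params.get("bucketName")
    return (record.get("eventName"),
            record.get("userIdentity", {}).get("arn", "?"),
            f"arn:aws:s3:::{bucket}" if bucket else None)

def classify(record):
    """Return an alert string for a suspicious logging change, otherwise None."""
    name, actor, dest = normalize(record)
    reason = LOGGING_CHANGE_EVENTS.get(name)
    if reason is None:
        return None
    approved = dest in APPROVED_DESTINATIONS
    if name == "DeleteBucket" and not approved:
        return None                                   # not one of our log stores
    if name != "DeleteBucket" and dest is not None and approved:
        return None                                   # routed to a known-good destination
    return f"{reason} by {actor}" + (f" -> {dest}" if dest else "")

SAMPLE_RECORDS = [  # constructed samples in each provider's native shape
    {"eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "CreateTrail", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "shadow-trail", "s3BucketName": "unrelated-bucket-9f2"}},
    {"eventName": "DeleteBucket", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "scratch-data"}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.CreateSink",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "request": {"sink": {"destination": "pubsub.googleapis.com/projects/other/topics/t"}}}},
]
```

Running classify over SAMPLE_RECORDS yields three alerts; the DeleteBucket of an unrelated bucket is deliberately ignored, while deleting a bucket in APPROVED_DESTINATIONS would alert.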

As cloud infrastructures become increasingly complex, the exploitation of logging services highlights the evolving tactics of cyber adversaries. Organizations must prioritize the security of their monitoring tools, recognizing that these systems are not only vital for defense but also attractive targets for attackers seeking to conceal their activities and maintain persistent access.