Cyber attackers are increasingly targeting cloud logging services like AWS CloudTrail and Google Cloud Logging to conceal their activities and exfiltrate sensitive data. These services, designed to provide comprehensive visibility into cloud environments by recording API calls, resource changes, and user actions, are being manipulated to undermine security operations.
According to Unit 42 researchers, attackers employ two primary strategies: defense evasion and continuous visibility. In defense evasion, they disable or corrupt logs to avoid detection. For instance, in AWS, an attacker with sufficient permissions can issue the CloudTrail StopLogging API call (stop-logging in the AWS CLI) to halt the delivery of log records to the trail's S3 bucket. Similarly, in Google Cloud, disabling a log sink stops log entries from reaching their destination. Attackers may also delete the storage buckets that hold logs or alter the encryption keys protecting them, rendering the logs inaccessible.
Continuous visibility involves redirecting logs to attacker-controlled infrastructure, allowing them to monitor a victim’s cloud environment without detection. This tactic enables adversaries to gather intelligence on security measures and operational activities, facilitating further exploitation.
The implications are severe. Security tools like SIEM platforms, SOAR systems, and cloud security posture management products rely on accurate log data. When logs are tampered with or rerouted, these tools lose effectiveness, leaving organizations blind to malicious activities within their cloud environments.
To mitigate these risks, organizations should implement stringent access controls, regularly audit logging configurations, and monitor for anomalies in log data. Ensuring the integrity and availability of logging services is crucial for maintaining robust cloud security.
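The monitoring the article recommends can be reduced to a concrete check over the cloud provider's own audit trail: the API calls that stop, delete, reconfigure or redirect logging (StopLogging, UpdateTrail, sink updates and deletions, and the bucket and key operations mentioned above) are themselves recorded, so a detector can flag them and separate plain evasion from redirection to an unapproved destination. The following Python is an added example, not code from the article or from Unit 42. The CloudTrail event names and Cloud Audit Log method names are the real ones; the allowlists, account ids, principals, trail and sink names, and the sample events are constructed placeholders, and the assumption that an UpdateSink request body carries the sink under a "sink" key is noted in the code.

```python
import json

# Constructed watchlists for this example (they are not from the article).
# The event and method names are the real CloudTrail / Cloud Audit Log names;
# the allowlists are placeholders standing in for an organisation's own values.
AWS_TAMPER_EVENTS = {
    "StopLogging": "trail stopped recording",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail reconfigured",
    "PutEventSelectors": "event selectors changed",
    "DeleteBucket": "bucket deleted (check whether it held logs)",
    "ScheduleKeyDeletion": "KMS key scheduled for deletion (check whether it encrypts logs)",
    "DisableKey": "KMS key disabled (check whether it encrypts logs)",
}
GCP_TAMPER_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink": "log sink deleted",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "log sink updated",
}
APPROVED_S3_BUCKETS = {"org-cloudtrail-logs-placeholder"}
APPROVED_GCP_SINK_DESTINATIONS = {"storage.googleapis.com/org-audit-logs-placeholder"}


def inspect_cloudtrail(record):
    """Return a finding for a CloudTrail record that weakens or reroutes logging, else None."""
    name = record.get("eventName")
    if name not in AWS_TAMPER_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    reason = AWS_TAMPER_EVENTS[name]
    # An UpdateTrail that points the trail at a bucket outside the allowlist is the
    # "continuous visibility" pattern (log redirection), so it gets its own reason.
    bucket = params.get("s3BucketName")
    if name == "UpdateTrail" and bucket and bucket not in APPROVED_S3_BUCKETS:
        reason = "trail redirected to unapproved bucket " + bucket
    return {
        "provider": "aws",
        "actor": (record.get("userIdentity") or {}).get("arn", "unknown"),
        "event": name,
        "target": params.get("name") or params.get("bucketName") or params.get("keyId"),
        "reason": reason,
    }


def inspect_gcp_audit(entry):
    """Same check for a Cloud Audit Log entry (admin activity on the logging config)."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName")
    if method not in GCP_TAMPER_METHODS:
        return None
    # Assumption: the request body carries the LogSink under "sink", as the
    # UpdateSink request message does.
    sink = (payload.get("request") or {}).get("sink") or {}
    reason = GCP_TAMPER_METHODS[method]
    if sink.get("disabled"):
        reason = "log sink disabled"
    elif sink.get("destination") and sink["destination"] not in APPROVED_GCP_SINK_DESTINATIONS:
        reason = "log sink redirected to unapproved destination " + sink["destination"]
    return {
        "provider": "gcp",
        "actor": (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown"),
        "event": method,
        "target": payload.get("resourceName"),
        "reason": reason,
    }


def scan(lines):
    """Run both inspectors over newline-delimited JSON and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        finding = inspect_gcp_audit(obj) if "protoPayload" in obj else inspect_cloudtrail(obj)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (fictional account id, principals, trail, sink and key names).
SAMPLE_EVENTS = """
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/benign-user"},"requestParameters":{}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/compromised-user"},"requestParameters":{"name":"org-trail"}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::111122223333:user/compromised-user"},"requestParameters":{"name":"org-trail","s3BucketName":"unknown-bucket-placeholder"}}
{"eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::111122223333:user/compromised-user"},"requestParameters":{"keyId":"key-id-placeholder","pendingWindowInDays":7}}
{"protoPayload":{"methodName":"google.logging.v2.ConfigServiceV2.UpdateSink","authenticationInfo":{"principalEmail":"compromised@example.com"},"resourceName":"projects/example-project/sinks/org-sink","request":{"sink":{"name":"org-sink","disabled":true}}}}
{"protoPayload":{"methodName":"google.logging.v2.ConfigServiceV2.UpdateSink","authenticationInfo":{"principalEmail":"compromised@example.com"},"resourceName":"projects/example-project/sinks/org-sink","request":{"sink":{"name":"org-sink","destination":"pubsub.googleapis.com/projects/other-project-placeholder/topics/unapproved-topic-placeholder"}}}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['provider']}] {f['actor']} {f['event']} on {f['target']}: {f['reason']}")
```

In a real pipeline these findings should be produced by a path that the monitored trail or sink cannot silence, for example an organisation-level trail or an aggregated sink in a separate account or project, since a detector that reads only the trail being stopped goes blind at exactly the moment it is needed.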
Source: Cyber Security News