Cloud environments have changed how organizations manage their infrastructure, offering flexibility and scalability. But these benefits also bring new risks, and even small mistakes in cloud security can have serious consequences. For example, Google Cloud once accidentally deleted data from a $125 billion Australian pension fund due to a simple configuration error. Although this wasn’t a cyberattack, it shows how vulnerable these systems can be.

Now imagine attackers taking advantage of similar flaws deliberately. That is the scenario behind what we call a “Cloud Heist.”

This post explains what a Cloud Heist is, how it works, and the methods attackers use to carry out these attacks.

What is a Cloud Heist and How is it Different from Traditional Ransomware?

A Cloud Heist occurs when threat actors gain unauthorized access to cloud environments through compromised credentials or unpatched vulnerabilities. Unlike traditional ransomware, which typically involves encrypting data to demand a ransom, a Cloud Heist focuses on taking over cloud accounts. Once in control, attackers may steal sensitive data, delete important files, or misuse cloud resources for their gain, such as cryptomining—all without needing to encrypt anything.

Techniques to Perform Cloud Heists

Attackers employ various methods to carry out a Cloud Heist:

  • Credential Theft: Attackers often start by obtaining credentials through phishing, social engineering, or exploiting vulnerabilities. This serves as the initial entry point into the cloud environment.
  • Exploiting Weak IAM Policies: Organizations sometimes fail to implement the principle of least privilege, allowing attackers to exploit overly permissive roles and escalate their privileges within the cloud.
  • API Abuse: Attackers misuse or compromise API keys to manipulate cloud resources, exfiltrate data, or carry out other malicious actions. APIs are integral to cloud management, and their exploitation often bypasses traditional security controls.
  • Reconnaissance: Once inside, attackers scan the environment to identify valuable resources such as storage buckets, databases, or high-privilege user accounts. This information guides their next steps.
  • Privilege Escalation: Attackers elevate the privileges of compromised accounts or create new users with administrative access to gain broader control over the environment.

What Attackers Might Do When They Lock the Account

Once attackers lock legitimate users out of their cloud accounts, they can execute several malicious activities:

  • Data Exfiltration: Attackers may download sensitive data and delete the original files, often leaving a ransom note demanding payment for data recovery.
  • Cryptomining: High-performance instances are exploited to run crypto mining software, draining the victim’s financial resources.
  • Ransom Demands: Similar to traditional ransomware, attackers might demand a ransom in exchange for returning access to the cloud account or for not leaking stolen data.
  • Destruction of Resources: Critical resources such as databases, virtual machines, or backups might be deleted, causing significant operational disruption.
  • Setting Up Backdoors: Attackers create backdoor accounts or roles to ensure they can regain access even if the initial breach is detected and closed.

Real-World Example: The Lapsus$ Group Attacks

In 2022, the Lapsus$ group carried out a series of high-profile cloud attacks, targeting companies like Okta, Microsoft, and Nvidia. They used social engineering and credential theft to gain unauthorized access to cloud environments. For example, they breached Okta by compromising a third-party support engineer’s account, which allowed them to access sensitive customer data. Similarly, they infiltrated Microsoft and Nvidia, stealing employee credentials and proprietary data. Once inside, they leaked the stolen data and demanded ransoms.

Demonstrating an Account Lock on GCP: A Step-by-Step Attack Scenario

To provide a practical example, let’s walk through a simulated attack scenario where an attacker, starting with minimal permissions, escalates their access and eventually locks the legitimate user out of their GCP account.

Step 1: Set Up a Vulnerable Jenkins Environment

The first step is setting up the environment by deploying a vulnerable Jenkins instance on a virtual machine (VM).

Step 2: Exploiting Jenkins (Initial Access via CVE-2024-43044)

Once the Jenkins environment is deployed, the attacker can exploit a known vulnerability (such as CVE-2024-43044) to gain initial access. This allows the attacker to execute commands remotely, leading to the compromise of the system.

At this point, the attacker has initial access to the system through Jenkins and can begin to exploit other services and resources in GCP.

Step 3: Create a Victim Service Account

To simulate an attacker targeting a user, we’ll first create a service account representing a victim with minimal permissions:

gcloud iam service-accounts create victim-service-account \
    --display-name "Victim"

This service account represents an employee whose account will be locked out.

Step 4: Compromised Credentials – Targeting the Compute Engine Default Service Account

The attacker, having compromised a low-privilege account, might attempt to find the Compute Engine default service account. This service account is automatically created by GCP and often has Editor permissions, providing the attacker an opportunity for privilege escalation.

Step 4.1: Find the Compute Engine Default Service Account

To identify the default service account used by Compute Engine, the attacker first lists the service accounts in the project and then checks which one is attached to the virtual machine (VM).

gcloud iam service-accounts list

gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE] \
    --format="value(serviceAccounts)"

The output will include the default service account email, which typically follows this format:

[PROJECT_NUMBER]-compute@developer.gserviceaccount.com

Step 4.2: Fetch the Compute Engine Default Service Account Token

Using the service account email, the attacker retrieves the OAuth token associated with the default service account:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/{SERVICE_ACCOUNT_EMAIL}/token" \
    -H "Metadata-Flavor: Google"

OR

gcloud auth print-access-token

This OAuth token allows the attacker to make authenticated API requests as the Compute Engine service account. What the token can actually do is bounded by the OAuth scopes configured on the VM and by the IAM roles granted to that service account, which is why the default account's broad Editor role matters so much.

Step 5: API Requests to Escalate Privileges

Now that the attacker has the necessary credentials, they can interact with GCP’s IAM API to disable the victim’s service account or perform other malicious actions.

curl -X POST \
    "https://iam.googleapis.com/v1/projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_ID}:disable" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d ""

This command disables the legitimate service account, preventing the victim from regaining access. The call is recorded in the project's Admin Activity audit logs, which are always on and cannot be disabled, so this is the point in the chain where detection is most reliable.
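The lockout call above leaves a trace in GCP Admin Activity audit logs. The detector below is an added example, not code from the original post or from Upwind: it scans constructed audit log lines and flags IAM Admin calls that disable or delete service accounts, escalating to critical when the caller is the Compute Engine default service account, since a VM identity has no business administering IAM. The method names and log field layout are assumed from the IAM Admin API and the Cloud Audit Logs schema; the sample entries are constructed.

```python
import json

# Added example, not Upwind's code. Method names are the IAM Admin API values that
# appear in protoPayload.methodName of GCP Admin Activity audit logs (assumed).
LOCKOUT_METHODS = {"google.iam.admin.v1.DisableServiceAccount",
                   "google.iam.admin.v1.DeleteServiceAccount",
                   "google.iam.admin.v1.DeleteServiceAccountKey"}
PERSISTENCE_METHODS = {"google.iam.admin.v1.CreateServiceAccount",  # backdoor pattern
                       "google.iam.admin.v1.CreateServiceAccountKey"}
# Compute Engine default SA: PROJECT_NUMBER-compute@developer.gserviceaccount.com
COMPUTE_DEFAULT_SUFFIX = "-compute@developer.gserviceaccount.com"

def classify(entry):
    """Return (severity, reason) for one audit log entry, or None if benign."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    target = payload.get("resourceName", "")
    from_vm_identity = principal.endswith(COMPUTE_DEFAULT_SUFFIX)
    if method in LOCKOUT_METHODS:
        # A VM identity disabling or deleting accounts is the lockout step itself.
        return ("critical" if from_vm_identity else "high",
                f"{principal} called {method} on {target}")
    if method in PERSISTENCE_METHODS and from_vm_identity:
        return ("high", f"VM identity {principal} created access via {method} on {target}")
    return None

def scan_audit_log(lines):
    """lines: JSON strings, one Cloud Logging entry each; returns flagged tuples."""
    findings = []
    for raw in lines:
        entry = json.loads(raw)
        hit = classify(entry)
        if hit:
            findings.append((hit[0], entry.get("timestamp", ""), hit[1]))
    return findings

def _entry(ts, method, principal, target):  # builds one constructed sample line
    return json.dumps({"timestamp": ts, "protoPayload": {"methodName": method,
        "authenticationInfo": {"principalEmail": principal}, "resourceName": target}})

VICTIM = "projects/-/serviceAccounts/victim-service-account@example-project.iam.gserviceaccount.com"
SAMPLE_LOG = [  # constructed, not real logs
    _entry("2024-09-01T10:00:00Z", "google.iam.admin.v1.DisableServiceAccount",
           "123456789012" + COMPUTE_DEFAULT_SUFFIX, VICTIM),
    _entry("2024-09-01T10:00:05Z", "google.iam.admin.v1.GetServiceAccount",
           "admin@example.com", VICTIM),
    _entry("2024-09-01T10:01:00Z", "google.iam.admin.v1.CreateServiceAccountKey",
           "123456789012" + COMPUTE_DEFAULT_SUFFIX,
           "projects/-/serviceAccounts/backdoor-sa@example-project.iam.gserviceaccount.com"),
]
```

Feed it the output of a Cloud Logging export (one JSON entry per line) and route the critical findings to whatever pages your on-call team.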

Defending Against Cloud Heists

To counter the growing threat of Cloud Heists, organizations must implement proactive security measures:

  • Implement Strong Access Controls: Use multi-factor authentication (MFA) for all cloud accounts, enforce strong password policies, and regularly rotate credentials. Limit access by applying the principle of least privilege to minimize potential damage.
  • Monitor and Audit Cloud Activity: Continuously monitor cloud environments for unusual activity, such as abnormal login attempts or API calls. Regular audits of configurations and permissions help ensure alignment with security best practices.
  • Secure API Endpoints: Ensure API endpoints are protected, with access limited to authorized users only. Implement rate limiting and logging to detect and respond to potential abuses.
  • Data Encryption and Backup: Encrypt sensitive data at rest and in transit. Maintain regular backups in a secure location to prevent data loss in case of a breach.
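Least privilege for VM identities is the control that breaks Step 4 of the scenario above. This check is an added example, not code from the post or from Upwind: it reads the JSON that `gcloud compute instances list --format=json` produces and flags instances that run as the Compute Engine default service account or carry the broad cloud-platform or iam OAuth scopes that let a metadata-server token reach the IAM API. The instance records are constructed, and the field names follow the Compute API Instance resource.

```python
import json

# Added example, not Upwind's code.
COMPUTE_DEFAULT_SUFFIX = "-compute@developer.gserviceaccount.com"
# OAuth scopes that let a token minted on the VM reach the IAM Admin API.
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform",
                "https://www.googleapis.com/auth/iam"}

def recommend(is_default, broad):
    """Remediation text for one risky instance."""
    if is_default and broad:
        return "attach a dedicated SA with only the roles the workload needs; drop cloud-platform scope"
    if is_default:
        return "replace the Compute default SA with a dedicated least-privilege SA"
    return "narrow OAuth scopes to the APIs the workload actually calls"

def audit_instances(instances):
    """instances: parsed `gcloud compute instances list --format=json` output.
    Returns one finding dict per risky instance/service-account pair."""
    findings = []
    for inst in instances:
        name = inst.get("name", "?")
        zone = inst.get("zone", "").rsplit("/", 1)[-1]  # zone is a full URL
        for sa in inst.get("serviceAccounts", []):
            email = sa.get("email", "")
            broad = set(sa.get("scopes", [])) & BROAD_SCOPES
            is_default = email.endswith(COMPUTE_DEFAULT_SUFFIX)
            if is_default or broad:
                findings.append({"instance": f"{zone}/{name}", "service_account": email,
                                 "default_sa": is_default, "broad_scopes": sorted(broad),
                                 "fix": recommend(is_default, bool(broad))})
    return findings

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
SAMPLE_INSTANCES = json.loads("""[
 {"name": "jenkins-vm", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
  "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                       "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-b",
  "serviceAccounts": [{"email": "web-sa@example-project.iam.gserviceaccount.com",
                       "scopes": ["https://www.googleapis.com/auth/logging.write"]}]}
]""")
```

Scopes only limit what a token can ask for; the roles bound to the service account still need reviewing, since the default account's Editor role is the real escalation path.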

Upwind provides real-time protection against Cloud Heists by baselining resource behaviors and automatically alerting you to deviations that could indicate suspicious or malicious behavior, as well as monitoring network and API traffic in real time.

To learn more about how Upwind protects your environment against Cloud Heists, contact us at [email protected] or schedule a demo.