In this episode of Threat Vector, host David Moulton is joined by Nathaniel Quist, Manager of Cloud Threat Intelligence at Palo Alto Networks’ Cortex. Together, they break down a large-scale cloud extortion campaign that exposed over 90,000 credentials across more than 1,100 cloud accounts. Quist shares how a single misconfiguration led to a wide-scale breach, why identity and access management remains a critical weak point, and how automation is changing the speed and style of cloud-native threats. Learn how to build a solid cloud posture, detect threats faster, and stay ahead of evolving extortion tactics.
From the show:
- Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments
- Episode 36: Staying Ahead of Cloud Attacks RSAC Talk
Transcript
[ Music ]
Nathaniel Quist: Identity is critical. We need to keep the visibility of identity and the runtime operations top of mind. Only the things that we should know should be running, especially in cloud because it's so machine-driven. Users don't have a lot of access to it. So identity will always be paramount. [ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42. [ Music ] And today, I'm speaking to someone who needs no introduction to our "Threat Vector" audience, Nathaniel Quist, or Q, Manager of Cloud Threat Intelligence at Palo Alto Networks Cortex and a key leader within Unit 42. If you've been listening for a while, you may remember our September 2024 conversation, "Staying Ahead of Cloud Attacks," where we dug into cloud-native threats and the evolving tactics adversaries are using to target public cloud environments. This is also where we coined a brand-new term, a favorite of mine, "honeyified." If you missed the episode, you definitely need to go back and give it a listen. Today, we're picking up where that conversation left off. And we're diving into the details of a recent, large-scale cloud extortion campaign that exposed environment variable files, resulting in the compromise of 90,000-plus credentials across more than 1,100 cloud accounts. This attack reveals just how devastating misconfigurations in modern cloud environments can be and how fast adversaries can move once they find an opening. From the investigation and the takedown efforts to the defensive strategies that work, we're going to explore how posture management, runtime security, and threat intelligence can help organizations detect, prevent, and recover from threats like this one. Here's our conversation. [ Music ] So a note for listeners: This is being recorded on location at RSA Conference. So we're not in the safe confines of the "Threat Vector" podcast studio. As a result, you may hear Dogstar warming up in the background. Apologies. Q, welcome back to "Threat Vector." As always, it's great to have you here.
Nathaniel Quist: Thank you, David. And I'm happy to be back on the show, looking forward to the conversation.
David Moulton: Last time you joined us, you introduced this concept of things being honeyified, and I'm still not over the term. We had a great conversation back then about the HoneyCloud and how your team uses deception to track attacker behavior. And today, we're going to pick up the thread and go deeper, especially into the research that you just presented at RSA on a massive cloud extortion campaign. I want to know, did anything in this campaign feel honeyified, or was this an entirely different class of threat?
Nathaniel Quist: I love these kind of abstract questions, where it's like, what is honeyified? And like now we have to -- like I created a term, and now I have to like figure out --
David Moulton: [laughs] You have to defend it.
Nathaniel Quist: Yeah, I keep going against this thing. Yeah, no, it's a real term. It works. Yes, there are several things that we found that held true within the last conversation when it came to how attackers automate operations and attacks, and then how these actors actually did something in real life that had a real consequence. And, you know, some of those honeyified components, well, they're real in this case. They're not really honey. They're actually a real event, you know, but the concepts behind it held true. That's interesting.
David Moulton: And so today, we're going to talk about this large-scale extortion campaign that targeted, exposed environment variable files and led to the exposure of over 90,000 credentials in more than 1,100 cloud accounts. I want to get into your perspective on the investigation, the takedown efforts, and what organizations need to do to defend themselves. This extortion campaign is massive. How did this come into your radar, and what was the scope when you first discovered it?
Nathaniel Quist: Right. So this campaign -- To be clear, my team is a threat intel team. And so we provided enrichment to an incident response case that was already active. So we provided intel into it. But what made this case so interesting was unique in how the actor got into the environment and what they did, how they moved laterally, how they moved -- how they escalated their permissions. That was really interesting and allowed us some really unique vantage points into what the attacker, you know, did, how they performed, different insights onto what we see ransomware or how ransomware actually operates inside of cloud environments.
David Moulton: Q, were there any early indicators that stood out as red flags before the scale became clear?
Nathaniel Quist: There were. We saw, like, serverless functions being created and failing. We saw EC2 instances that were trying to be created and failing. Those types of operations are, you know, certainly, well, not always uncommon. But if we see them at scale or we see multiple events happening in a short period of time, those things do stand out. And they trigger us onto, you know, what this particular credential is doing or what, you know.
David Moulton: So we've talked about environment variable files before. But can you explain what made this such a high-value target in the case?
Nathaniel Quist: So environment variables are sets of credentials that applications will use to communicate with other apps behind cloud, right? So if you have a web instance or a web host, let's say like a Tomcat Apache or something of that nature, and it needs to communicate to a back-end database, it needs to have credentials to do that. And we don't want to have those credentials hard-coded into the application because then an attacker can see those. So you use an environment variable file to store that credential. And that credential should be not exposed publicly. And so, you know, environment variables can hold keys to databases. They can have keys to other API systems or other applications that are in an environment. So they're very sensitive files. But they allow us to keep our system more secure if our exposed environment -- or if our environment variable files are not exposed.
David Moulton: And it's that sensitivity and the access that they provided that made them such a high-value target in this case?
Nathaniel Quist: Yes, it was. I mean, the attacker simply needed to go to that IP address or to that domain and say backslash dot env, and then they were able to access all of the environment variable files for that environment.
David Moulton: So for the lay listener, that's the like, the master key to the entire --
Nathaniel Quist: Well, no, it's not quite master key level. It is what that endpoint or what that web server that you're connecting to, what it can connect to.
David Moulton: Were these files being exposed in repositories, misconfigured services, or something else?
Nathaniel Quist: Yeah. So this is definitely a misconfiguration. It's the -- the application itself was misconfigured to allow exposure to this environment variable file.
David Moulton: Q, what was the attacker's playbook once these environment variables were discovered?
Nathaniel Quist: Yeah, so they start with discovery. You get the environment variable file. You get a credential inside of that. And you want to see what that has access to. So you want to enumerate, you know, the users, what virtual machines you have access to, what storage containers you have access to. It's all about discovery. We want to discover, or the attacker wants to discover what they're doing and what they have access to. From there, what they're doing is they're then trying to either modify or create users. So they want to, you know, create a user. They want to attach new policies to that user so they can, you know, elevate their privileges or try to perform additional actions inside of the environment. These actors specifically tried to laterally move into virtual machine space and create new virtual machines. They did fail on those aspects, which was great, but they were able to successfully create serverless functions, and that was a tipping function. So it goes from the environment variable file to discovery. Once you have discovery, then you're trying to modify or escalate permissions. And then once you can modify and escalate those permissions, then you're going to try to do whatever execution process, either create new services, create new resources, serverless functions, containers, those types of operations.
David Moulton: Can you describe how they moved from that initial access to exfiltration and then the ransomware demands?
Nathaniel Quist: Yeah. So, with their serverless functions, like I said, they did fail on creating virtual machines. And typically, so what these actors tried to do is they created a virtual machine. And they were going to perform a very minor crypto-mining operation, crypto-jacking operation. Those failed to take root. So then they created two serverless functions. One serverless function brought that cloud environment into what we found was a larger botnet operation where that victim environment then pulled down the execution, you know, code, the operations to have that victim environment then begin to scan for other exposed environment variable files for other victims and other IP addresses that they had lists for. And then their second serverless function then allowed for the exfiltration of data from that client environment. So they got, you know, usernames. They got additional credentials that they were able to access. They were able to upload data to that environment -- or to the attacker's information network.
David Moulton: So, as you mentioned before, this was part of a Unit 42 incident response effort. What does a take down look like in a cloud environment like this? And what partners or cloud providers were involved?
Nathaniel Quist: Yeah, so we worked specifically with AWS. We worked with AWS's threat intelligence team as well as their public relations team. So we worked hand in hand. As soon as we found that this was a larger-scale operation, like I said, over 1,000 clients or accounts were identified during the investigation of this operation, we immediately notified AWS. And we got the attacker's infrastructure shut down because they were also using AWS infrastructure. And then we -- since we, as Palo Alto, don't have access to who owns the accounts, but AWS owns -- knows who owns those accounts, we leaned on AWS to do the victim notification for those accounts that were compromised or potentially compromised.
David Moulton: Did you face any challenges in coordinating a response across the cloud platforms?
Nathaniel Quist: So within Unit 42 and in Cortex, we have been working to create a sustained operation -- a sustained relationship with AWS, as well as, you know, Google, Google Cloud threat intel teams and research teams as well, you know, Microsoft's Azure teams so we can, you know, ensure that we have a strong relationship if we find these types of operations. So it's a sustained, ongoing effort that we maintain at a regular pace, regular cadence. Within this particular operation, it was a multi-month, you know, every week, probably two or three times a week, we were talking with AWS to say, this is what we found. Have you found anything different? And it was a coordinated operation, which was really nice to see.
David Moulton: So several episodes ago, we talked to Wendi Whitmore about this idea of intelligence sharing and the culture and just a sort of a seismic shift in the willingness for different companies that compete on business to be willing to share in intel. I asked her what she thought drove it. She mentioned she thought that the catalyst was in and around the invasion of Ukraine. Have you seen that as well in your role? And do you think that that's one of the drivers? Or is it just a overall shift in the culture?
Nathaniel Quist: I am a huge fan of sharing. I love the idea of information sharing. I mean, we have a Cyber Threat Alliance that Palo Alto is a part of, which is, you know, the cooperative nature of all of our competitors. And we're working together to ensure that our customers are safe in a lot of, you know, various angles, you know, from cloud to on-prem. You know, but it takes effort and it takes work. It takes trust in each other that we're trying to do the best thing and not just trying to make money off of it. So there's a -- it's a fine line. But I think Wendi is right that when we have, you know, global events that are very sensitive and exacerbate issues of cyber sharing and, you know, what is good for, you know, protecting people, especially when it comes from, you know, going from digital to kinetic warfare operations. Yeah, I mean, it's now -- it's more important now than I think it's ever been. We need to share and we need to share more information, but more specialized and exacting information.
David Moulton: Yeah, I think her word was contextualized so that people could action on it rather than just like a total data dump.
Nathaniel Quist: Yeah, it's like if you're just spending, you know, it's like so Palo Alto, we ingest, you know, petabytes of data, you know, a day, which is a massive amount of information. And you can't just turn around and share all of that. I mean, you have to contextualize. You have to put -- That's what my team does is create enrichment around data. If something happens, what does it mean, and how do we make it actionable in a very specific way to who needs to know?
David Moulton: Yep.
Nathaniel Quist: So it was interesting to go through this process and then work with cloud service provider like AWS to say, you know, this happened. Can we stop this from happening to other people? And can we, you know, let these other organizations know that they may have been compromised? It was very satisfying to see it.
David Moulton: So going back to that attack, it wasn't just opportunistic. It was automated, massively automated. So how does that automation change the nature of cloud of threats?
Nathaniel Quist: So I think I love this kind of question because cloud is specifically automation. It is dynamic, right? We no longer have to worry or to stress about an on-prem data center where we have to maintain servers and, you know, stand up, you know, bare-metal systems. If we want to have an application, we don't have to take a month to stand up a server and make sure it's connected and networked properly and, you know, up to date and patched. I mean, we can have a Terraform template that --
David Moulton: You just push a button.
Nathaniel Quist: Yeah, exactly.
David Moulton: And then it's ready to go.
Nathaniel Quist: Yeah. So you have a Terraform template where you do, you just push that button, and within minutes, you have a whole app and infrastructure set up. That's fantastic. That's amazing. So it's good for us as dynamic, you know, building and pushing new technologies. But threat actors like that, too, because they can also just push a button and automate an attack. We've seen, and I think I may have mentioned this in the last podcast, like from detection of an identity access management credential to execution and malicious usage of that credential was four minutes, you know. So this attack is similar to that attack in that -- well, it didn't take four minutes. It was definitely two days, you know, 48 hours, between the initial attack to, you know, ransomware-level, you know, data exfiltrating out of that environment. So it's very interesting to see that automation is making things faster.
David Moulton: I want to follow up on that question with something about tools. Were there specific tools or frameworks that you've seen threat actors using to accelerate their attacks?
Nathaniel Quist: So interestingly enough, threat actors currently are using a lot of living off the land techniques. So they are using, you know, cloud-internal tools. They are using, you know, like WinSCP to assist with file transfers. They are using, you know, Boto3, which is a S3 browser in order to have, essentially, a UI, a user interface, that they can move data from one account to another account. And they're using tools that are legitimate and accurate that we all use, you know. And so they're using a lot of those kind of tools. So we're in a very interesting, I won't say wild, wild west sort of component, but our ability to contextualize what is happening and make that determination if it's malicious or benign. It's tricky right now. But there are definitely indicators on what to look for.
David Moulton: Yeah, it's kind of the old analogy of the sheep. It's the old analogy of the wolf in sheep's clothing, right?
Nathaniel Quist: Right.
David Moulton: It looks right. And it's supposed to be there. But underneath, something isn't right.
Nathaniel Quist: Oh, exactly. If you're seeing this identity access management credential being used, or a service account that is being used, but it's being used from, you know, a different country or a different region or something of that nature, it's definitely very suspicious. Like service accounts are very -- a key factor in a lot of our investigations because a service account is supposed to be used by a machine. And if it's being used to perform code execution, a remote code execution, that's probably not supposed -- that's probably not what it's designed to do. So it gives us a trigger or a key to look into that.
David Moulton: You've emphasized the importance of cloud posture and runtime security. What does good posture look like when defending against a campaign like this?
Nathaniel Quist: So I want to be very clear that I kind of sense that there is almost a, I don't want to say, a battle between posture, cloud posture, security and then runtime security. Both of them are critical, but it's not one or the other. You have to have good posture in order to move into good runtime. So I like to equate posture, cloud posture is like the foundation of a house. You want to build a house directly onto the dirt. You need to have a solid foundation that can withstand water and wind and hail and tornadoes and all of these things. That's what makes the house more solid, more secure, is a solid foundation. Cloud posture is that same idea. We need to ensure that the systems that are being built into your cloud are free of misconfigurations. They're not exposed directly to the Internet if they don't have to be. They don't have hard-coded credentials built into them. You know, they are data. So DSM capabilities, being able to secure the data flow from our storage containers, ensure that only those components or those applications that need to access that data is allowed to access that data. So posture is ensuring that the wheels run smoothly and that they are running accurately and truly to, you know, you know, just to ensure that this is how it's supposed to run, when it's supposed to run, and it's secure. And then runtime comes in after that is, after it's built if it ever changes in some way, then runtime security comes in and says, oh, this changed here, this changed here, this changed here.
David Moulton: In your research, you've mentioned identity and access management as a critical weakness. What are the most common IAM missteps that we're seeing right now?
Nathaniel Quist: Yes. To me, identity is the -- it is the perimeter of cloud. To me, identity will always be the major goal of protection and security in cloud environments. So naturally, hard coded credentials, you know, overly permissive roles, these two things are very, you know, tantamount to a good posture. We want to ensure that we don't have hard-coded credentials anywhere. We don't -- Though, if we do have hard-coded credentials there, they are, you know, hidden away from public exposure, those types of components. We're still seeing about 64% of cloud repos having hard-coded credentials in their cloud storage repositories. It's just we need to keep pulling it down. It's better than it was, but we need to keep pulling it down, right? And then I've mentioned service accounts, seeing service accounts performing operations that they're not supposed to be doing because they're supposed to be a machine. But if they're starting to perform user behavior operations, we should definitely take a look at those pieces.
David Moulton: So you've mentioned a couple.
Nathaniel Quist: Yeah.
David Moulton: Is there one specific thing that if you had the easy button, you'd push it, and that would just go away, and you'd never see it again? What's the first one?
Nathaniel Quist: Hard-coded credentials. That's the first one.
David Moulton: My man. [laughter] So you've talked -- So you've previously shown how fast attackers can act sometimes within literally minutes of credential exposure. Did this campaign have a similar velocity?
Nathaniel Quist: It is. It was not minutes. It wasn't four minutes. It was more like 48 hours.
David Moulton: But still, it's really fast.
Nathaniel Quist: It's really fast, right? Exactly. So one thing that was interesting is, we're seeing within cloud, we're seeing attackers use automation to perform that discovery phase. The lateral movement and the escalation operations, those are very automated functionality. But when it comes to the exfiltration of data or the actual ransomware operation itself, it's still hands-on keyboard. And that takes a little bit more time to, you know, to operate, so.
David Moulton: What can defenders do to defend when the window to react is so short before real damage has been done?
Nathaniel Quist: That secure posture from the very beginning. Ensure that the -- that they are free of vulnerabilities, they're free of misconfigurations to ensure that, you know, we have service accounts that are not exposed publicly. If they are exposed publicly, alerts happen. You know, we need to ensure that we start from a good, solid base to begin with. The next thing that we need to do is ensure we have visibility into those cloud systems to ensure that if something were to happen, we can at least see it, notify it, and hopefully prevent it before something, you know, goes sideways.
David Moulton: You know, to me, it feels like we're at this turning point with cloud extortion having evolved beyond traditional ransomware. Do you think that we're entering a new era of cloud-native extortion?
Nathaniel Quist: I think so. And I think it's -- I think you hit it right there where it's cloud ransomware when we're changing that word ransomware to extortion.
David Moulton: Right.
Nathaniel Quist: In the past, and I think probably for the past four or five years, we've seen a lot of theoretical attacks on cloud environments. Like this is what a ransomware attack will look like or could look like. And it followed very similar patterns to what ransomware attacks occur on on-prem environments, where it's a series of encryptions over and over and over and over and over again against, you know, thousands of files within whatever storage container. In cloud, we're, and this case proves it, is that we're not seeing encryptions over and over and over and over and over again. So we're actually just seeing data sync or data copy from that environment to some other environment. And that's very different, one line of data sync or data copy versus a thousand lines of encryption. It's harder to see it, right, in cloud. But it also makes it faster for attackers just to move it away. You know, they just, you know, copy the data and put it somewhere else and then delete everything and leave a ransom note. So it's really not ransoming. You're not ransoming. There is no ransom event. It is extorting because --
David Moulton: Yeah, there's no encryption event. It's just theft.
Nathaniel Quist: Yeah, it's straight up.
David Moulton: It's just gone. And if you want it back and you want us to keep quiet about it, then you can pay that ransom. And that extortion can go very quickly and at massive, massive scale. And it feels like it's a different beast for an organization to plan against and to defend against and respond to.
Nathaniel Quist: It does. But we have the tools.
David Moulton: That's right.
Nathaniel Quist: And I think that's really key is we have tools to protect ourselves. We have the ability to -- You know, data versioning. If the data was removed, and granted, it's terrible that your data is now somewhere else that you can't control. And that's -- that is bad. But you're not at a loss. You can keep all of the data. Just revert back to a known good state, or to before it was gone, just revert it back. And then you have all your data back. So then you don't have to pay the extortion. But, you know, they kind of -- they kind of catch you a little bit where it's like, well, now we're going to expose this, and you lose reputation, and you lose credibility, and those aspects. So, you know, they kind of hit you twice. But at least we have the tools to ensure that we can keep working. We can keep production quality going.
David Moulton: Yeah, you can keep the enterprise up and running, but it comes at the cost of that trust, the reputation.
Nathaniel Quist: Correct.
David Moulton: And you wonder where else have they been in your system. And it starts to pull focus from what you're setting out to do as an organization. Looking at the broader trend line, what's likely the next evolution of a cloud-focused attack?
Nathaniel Quist: So I believe that attackers follow the path of least resistance. And it's kind of a common term in security where, you know, attackers go where they have access. And, you know, so they go through this. Back in 2021, I released a blog that was talking specifically about malware focused on crypto-jacking. So it was, you know, performing specific exploitation events of applications. And it was all on a very malware-based, Go-language-centric, you know, binary or malware sample. And I think that we're going to start to see that more. I think currently right now is actors, they don't have to create a whole bunch of malware in order to, you know, break or compromise a system. They can just go find an identity access management credential and script something really quickly. And now they have access. And they've escalated their privileges. And off they go. As attackers start, you know, realizing that we, us defenders, are closing down the avenues and we're making our systems more secure by having better posture, and, you know, we're, you know, narrowing the scope of the access that this particular account may have or, you know, we're doing our jobs, attackers will most likely start moving more into that malware variant. So we're going to start seeing more, you know, malware executive exploits against applications. We're going to start seeing more, you know, the exploitation of vulnerabilities on cloud-hosted environments. We're starting to see those more. So the next thing defenders can do is ensure that we have runtime monitoring agents in those cloud endpoints, on those API services, on those web-hosted applications that are hosted in-cloud, you know, ensure that we are able to see that if new processes or executables were executed or there is malware occurring or there's new network traffic, that we have an agent there to record that and to alert on it. And then, thank you for Cortex Cloud, we have the ability to prevent it from even starting. It's like we see this execution happening. Let's stop it before network communication actually takes place, so.
David Moulton: What threat should defenders start preparing for now?
Nathaniel Quist: So I think I would answer that in two ways. I would say, initially, we're going to start seeing attackers using serverless accounts -- or not serverless. I'm sorry. You're going to start seeing attackers use more service accounts in order to perform operations. They have access to back-end systems. They have those types of, you know, credentials and permissions. Then we're going to start seeing, once credit access is narrowed and attacker -- or -- as defenders are making that attack surface harder, you know, more secure, then we're going to start seeing attackers move more into targeting vulnerable applications hosted in-cloud. So we're going to start seeing more malware. We're going to start seeing more, you know, malicious type of operations from either servers, serverless functions, poisoned serverless functions, or, you know, compromised cloud instances, virtual machines, compute instances. So we as defenders need to start ensuring that we have visibility into our public endpoints to ensure that whatever API server or, you know, web hosting application and the compute system that it's running on, be that serverless or, you know, a virtual machine, is monitored and that its execution capability, its runtime executions are properly monitored to ensure that we have visibility. And then we can prevent things before they get too far. [ Music ]
David Moulton: So, Q, thanks for a great conversation and this breakdown of this cloud incident that you've shared and you're talking about here at RSA. I always look forward to our conversations. I think I've told you this, but one of my favorite things about being a podcast host here at Palo Alto is I get to learn from people that are world-class, incredibly smart. And once again, you know, I think I got more out of this podcast than you as a guest. So I hope you're okay with it. And I can't wait to have you back on again.
Nathaniel Quist: David, I love being on podcasts with you. I like your professionalism and how these podcasts just move, and they work. I like how it's organized. So I will keep coming back. I love having these conversations. Great questions.
David Moulton: Well, that's it for today. If you've liked what you've heard, please subscribe wherever you listen, and leave us a review on Apple Podcast or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to reach out to me directly, email me at threatvector @paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]