{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kubernetes-secrets/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Secrets Manager","Google Secret Manager","Azure Key Vault","Kubernetes Secrets"],"_cs_severities":["high"],"_cs_tags":["cloud","credential-access","kubernetes"],"_cs_type":"advisory","_cs_vendors":["AWS","Google","Microsoft","Kubernetes"],"content_html":"\u003cp\u003eThis detection identifies instances where a single source IP address accesses secret-management APIs across multiple cloud environments, including AWS Secrets Manager, Google Secret Manager, Azure Key Vault, and Kubernetes Secrets. This activity, occurring within a short timeframe, is indicative of potential credential theft, session hijacking, or token replay. Attackers with compromised credentials may attempt to rapidly retrieve secrets to expand access or exfiltrate sensitive information. The rule leverages data from AWS CloudTrail, Azure platform logs, GCP audit logs, and Kubernetes audit logs. Defenders should investigate unexpected cross-cloud secret retrieval, as it is uncommon and typically points to automation misuse or malicious activity. This detection helps identify and respond to threats involving stolen authenticated sessions used to harvest secrets across diverse cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through credential theft, session hijacking, or token replay.\u003c/li\u003e\n\u003cli\u003eCompromised credentials are used to authenticate to one of the cloud provider environments (AWS, Azure, or GCP).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials to access the secret management service (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves secrets using API calls such as GetSecretValue (AWS), SecretGet/KeyGet (Azure), or AccessSecretVersion (GCP).\u003c/li\u003e\n\u003cli\u003eThe attacker pivots and uses the same compromised credentials or session to access secret management services in other cloud provider environments.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves secrets from the additional cloud environments, demonstrating cross-cloud access.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate the harvested secrets or use them to escalate privileges within the compromised cloud environments.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and expands their access by leveraging the retrieved secrets to compromise additional resources and services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised credentials and harvested secrets can lead to significant data breaches, unauthorized access to sensitive resources, and privilege escalation within cloud environments. Successful attacks can result in the exposure of sensitive data, including API keys, database passwords, and encryption keys, potentially impacting thousands of organizations. The Wiz.io blog post referenced in the rule, \u0026quot;Shai Hulud 2.0: Ongoing Supply Chain Attack,\u0026quot; underscores the potential for supply chain compromise through secret harvesting.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment to detect suspicious cross-cloud secret retrieval activity.\u003c/li\u003e\n\u003cli\u003eEnable DATA_READ logging for the Secret Manager API service in GCP to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eEnable Diagnostic Logging for the Key Vault Service in Azure to capture secret access events.\u003c/li\u003e\n\u003cli\u003eReview IAM permissions and restrict secret access to least privilege across all cloud environments to limit the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for users where applicable to enhance identity security and prevent credential theft.\u003c/li\u003e\n\u003cli\u003eRotate all accessed secrets and review other secrets the identity can access if compromise is suspected, as described in the rule's response and remediation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-secrets-access/","summary":"A single source IP accessing secret-management APIs across multiple cloud providers (AWS, GCP, Azure) and Kubernetes clusters within a short timeframe indicates credential theft or token replay for secret harvesting.","title":"Multiple Cloud Secrets Accessed by Source Address","url":"https://feed.craftedsignal.io/briefs/2024-01-multi-cloud-secrets-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Kubernetes Secrets","version":"https://jsonfeed.org/version/1.1"}