{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/image-compromise/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Web Services","Azure","Google Cloud Platform"],"_cs_severities":["medium"],"_cs_tags":["cloud","compute-instance","image-compromise"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis alert focuses on detecting the creation of cloud compute instances using previously unseen images within a cloud environment. The use of a new or unknown image could signal various malicious activities, including unauthorized deployment of resources, use of compromised images containing malware, or attempts to bypass security controls. While the provided content does not specify a threat actor, a successful attack involving a rogue image can lead to significant data breaches, resource hijacking, and operational disruption. It is crucial for defenders to identify and investigate such instances promptly to prevent further damage. The scope of this alert is applicable to any cloud environment that supports compute instance creation from images.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a cloud account or obtains valid credentials via credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious or compromised image to the cloud environment's image repository or leverages a publicly available, but malicious image.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the cloud provider's API or management console to initiate the creation of a new compute instance.\u003c/li\u003e\n\u003cli\u003eDuring instance creation, the attacker specifies the previously unseen image as the source image for the new instance.\u003c/li\u003e\n\u003cli\u003eThe cloud provider provisions the new compute instance using the specified image.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the newly created instance and executes malicious code or uses it for lateral movement within the cloud environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits resources within the compromised instance to steal sensitive data or compromise other cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised cloud compute instances can lead to data breaches, resource hijacking for cryptocurrency mining, and the deployment of malicious applications. A single compromised instance can serve as a beachhead for lateral movement, potentially impacting a large number of resources within the cloud environment. The use of rogue images bypasses standard image vetting procedures, increasing the likelihood of a successful attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eCloud Instance Created with Unseen Image\u003c/code\u003e to detect when a new compute instance is created using an image that has not been previously observed in your environment. Tune the rule to your specific environment and baselines.\u003c/li\u003e\n\u003cli\u003eEnable and monitor cloud provider logs related to compute instance creation and image usage to provide the data source for the Sigma rule above (CloudTrail, Azure Activity Log, GCP Cloud Logging).\u003c/li\u003e\n\u003cli\u003eImplement strict image vetting procedures, including regular scanning for vulnerabilities and malware, to reduce the risk of deploying compromised images.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-25-cloud-instance-unseen-image/","summary":"A cloud compute instance was created with a previously unseen image, potentially indicating malicious activity such as unauthorized deployment or image compromise.","title":"Cloud Compute Instance Created with Previously Unseen Image","url":"https://feed.craftedsignal.io/briefs/2024-01-25-cloud-instance-unseen-image/"}],"language":"en","title":"CraftedSignal Threat Feed - Image-Compromise","version":"https://jsonfeed.org/version/1.1"}