FOCUS MODE
EXTRACT IOC
Threat Research

Tracking cloud-fluent threat actors – Part two: Behavioral cloud IOCs

admin
Tracking cloud-fluent threat actors – Part two: Behavioral cloud IOCs
Behavioral IOCs are critical indicators that reveal patterns of activity suggesting malicious intent, focusing on how attackers exploit systems. This article discusses the behavioral IOCs associated with an opportunistic threat actor known as “Bapak,” who abuses exposed keys. The discussion includes a method for detecting such attacks through fingerprinting. Affected: cloud environments

Keypoints :

  • Behavioral IOCs highlight patterns of activity rather than just tools used by attackers.
  • They are derived from runtime telemetry and activity logs, enabling complex detections.
  • The article examines the malicious activities of a threat actor named “Bapak.”
  • Bapak exploits exposed keys and conducts systematic scanning of credentials.
  • Behavioral IOCs can indicate specific actions or series of actions linked to known actors.
  • Detection methods involve monitoring API calls and correlating them with geographical metadata.
  • Cloud honeypots are utilized to observe and analyze the behavior of threat actors.
  • Organizations should implement monitoring, threat intelligence sharing, and regular updates to behavioral baselines.

MITRE Techniques :

  • TA0001: Initial Access – Use of stolen cloud credentials to gain unauthorized access.
  • TA0002: Execution – API calls to CreateUser and ImportKeyPair to execute malicious actions.
  • TA0003: Persistence – Establishing unauthorized access through repeated calls to CreateUser.
  • TA0004: Privilege Escalation – Calling GetCallerIdentity and ListAttachedUserPolicies to enumerate permissions.
  • TA0005: Defense Evasion – Using VPNs to mask the activity of the threat actor.

Indicator of Compromise :

  • [file name] cluster/bapak1
  • [file name] appek
  • [file name] appes
  • [file name] dfgfg
  • [file hash] 3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDOFQ0b1hQKytvZzVFNkg1R1VIRkg2ZHpKaFREcTFwZ1RWYzQ5Ylc3VUhES21LTkorbWlaS3ZLRzFUbHhVaDRLVTZaaWE0SncxN2l1WnVUN2VmSzN3Ym9SQ2Y5bytzY0J6ZGVnWlZoUitTMEdrVGVIVlJYT2lmYisyUUhjMklwK2w0MHhNd3hmbDIzRXJPNDU2RGkxdGQzdlBOVUFZNDFtaEZzcWhxZFRuM0pGWm4vK01qZ0d6dHF0V1g5NG81V2p4UkFFQlJDVTN0NHJzYUkrSFFTQWNncm9YTjVBeUFOcEhLZ292RGFmNVh1WUc4cUlVd0M2eHZxbktLbENnK29kSlhxckhpVzhVM0J3MlBLaTBaNVVzcElLMEdwUGJnU3I5bWovdzU3WXhJWWd2VnZLWlpMYWt6K3NqUW1reGNMSk15ckxRU29wTWlFa1NoUDltRlZOdEwgcm9vdEBsb2NhbGhvc3QK
  • Check the article for all found IoCs.


Full Research: https://www.wiz.io/blog/detecting-behavioral-cloud-indicators-of-compromise-iocs

Views: 2

Tags: EXPLOIT, PRIVILEGE, INITIAL ACCESS, DEFENSE EVASION, CLOUD, PERSISTENCE