Persistence

T1525: Implant Internal Image


T1525 · Technique · 2 platforms

Description

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images, as well as container images used by popular runtimes such as Docker, can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this can provide persistent access: if the provisioning tool is instructed to always use the latest image (for example by referencing a mutable tag rather than a specific image ID or digest), every instance or container it creates is built from the backdoored image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
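How references are resolved is the crux of the persistence described above: a provisioning tool that pulls `app/web:latest` (or any tag) receives whatever the registry currently serves under that name, while a reference pinned by digest cannot be silently swapped for a backdoored image. The following Go program is an added example for this page, not code from the Rhino Security Labs tool or from any other project. The image references it audits are constructed, and its parsing of `registry/repo:tag@digest` follows the container runtime's defaults (docker.io when no registry is given, `latest` when no tag or digest is given).

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is the decomposed form of [registry/]repo[:tag][@digest].
type ImageRef struct {
	Registry string
	Repo     string
	Tag      string
	Digest   string
}

// Finding explains why a reference lets the deployed image change without
// any change to the provisioning code.
type Finding struct {
	Ref    string
	Reason string
}

// ParseRef splits a container image reference, applying the runtime's
// defaults: no registry means docker.io, and no tag or digest means "latest".
func ParseRef(ref string) ImageRef {
	var r ImageRef
	rest := ref
	if at := strings.Index(rest, "@"); at >= 0 {
		r.Digest = rest[at+1:]
		rest = rest[:at]
	}
	// A ':' after the last '/' separates the tag; before it, it is a registry port.
	slash := strings.LastIndex(rest, "/")
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		r.Tag = rest[colon+1:]
		rest = rest[:colon]
	}
	// The first path component is a registry only if it looks like a host.
	parts := strings.SplitN(rest, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		r.Registry, r.Repo = parts[0], parts[1]
	} else {
		r.Registry, r.Repo = "docker.io", rest
	}
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest"
	}
	return r
}

// IsPinned reports whether the reference names immutable content, i.e. carries
// a well-formed sha256 digest. Tags, including version-looking ones, can be
// re-pointed by anyone who can push to the repository.
func IsPinned(r ImageRef) bool {
	const want = len("sha256:") + 64
	return strings.HasPrefix(r.Digest, "sha256:") && len(r.Digest) == want
}

// AuditRefs flags every reference a provisioning tool would re-resolve at
// deploy time, which is the condition under which an implanted image in the
// internal registry becomes persistent.
func AuditRefs(refs []string) []Finding {
	var out []Finding
	for _, ref := range refs {
		r := ParseRef(ref)
		switch {
		case IsPinned(r):
			continue
		case r.Digest != "":
			out = append(out, Finding{ref, "digest is not a well-formed sha256 digest"})
		case r.Tag == "latest":
			out = append(out, Finding{ref, "resolves to whatever is currently tagged latest; pin with @sha256:<digest>"})
		default:
			out = append(out, Finding{ref, fmt.Sprintf("tag %q is mutable and can be retargeted; pin with @sha256:<digest>", r.Tag)})
		}
	}
	return out
}

// SampleRefs is a constructed set of references as they might appear in a
// deployment manifest; it is not taken from any real environment.
var SampleRefs = []string{
	"internal.registry.example:5000/app/web:latest",
	"internal.registry.example:5000/app/web",
	"internal.registry.example:5000/app/web:1.4.2",
	"internal.registry.example:5000/app/web:1.4.2@sha256:" + strings.Repeat("a", 64),
	"ubuntu:22.04",
}

func main() {
	for _, f := range AuditRefs(SampleRefs) {
		fmt.Printf("%-75s %s\n", f.Ref, f.Reason)
	}
}
```

Only the fourth reference survives the audit. Note that `1.4.2` is flagged as well: a version tag looks stable, but an attacker who can push to the repository can retarget it just as easily as `latest`, so pinning must be by digest, not by tag.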

Platforms

IaaS, Containers

Mitigations (3)

Code Signing (M1045)

Several cloud service providers support content trust models that require that container images be signed by trusted sources before they are pulled or run.(Citation: Content trust in Azure Container Registry)(Citation: Content trust in Docker)
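Content trust binds the admission decision to the image's content digest rather than to its tag. The Go program below is an added example for this page, not the Docker or Azure Container Registry implementation: it stands in for a publisher signing the manifest digest with an Ed25519 key and a pull-side gate verifying that signature before admitting the image. The two manifests are constructed stand-ins; the implanted one differs only by an appended layer, which changes the digest and so invalidates the signature made for the original.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed manifest stand-ins; a real manifest is JSON listing layer and
// config digests. The implanted one differs only by an appended layer.
var (
	OriginalManifest  = []byte(`{"config":"sha256:aaaa","layers":["sha256:1111","sha256:2222"]}`)
	ImplantedManifest = []byte(`{"config":"sha256:aaaa","layers":["sha256:1111","sha256:2222","sha256:9999"]}`)
)

// ManifestDigest computes the digest registries use to identify content.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Signer holds the publisher's private key. Only the public key is
// distributed to the nodes that pull images.
type Signer struct{ priv ed25519.PrivateKey }

func NewSigner() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, nil, err
	}
	return Signer{priv: priv}, pub, nil
}

// Sign produces a detached signature over the manifest digest. Signing the
// digest rather than the tag is what binds trust to content: an image pushed
// over the same tag has a different digest and therefore no valid signature.
func (s Signer) Sign(digest string) []byte {
	return ed25519.Sign(s.priv, []byte(digest))
}

// AdmitImage is the pull-side gate. The node digests the manifest it actually
// fetched and admits the image only if the publisher signed that digest.
// It returns the digest so the caller can record exactly what was deployed.
func AdmitImage(pub ed25519.PublicKey, manifest, sig []byte) (string, bool) {
	digest := ManifestDigest(manifest)
	if len(sig) != ed25519.SignatureSize {
		return digest, false // unsigned or malformed signature
	}
	return digest, ed25519.Verify(pub, []byte(digest), sig)
}

func main() {
	signer, pub, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := signer.Sign(ManifestDigest(OriginalManifest))

	for _, c := range []struct {
		name     string
		manifest []byte
		sig      []byte
	}{
		{"original, signed", OriginalManifest, sig},
		{"implanted, stale signature", ImplantedManifest, sig},
		{"implanted, unsigned", ImplantedManifest, nil},
	} {
		digest, ok := AdmitImage(pub, c.manifest, c.sig)
		fmt.Printf("%-28s %s... admitted=%v\n", c.name, digest[:19], ok)
	}
}
```

The gate never consults the tag, so an attacker who re-pushes `latest` in the internal registry gains nothing unless they also hold the publisher's signing key, which is why that key must not live on the build hosts or in the registry itself.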

Privileged Account Management (M1026)

Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.
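One concrete form of this mitigation is reviewing which IAM principals can create or push images at all. The Go program below is an added example, not an AWS tool: it parses a constructed IAM policy document and reports Allow statements that grant image-write actions, marking those whose Resource is "*". The action list (ec2:CreateImage, ecr:PutImage and the rest) is an assumption about what matters in this environment and should be extended for the services actually in use; the program does not evaluate Deny statements, permissions boundaries or SCPs, so its output is a review aid rather than an authorisation decision.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// oneOrMany decodes IAM's convention that a field holds one value or a list.
func oneOrMany[T any](b []byte) ([]T, error) {
	var one T
	if err := json.Unmarshal(b, &one); err == nil {
		return []T{one}, nil
	}
	var many []T
	err := json.Unmarshal(b, &many)
	return many, err
}

type StringOrList []string
type Statements []Statement

func (s *StringOrList) UnmarshalJSON(b []byte) (err error) { *s, err = oneOrMany[string](b); return }
func (s *Statements) UnmarshalJSON(b []byte) (err error)   { *s, err = oneOrMany[Statement](b); return }

type Statement struct {
	Sid      string       `json:"Sid"`
	Effect   string       `json:"Effect"`
	Action   StringOrList `json:"Action"`
	Resource StringOrList `json:"Resource"`
}

type Policy struct {
	Statement Statements `json:"Statement"`
}

// ImageWriteActions create or modify machine/container images. This list is
// an assumption for the example; extend it for the services in use.
var ImageWriteActions = []string{
	"ec2:CreateImage", "ec2:RegisterImage", "ec2:ModifyImageAttribute", "ec2:CopyImage", "ec2:ImportImage",
	"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
}

// Finding is an Allow statement granting at least one image-write action;
// Unscoped means Resource "*", i.e. every image in the account.
type Finding struct {
	Sid      string
	Actions  []string
	Unscoped bool
}

// matchAction applies IAM's case-insensitive wildcard matching ('*', '?').
func matchAction(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// AuditPolicy reports Allow statements granting image-write actions. It does
// not evaluate Deny statements, boundaries or SCPs: it is a review aid only.
func AuditPolicy(doc []byte) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for _, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		f := Finding{Sid: st.Sid}
		for _, a := range ImageWriteActions {
			for _, pat := range st.Action {
				if matchAction(pat, a) {
					f.Actions = append(f.Actions, a)
					break
				}
			}
		}
		if len(f.Actions) == 0 {
			continue
		}
		for _, r := range st.Resource {
			f.Unscoped = f.Unscoped || r == "*"
		}
		out = append(out, f)
	}
	return out, nil
}

// SamplePolicy is a constructed document (the account ID is AWS's
// documentation placeholder), not a policy from any real account.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyEC2", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "BuildPipelinePush", "Effect": "Allow",
     "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app/web"},
    {"Sid": "DevAdmin", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}`

func main() {
	findings, err := AuditPolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s unscoped=%-5v grants %v\n", f.Sid, f.Unscoped, f.Actions)
	}
}
```

The read-only statement produces no finding, the pipeline's push rights are reported but scoped to one repository, and the `ec2:*` grant on `*` is the one to act on: a principal with it can register or modify any AMI in the account, which is exactly the capability the technique needs.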

Audit (M1047)

Periodically check the integrity of images and containers used in cloud deployments, comparing them against a known-good inventory, to ensure they have not been modified to include malicious software.
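A periodic integrity check is most useful when it compares the registry against what the build pipeline is recorded to have produced, by digest, rather than trusting tags. The Go program below is an added example, not a registry's own tooling; the build records and the registry listing are constructed sample data. Beyond flagging digests with no build record, it checks whether a suspect image reuses a known build's layer sequence and adds more, which is the shape an image takes when it is backdoored by pulling it, adding a layer, and pushing it back over the same tag.

```go
package main

import (
	"fmt"
	"strings"
)

// Image is what a registry listing or a build record gives us: the reference,
// the manifest digest and the ordered layer digests.
type Image struct {
	Repo   string
	Tag    string
	Digest string
	Layers []string
}

// Finding is one discrepancy between the registry and the pipeline's records.
type Finding struct {
	Ref    string
	Kind   string // "retargeted-tag" or "unknown-image"
	Detail string
}

// dg builds a constructed, obviously fake sha256 digest for the sample data.
func dg(c string) string { return "sha256:" + strings.Repeat(c, 64) }

// PipelineBuilds and RegistryListing are constructed sample data, not taken
// from a real registry.
var (
	PipelineBuilds = []Image{
		{"app/web", "1.4.2", dg("1"), []string{dg("a"), dg("b"), dg("c")}},
		{"app/api", "2.0.0", dg("2"), []string{dg("a"), dg("d")}},
	}
	RegistryListing = []Image{
		{"app/web", "1.4.2", dg("1"), []string{dg("a"), dg("b"), dg("c")}},          // unchanged
		{"app/api", "2.0.0", dg("3"), []string{dg("a"), dg("d"), dg("e")}},          // tag re-pushed with an extra layer
		{"app/web", "latest", dg("4"), []string{dg("a"), dg("b"), dg("c"), dg("f")}}, // tag the pipeline never produced
	}
)

// extraLayers returns the layers appended on top of a known image, or nil if
// the candidate does not start with the known image's layer sequence.
func extraLayers(known, candidate []string) []string {
	if len(candidate) <= len(known) {
		return nil
	}
	for i := range known {
		if candidate[i] != known[i] {
			return nil
		}
	}
	return candidate[len(known):]
}

// AuditRegistry compares what the registry serves with what the pipeline is
// recorded to have built. A digest the pipeline never produced is suspect; one
// that reuses a known build's layers plus extra ones has the shape of an image
// that was pulled, modified and pushed back.
func AuditRegistry(builds, registry []Image) []Finding {
	byDigest := map[string]bool{}
	byRef := map[string]Image{}
	for _, b := range builds {
		byDigest[b.Digest] = true
		byRef[b.Repo+":"+b.Tag] = b
	}
	var out []Finding
	for _, img := range registry {
		if byDigest[img.Digest] {
			continue // bit-for-bit a pipeline build
		}
		ref := img.Repo + ":" + img.Tag
		kind, detail := "unknown-image", "no pipeline build record for "+img.Digest
		if known, ok := byRef[ref]; ok {
			kind = "retargeted-tag"
			detail = fmt.Sprintf("tag now serves %s; pipeline built %s", img.Digest, known.Digest)
		}
		// Does the suspect image extend any known build of the same repository?
		for _, b := range builds {
			if b.Repo != img.Repo {
				continue
			}
			if extra := extraLayers(b.Layers, img.Layers); extra != nil {
				detail += fmt.Sprintf("; extends build %s:%s with %d extra layer(s): %s",
					b.Repo, b.Tag, len(extra), strings.Join(extra, ", "))
				break
			}
		}
		out = append(out, Finding{ref, kind, detail})
	}
	return out
}

func main() {
	for _, f := range AuditRegistry(PipelineBuilds, RegistryListing) {
		fmt.Printf("[%s] %s\n    %s\n", f.Kind, f.Ref, f.Detail)
	}
}
```

The same comparison applies to running workloads: resolve the digest each instance or container was actually started from and check it against the build records, since an implanted image only matters once something runs it.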


Frequently Asked Questions

What is T1525 (Implant Internal Image)?

T1525 is a MITRE ATT&CK technique named 'Implant Internal Image'. It belongs to the Persistence tactic. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images, as well as container images such as Docker images, can be implanted or backdoored.

How can T1525 be detected?

Detection of T1525 (Implant Internal Image) centres on the image lifecycle rather than on generic endpoint telemetry. Monitor the cloud provider's audit logs for image creation, registration and modification events (for example AWS CloudTrail records of ec2:CreateImage and ec2:RegisterImage, or pushes to a container registry) and alert when images are created or tags retargeted outside the normal build pipeline or by unexpected principals. Periodically compare the digests of images in the registry, and of the images that running instances and containers were started from, against a known-good inventory. In containerized environments, registry logs, Docker daemon logs and Kubernetes audit logs record which users or service accounts added or modified images.

What mitigations exist for T1525?

Three mitigations are documented for T1525: Code Signing (M1045), Privileged Account Management (M1026), and Audit (M1047).

Which threat groups use T1525?

This page does not attribute T1525 to specific threat groups; the technique is documented from the Rhino Security Labs research cited above. Check the MITRE ATT&CK website for current procedure examples and threat intelligence.