Description
Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.(Citation: TLDRSec AWS Attacks)
Adversaries may also use cloud-native mechanisms to share victim data with adversary-controlled cloud accounts, such as creating anonymous file sharing links or, in Azure, a shared access signature (SAS) URI.(Citation: Microsoft Azure Storage Shared Access Signature)
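A reviewer who finds a SAS URI in a mailbox, ticket or log wants to know what it actually grants before deciding whether it is a sharing link worth worrying about. The helper below is an added example (not from MITRE ATT&CK or Microsoft's documentation): it parses the documented SAS query parameters (sp, se, st, sip, spr, sr, sig) and reports the grants a defender would question. The seven-day lifetime threshold, the set of write-type permission letters, and the sample URIs (fake contoso account, fake signature) are constructed assumptions.

```python
"""Audit an Azure Storage SAS URI for grants a defender would want to review.

Added example (not from MITRE ATT&CK or Microsoft). The thresholds below and
the sample URIs are assumptions constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Blob SAS permission letters that allow modifying or removing data.
WRITE_PERMS = set("acwdx")          # add, create, write, delete, delete-version
MAX_LIFETIME = timedelta(days=7)    # assumption: anything longer is worth a look

# Constructed sample inputs (fake account name, fake signature).
SAMPLE_NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)
RISKY_URI = ("https://contoso.blob.core.windows.net/backups"
             "?sv=2022-11-02&sr=c&sp=rwl&st=2024-03-01T00:00:00Z"
             "&se=2025-03-01T00:00:00Z&spr=https&sig=FAKE%2BSIG%3D")
TIGHT_URI = ("https://contoso.blob.core.windows.net/backups/db.bak"
             "?sv=2022-11-02&sr=b&sp=r&st=2024-03-04T00:00:00Z"
             "&se=2024-03-05T00:00:00Z&sip=203.0.113.10&spr=https&sig=FAKE%3D")


def _parse_time(value):
    """SAS start/expiry values are ISO 8601 in UTC, e.g. 2024-03-04T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(uri, now=None):
    """Return the parsed grant plus a list of human-readable findings."""
    now = now or datetime.now(timezone.utc)
    parts = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return {"is_sas": False, "findings": ["no sig parameter: not a SAS URI"]}

    perms = set(q.get("sp", ""))
    findings = []
    writable = perms & WRITE_PERMS
    if writable:
        findings.append("write-capable permissions: " + "".join(sorted(writable)))
    if "l" in perms:
        findings.append("list permission: holder can enumerate the container")
    if q.get("sr") == "c":
        findings.append("scope is a whole container rather than one blob")
    expiry = q.get("se")
    if expiry is None:
        findings.append("no se (expiry): lifetime comes only from a stored access policy")
    elif _parse_time(expiry) - now > MAX_LIFETIME:
        findings.append(f"expiry {expiry} is more than {MAX_LIFETIME.days} days out")
    if "sip" not in q:
        findings.append("no sip restriction: usable from any source IP")
    if q.get("spr", "https") != "https":
        findings.append("spr permits plain HTTP")

    return {
        "is_sas": True,
        "account": parts.netloc.split(".")[0],
        "resource": parts.path,
        "permissions": "".join(sorted(perms)),
        "expiry": expiry,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, uri in (("risky", RISKY_URI), ("tight", TIGHT_URI)):
        report = audit_sas(uri, now=SAMPLE_NOW)
        print(f"{label}: sp={report['permissions']!r}, {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

The same parse applies to account-level SAS tokens (which add ss and srt parameters) since they share the sp, se and sip fields; the finding list is what a detection pipeline would attach to the alert rather than the raw signature.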
Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
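Sharing an EBS snapshot or an AMI with another account is a single API call that never crosses an external network interface, which is exactly the blind spot the description points at, and the "Share an Amazon EBS snapshot" reference below documents that mechanism. The script below is an added detection example (not from MITRE ATT&CK or AWS): it scans JSON-encoded CloudTrail events for ModifySnapshotAttribute and ModifyImageAttribute calls and reports any grant to an account outside a known allowlist or to a group such as "all" (public). The allowlist, the account and resource IDs, and the sample events are constructed; the field layout follows the CloudTrail record format for those two calls.

```python
"""Flag CloudTrail events that share EBS snapshots or AMIs with accounts that
are not part of the organisation.

Added example, not from MITRE ATT&CK or AWS. The organisation allowlist and the
sample events below are constructed; field names follow the CloudTrail record
format for the ModifySnapshotAttribute and ModifyImageAttribute API calls.
"""
import json

# Assumption: account IDs that legitimately belong to the organisation.
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# API calls that can grant another account access to a backup, with the
# requestParameters keys that name the resource and carry the permission list.
SHARING_EVENTS = {
    "ModifySnapshotAttribute": ("snapshotId", "createVolumePermission"),
    "ModifyImageAttribute": ("imageId", "launchPermission"),
}

# Constructed sample events (fake IDs), one JSON document per line.
SAMPLE_EVENTS = [
    json.dumps(e) for e in (
        {"eventName": "ModifySnapshotAttribute", "eventTime": "2024-03-04T09:12:00Z",
         "recipientAccountId": "111111111111",
         "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
         "requestParameters": {"snapshotId": "snap-0ab1c2d3e4f5a6b7c",
                               "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
        {"eventName": "ModifySnapshotAttribute", "eventTime": "2024-03-04T09:15:00Z",
         "recipientAccountId": "111111111111",
         "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-admin"},
         "requestParameters": {"snapshotId": "snap-0ab1c2d3e4f5a6b7c",
                               "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
        {"eventName": "ModifyImageAttribute", "eventTime": "2024-03-04T09:20:00Z",
         "recipientAccountId": "111111111111",
         "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci/build"},
         "requestParameters": {"imageId": "ami-0123456789abcdef0",
                               "launchPermission": {"add": {"items": [{"group": "all"}]}}}},
        {"eventName": "DescribeSnapshots", "eventTime": "2024-03-04T09:21:00Z",
         "recipientAccountId": "111111111111",
         "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst"},
         "requestParameters": {}},
    )
]


def added_grantees(event):
    """Return (resource_id, user_ids, groups) for a sharing event, else None."""
    spec = SHARING_EVENTS.get(event.get("eventName"))
    if spec is None:
        return None
    id_key, perm_key = spec
    params = event.get("requestParameters") or {}
    items = ((params.get(perm_key) or {}).get("add") or {}).get("items") or []
    users = {i["userId"] for i in items if "userId" in i}
    groups = {i["group"] for i in items if "group" in i}
    return params.get(id_key), users, groups


def find_external_shares(lines, org_accounts=ORG_ACCOUNTS):
    """Scan JSON-encoded CloudTrail events; report grants leaving the organisation."""
    findings = []
    for line in lines:
        event = json.loads(line)
        grant = added_grantees(event)
        if grant is None:
            continue
        resource, users, groups = grant
        external = sorted(users - org_accounts)
        if not external and not groups:      # shared only with our own accounts
            continue
        findings.append({
            "time": event.get("eventTime"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "event": event["eventName"],
            "resource": resource,
            "external_accounts": external,
            "groups": sorted(groups),        # "all" means publicly shared
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_shares(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

In practice the allowlist would come from the organisation's account inventory (AWS Organizations) rather than a literal, and the same shape of rule extends to other share-style calls the page's mitigations are concerned with, such as RDS snapshot attribute changes.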
Platforms
Mitigations (4)
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can prevent and block sensitive data from being shared with individuals outside an organization.(Citation: Microsoft Purview Data Loss Prevention) (Citation: Google Workspace Data Loss Prevention) |
| M1018 | User Account Management | Limit user account and IAM policies to the least privileges required. |
| M1054 | Software Configuration | Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.(Citation: Google Workspace External Sharing) (Citation: Microsoft 365 External Sharing) |
| M1037 | Filter Network Traffic | Implement network-based filtering restrictions to prohibit data transfers to untrusted VPCs. |
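The User Account Management mitigation (M1018) is only checkable if you can say which principals are allowed to share a backup or bucket in the first place. The helper below is an added example (not from MITRE ATT&CK or AWS) that audits IAM policy documents for the sharing actions this technique relies on. It implements a deliberately simplified slice of IAM evaluation: explicit Deny beats Allow, Action and NotAction patterns use IAM's case-insensitive wildcards, and Resource and Condition are not evaluated, so a conditional Allow is reported as allowed for a reviewer to look at. The action list and both sample policies are constructed.

```python
"""Check whether IAM policy documents let their principal share backups or
storage with other accounts (the sharing actions T1537 relies on).

Added example, not from MITRE ATT&CK or AWS. Simplified evaluation: explicit
Deny beats Allow, action patterns are matched case-insensitively with IAM-style
wildcards, and Resource/Condition are ignored (a conditional Allow is reported
as allowed so a reviewer inspects it).
"""
import fnmatch

# Actions that grant cross-account or public access to snapshots, images and buckets.
SHARING_ACTIONS = [
    "ec2:ModifySnapshotAttribute",
    "ec2:ModifyImageAttribute",
    "rds:ModifyDBSnapshotAttribute",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
]

# Constructed sample policies: a broad grant and a least-privilege alternative.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
LEAST_PRIV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateSnapshot"], "Resource": "*"},
        # Explicit Deny so that another attached policy granting ec2:* cannot re-enable sharing.
        {"Effect": "Deny",
         "Action": ["ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Statement/Action/NotAction be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) applies to this action."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def allowed_sharing_actions(*policies):
    """Sharing actions effectively allowed across all supplied policy documents."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for action in SHARING_ACTIONS:
                if _statement_covers(stmt, action):
                    bucket.add(action)
    return sorted(allowed - denied)


if __name__ == "__main__":
    print("broad:", allowed_sharing_actions(BROAD_POLICY))
    print("least privilege:", allowed_sharing_actions(LEAST_PRIV_POLICY))
    print("both attached:", allowed_sharing_actions(BROAD_POLICY, LEAST_PRIV_POLICY))
```

Run it over every policy attached to a role (managed, inline and permission boundary) and over the SCPs that apply to the account; a non-empty result for a principal that has no business sharing backups is the least-privilege gap M1018 describes.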
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has copied data from the victim's environment to their own infrastructure using the AzCopy CLI.(Ci... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used Megasync to exfiltrate data to the cloud.(Citation: Secureworks GOLD IONIC April 2024) |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used cloud storage to exfiltrate data, in particular the megatools utilities were used to exfiltr... |
References
- Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022.
- Clint Gibler and Scott Piper. (2021, January 4). Lesser Known Techniques for Attacking AWS Environments. Retrieved March 4, 2024.
- Microsoft. (2019, December 18). Delegate access with a shared access signature. Retrieved March 2, 2022.
- Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022.
- Microsoft. (2023, June 7). Grant limited access to Azure Storage resources using shared access signatures (SAS). Retrieved March 4, 2024.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1537 (Transfer Data to Cloud Account)?
T1537 is a MITRE ATT&CK technique named 'Transfer Data to Cloud Account'. It belongs to the Exfiltration tactic. Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service. A de...
How can T1537 be detected?
Detection of T1537 (Transfer Data to Cloud Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1537?
There are 4 documented mitigations for T1537. Key mitigations include: Data Loss Prevention, User Account Management, Software Configuration, Filter Network Traffic.
Which threat groups use T1537?
Known threat groups using T1537 include: Storm-0501, INC Ransom, RedCurl.