News

AWS and Azure at Risk for 'Shadow Admin' Attacks, Security Firm Warns

• By David Ramel
• 07/29/2020

Cloud giants Amazon Web Services (AWS) and Microsoft Azure are at particular risk for hidden admin users to take over customer accounts, according to a recent report by cybersecurity specialist CyberArk.

CyberArk dubs these hidden admin users "shadow admins," describing them in a blog post as "stealthy user entities that have specifically sensitive permissions granting them the ability to escalate privileges in cloud environments."

Shadow admins can use hidden admin accounts to escalate their privileges and damage an organization's network, the company said. "These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk."

The company said it has been focusing on the problem for years, first in an on-premises context and then in the cloud. It argues that AWS and Azure are at high risk for such attacks because of their sheer volume of permissions.

"While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments. (AWS and Azure each have more than 5,000 different permissions.) As a result, there are many cases where Shadow Admins can be created."

To combat the problem, CyberArk introduced the open source tool SkyArk with two modules designed to discover the most privileged entities in AWS and Azure. The company said organizations can increase their security posture by using the tools to discover the entities (users, groups and roles) who have the most sensitive and risky permissions, while also regularly scanning their environments to search for suspicious deviations in their privileged entities list.

The scanning tool only requires read-only permissions to query cloud entities and their assigned permissions and then perform analysis and provide the results.

"Attackers are increasingly targeting cloud environments and Shadow Admins are becoming a primary way for them to gain a foothold, escalate privileges and ultimately to do some serious damage," CyberArk said. "So, while securing admin users is the first key element in securing cloud environments, it's impossible to secure these admins if you don't know they exist -- and that's the true problem with Shadow Admins. SkyArk was developed to help make the challenge of finding and securing all your most privileged users (including Shadow Admins) easier and to make your cloud environments more secure."