|
Resource Hijacking: Cloud Service Hijacking
Other sub-techniques of Resource Hijacking (7)
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.
Foreaxmple, adversaries may leverage email and messaging services, such as AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), and Twilio, in order to send large quantities of spam / Pushing email and SMS messages. Alternatively, they may engage in LLMJacking by leveraging reverse proxies to hijack the power o fcloud-hosted AI models.
In some cases, adversaries may leverage services that the victim is already using. In others, particularly when the service is part of a larger cloud platform, they may first enable the service. Leveraging SaaS applciatios may cause the victim to incur significant financial costs, use up service quotas, and otherwise impact availability.
Detection
| ID | Data Source | Data Component | Description |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor for excessive use of SaaS applications, especially messaging and AI-related services. In AWS SES environments, monitor for spikes in calls to the SendEmail or SendRawEmail API. Especially note the use of services which are not typically used by the organization. |
| DS0025 | Cloud Service | Cloud Service Modification | Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled. In AWS environments, watch for calls to Bedrock APIs like `PutUseCaseForModelAccess`, `PutFoundationModelEntitlement`, and `InvokeModel` and SES APIs like UpdateAccountSendingEnabled. |