Discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques.
Analysis Summary
# Tool/Technique: Bapak Threat Actor Activity (Case Study)
## Overview
"Bapak" is an opportunistic threat actor group primarily focused on abusing publicly exposed cloud credentials. Their activity is characterized by systematic scanning, opportunistic exploitation, and distinctive behavioral patterns observed in cloud API logs, particularly those related to establishing persistence and reconnaissance.
## Technical Details
- Type: Threat Actor Group / Behavioral Pattern
- Platform: Cloud Environments (implied AWS due to API calls like `GetCallerIdentity`, `CreateUser`, etc.)
- Capabilities: Opportunistic credential exploitation, establishing footholds, key management persistence.
- First Seen: Not explicitly stated; the article only describes the activity as observed "in recent engagements."
## MITRE ATT&CK Mapping
The observed activity maps to initial access, post-access discovery, and persistence in cloud environments. Only the first three tactics below are evidenced by the API calls the article describes; the rest are stated intent or inference.
- **TA0001 - Initial Access**
- T1078.004 - Valid Accounts: Cloud Accounts (use of exposed long-lived access keys)
- **TA0007 - Discovery** (the article calls this reconnaissance; in ATT&CK terms, enumeration performed after access is Discovery, while TA0043 Reconnaissance covers the pre-access scanning for exposed credentials)
- T1087.004 - Account Discovery: Cloud Account (`GetCallerIdentity`)
- T1069.003 - Permission Groups Discovery: Cloud Groups (`ListAttachedUserPolicies`)
- **TA0003 - Persistence**
- T1098.004 - Account Manipulation: SSH Authorized Keys (`ImportKeyPair` registers attacker-controlled public key material with EC2 so that it lands in the authorized keys of any instance launched with that key pair)
- T1136.003 - Create Account: Cloud Account (`CreateUser`, from the AndroxGh0st reference the article cites)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (cryptomining intent is mentioned, but no mining activity appears in the logs discussed)
- Not evidenced: exfiltration, lateral movement, and command and control are not demonstrated by the API sequence described and should not be inferred from it.
## Functionality
### Core Capabilities
- Systematically scanning for exposed cloud credentials.
- Establishing initial footholds upon successful unauthorized access.
- Using a consistent set of API calls for reconnaissance and setup.
### Advanced Features
- Reusing the exact same *public key material* across multiple distinct incidents to establish persistence via `ImportKeyPair`, which served as a strong linking indicator for the actor.
- Operations largely originate from a suspicious ASN located in Indonesia, with naming schemes suggesting an Indonesian origin.
## Indicators of Compromise
The article emphasizes **Behavioral IOCs** rather than traditional atomic file hashes, though some API sequences are actor-specific.
- File Hashes: N/A (Focus is on cloud activity)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Activity frequently originates from IP addresses associated with a suspicious ASN in **Indonesia**. VPNs may occasionally be used to obfuscate origin.
- Behavioral Indicators:
- **AndroxGh0st reference (cited in the article as an example of an actor-specific sequence; not Bapak activity):** `GetSendQuota` (an SES call that checks sending limits) followed by `CreateUser` with the name `ses_xcatze`.
- **Bapak-specific sequence:**
1. `ImportKeyPair` called immediately after initial access, registering attacker-controlled SSH public key material with EC2.
2. The same public key material reused across multiple distinct victims. The key content, not the chosen key name, is the linking indicator.
- **Generic TTP Pattern:** Multiple successive calls to `GetCallerIdentity` and `ListAttachedUserPolicies` with a `Boto3` user agent, indicating scripted enumeration. The user agent by itself is not an indicator, since legitimate automation also uses Boto3; the burst of discovery calls from a key with no prior history is.
## Associated Threat Actors
- Bapak (Opportunistic group, potentially operating out of Indonesia).
## Detection Methods
Detection relies heavily on cloud activity logs (e.g., AWS CloudTrail) correlated against behavior and context.
- Signature-based detection: Atomic signatures have limited value here. The `Boto3` user agent is shared with legitimate automation, so match it only as one element of a suspicious sequence. The one durable atomic indicator is the reused SSH public key material: keep fingerprints of keys seen in prior incidents and alert on any `ImportKeyPair` whose `publicKeyMaterial` matches.
- Behavioral detection: Prioritized. Correlate API sequences (a burst of `GetCallerIdentity`/`ListAttachedUserPolicies`, then `ImportKeyPair`, followed by likely instance launch or use), flag calls originating from the suspicious Indonesian ASN, and match imported keys against previously seen Bapak key material.
- YARA rules: N/A (Not applicable for cloud API behavior analysis).
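The detection logic above, as an added example that is not code from the article or from any vendor: a small Python pass over CloudTrail-style events that (1) flags `ImportKeyPair` occurring shortly after the first observed use of an access key, (2) matches the imported key material against fingerprints from earlier incidents, ignoring the key name and the OpenSSH comment field so the same key is recognized under different labels, and (3) flags a burst of `GetCallerIdentity`/`ListAttachedUserPolicies` calls from a Boto3 user agent. The events, access key IDs, IPs and key material are constructed; the fingerprint is a SHA-256 over the key type and blob (our own normalization, not the MD5 `keyFingerprint` EC2 reports), and the "first seen" time assumes the batch begins at the key's first use.

```python
"""Behavioral detection over CloudTrail-style events for the Bapak pattern.

Added example. The events below are constructed, not real CloudTrail data, and
carry only the fields the logic needs.
"""
import base64
import hashlib
from collections import defaultdict
from datetime import datetime, timezone

DISCOVERY_CALLS = {"GetCallerIdentity", "ListAttachedUserPolicies"}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_fingerprint(public_key_material_b64: str) -> str:
    """SHA-256 over the key type and base64 blob only, so the same key matches
    even when the trailing comment or the EC2 keyName differs. Our own
    normalization for cross-incident matching, not AWS's MD5 keyFingerprint."""
    text = base64.b64decode(public_key_material_b64).decode(errors="replace").strip()
    parts = text.split()
    core = " ".join(parts[:2]) if len(parts) >= 2 else text
    return hashlib.sha256(core.encode()).hexdigest()


def ev(t, name, key, ua, ip="203.0.113.10", **extra):
    """Build a minimal CloudTrail-shaped event (constructed sample data)."""
    e = {"eventTime": t, "eventName": name, "userIdentity": {"accessKeyId": key},
         "sourceIPAddress": ip, "userAgent": ua}
    e.update(extra)
    return e


# Constructed key material: OpenSSH-shaped text, not a real key.
BAPAK_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey000000000000000"
BOTO3 = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11.4"
CLI = "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/macos"

SAMPLE_EVENTS = [
    # Scripted enumeration then key import from a freshly used key (hypothetical IDs/IPs)
    ev("2024-05-01T10:00:00Z", "GetCallerIdentity", "AKIAEXAMPLE001", BOTO3),
    ev("2024-05-01T10:00:02Z", "ListAttachedUserPolicies", "AKIAEXAMPLE001", BOTO3),
    ev("2024-05-01T10:00:03Z", "GetCallerIdentity", "AKIAEXAMPLE001", BOTO3),
    ev("2024-05-01T10:00:05Z", "ListAttachedUserPolicies", "AKIAEXAMPLE001", BOTO3),
    ev("2024-05-01T10:00:40Z", "ImportKeyPair", "AKIAEXAMPLE001", BOTO3,
       requestParameters={"keyName": "svc-key",
                          "publicKeyMaterial": _b64(BAPAK_KEY + " bapak@host")}),
    # Benign admin: two CLI calls hours apart, no Boto3 burst, no key import
    ev("2024-05-01T11:00:00Z", "GetCallerIdentity", "AKIAEXAMPLE999", CLI, ip="198.51.100.7"),
    ev("2024-05-01T15:00:00Z", "ListAttachedUserPolicies", "AKIAEXAMPLE999", CLI, ip="198.51.100.7"),
]

# Same key seen in an earlier incident under a different comment and key name.
KNOWN_BAD_FINGERPRINTS = {key_fingerprint(_b64(BAPAK_KEY + " root@other"))}


def detect(events, known_bad_fingerprints, enum_min=3, enum_window_s=60, foothold_window_s=300):
    """Return a list of findings, each tagged with the access key that produced it."""
    findings = []
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_key[e["userIdentity"]["accessKeyId"]].append(e)

    for ak, evs in by_key.items():
        first_seen = parse_time(evs[0]["eventTime"])  # assumption: batch starts at first use

        # Rule 1: ImportKeyPair soon after first activity; Rule 2: reuse of known key material
        for e in evs:
            if e["eventName"] != "ImportKeyPair":
                continue
            age = (parse_time(e["eventTime"]) - first_seen).total_seconds()
            if age <= foothold_window_s:
                findings.append({"accessKeyId": ak, "rule": "early_import_keypair",
                                 "seconds_after_first_seen": age})
            fp = key_fingerprint(e["requestParameters"]["publicKeyMaterial"])
            if fp in known_bad_fingerprints:
                findings.append({"accessKeyId": ak, "rule": "known_key_reuse", "fingerprint": fp})

        # Rule 3: at least enum_min discovery calls from a Boto3 UA inside a sliding window
        disc = [parse_time(e["eventTime"]) for e in evs
                if e["eventName"] in DISCOVERY_CALLS and e.get("userAgent", "").startswith("Boto3/")]
        for i in range(len(disc) - enum_min + 1):
            if (disc[i + enum_min - 1] - disc[i]).total_seconds() <= enum_window_s:
                findings.append({"accessKeyId": ak, "rule": "scripted_enumeration", "calls": len(disc)})
                break
    return findings


def summarize(findings):
    """Collapse findings to {accessKeyId: sorted rule names} for triage."""
    out = defaultdict(set)
    for f in findings:
        out[f["accessKeyId"]].add(f["rule"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_BAD_FINGERPRINTS):
        print(f)
```

In production the "first seen" baseline comes from historical CloudTrail for the access key rather than the current batch, and source-ASN enrichment (to flag the Indonesian ASN the article mentions) is a lookup on `sourceIPAddress` that this example leaves out. The benign admin key produces no findings even though it calls the same two discovery APIs, which is the point: the sequence, timing and user agent together carry the signal, not the individual calls.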
## Mitigation Strategies
Mitigation involves reducing the attack surface for credential exposure and monitoring post-compromise activity.
- Prevention measures: Secure cloud credentials diligently to prevent exposure and unauthorized access. Implement robust identity and access management (IAM) policies (Least Privilege).
- Hardening recommendations:
- Implement allowlisting for container images and Lambda layers.
- Monitor for unusual account- or subscription-level changes (enabling regions, modifying security settings).
- Monitor for privileged role assignment to non-privileged or unknown external users/subscriptions.
- Analyze API call context for unusual locations (TOR, unusual VPNs, unexpected geographic locations).
## Related Tools/Techniques
- **Tools used for similar automated IAM reconnaissance:** Quiet Riot, Pacu.
- **Related Behavior:** Generic behavioral sequences involving `GetCallerIdentity` and `ListAttachedUserPolicies` (indicating reconnaissance).