Open Source Tool Detects 'Shadow' Cloud Admin Accounts

Cybersecurity specialist CyberArk is publicizing the problem of "Shadow Admins" -- or hidden admin users -- on cloud platforms, introducing an open source tool to combat the problem.

That problem, the company said, is that attackers can use hidden admin accounts to escalate their privileges and damage an organization’s network.

The company said it has been focusing on the problem for years, first in an on-premises context and then in the cloud.

"Shadow Admins are stealthy user entities that have specifically sensitive permissions granting them the ability to escalate privileges in cloud environments," the company said in a recent blog post. "These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk. While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments. (AWS and Azure each have more than 5,000 different permissions.) As a result, there are many cases where Shadow Admins can be created."
[Figure: SkyArk in Animated Action (source: CyberArk).]

The focus on Amazon Web Services (AWS) and Microsoft's Azure cloud isn't by accident, as CyberArk introduced the open source tool SkyArk with two modules designed to discover the most privileged entities in the respective cloud platforms.

The company said organizations can increase their security posture by using the tools to discover the entities (users, groups and roles) who have the most sensitive and risky permissions while also regularly scanning their environments to search for suspicious deviations in their privileged entities list.

The scanning tool requires only read-only permissions: it queries the cloud entities and their assigned permissions, then performs the analysis and reports the results.
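As an added illustration of the workflow described above (enumerate entities and the permissions granted to them, flag those holding sensitive permissions, then re-scan and compare against the previously stored list), here is a small Python script written for this article; it is not CyberArk's or SkyArk's code. The identities, their grants, the stored baseline and the short list of sensitive IAM actions are all constructed assumptions for the example; a real scan would feed in the entities and policies returned by the cloud provider's read-only APIs.

```python
import fnmatch
import json

# Constructed sample snapshot of cloud identities and the permission actions
# their attached policies grant. Illustrative data only: not SkyArk output and
# not a real account. Action names follow the AWS "service:Action" form.
SAMPLE_ENTITIES = [
    {"name": "alice", "type": "user", "actions": ["s3:GetObject", "s3:ListBucket"]},
    {"name": "cloud-admins", "type": "group", "actions": ["*"]},
    {"name": "ci-deploy", "type": "role", "actions": ["ec2:*", "iam:PassRole"]},
    {"name": "intern-bob", "type": "user", "actions": ["s3:GetObject", "iam:CreateAccessKey"]},
]

# Actions a reviewer treats as sensitive because they let an identity change
# who holds privilege. This short list is an assumption chosen for the example
# (real IAM action names, but not SkyArk's rule set, which covers far more).
SENSITIVE_ACTIONS = [
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:PassRole",
    "iam:PutUserPolicy",
]

# A constructed "previous scan" result, as a team would store it after the
# last review, used to detect deviations in the privileged-entity list.
BASELINE_SNAPSHOT = {
    "cloud-admins": sorted(SENSITIVE_ACTIONS),
    "ci-deploy": ["iam:PassRole"],
    "old-break-glass": ["iam:AttachUserPolicy"],
}


def covered_sensitive_actions(granted):
    """Return the sensitive actions covered by a list of granted action patterns.

    Grants may be wildcards ("*", "iam:*"), so each grant is matched as a glob
    against each concrete sensitive action. Deny statements, conditions and
    resource scoping are not modelled here.
    """
    covered = set()
    for grant in granted:
        for action in SENSITIVE_ACTIONS:
            if fnmatch.fnmatchcase(action, grant):
                covered.add(action)
    return sorted(covered)


def find_privileged(entities):
    """Map entity name -> sorted sensitive actions, for entities holding at least one."""
    result = {}
    for ent in entities:
        hits = covered_sensitive_actions(ent["actions"])
        if hits:
            result[ent["name"]] = hits
    return result


def diff_privileged(baseline, current):
    """Compare a stored privileged-entity snapshot with a fresh scan.

    Returns the names that newly hold sensitive permissions, names that no
    longer do, and names whose set of sensitive actions changed.
    """
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "changed": sorted(n for n in base_names & cur_names if baseline[n] != current[n]),
    }


if __name__ == "__main__":
    current = find_privileged(SAMPLE_ENTITIES)
    print("Entities holding sensitive permissions:")
    print(json.dumps(current, indent=2))
    print("Deviation from baseline:")
    print(json.dumps(diff_privileged(BASELINE_SNAPSHOT, current), indent=2))
```

Run against the constructed data, the scan flags the obvious admin group and the deploy role, but also the user `intern-bob`, who has no admin-looking name yet holds a permission that can mint new credentials; the diff against the baseline reports that user as newly privileged and the retired break-glass entity as gone. A production version would also have to evaluate Deny statements, policy conditions, resource scoping and group and role membership chains, which is the part that makes these entities hard to spot by hand.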

"Attackers are increasingly targeting cloud environments and Shadow Admins are becoming a primary way for them to gain a foothold, escalate privileges and ultimately to do some serious damage," the company said. "So, while securing admin users is the first key element in securing cloud environments, it’s impossible to secure these admins if you don’t know they exist -- and that’s the true problem with Shadow Admins. SkyArk was developed to help make the challenge of finding and securing all your most privileged users (including Shadow Admins) easier and to make your cloud environments more secure."

About the Author

David Ramel is an editor and writer for Converge360.
