Cloud Shadow Admins Revisited in Light of Nobelium

November 3, 2021 Asaf Hecht

A recently detected attack campaign involving threat actor Nobelium has caught our attention due to an attack vector our team has previously researched – Cloud Shadow Admins – that the adversary may have sought to exploit. Security teams need to be aware.


As Microsoft published earlier this week, they detected an attack campaign made by a nation-state threat actor that is tracked with the name Nobelium. According to Microsoft, the threat actor attempted to gain unauthorized access to customers of multiple cloud service providers (CSP), managed service providers (MSP) and other IT services organizations. As part of their role, these service providers often have privileged access to customer environments, making them prime targets for attackers looking to leverage the supply chain and cause maximum damage.

The attackers reportedly used simple attack techniques like password spray and phishing, as opposed to often complex zero or one-days. But as we’ve seen in numerous public breaches, simple attack methods can lead to large damage.

The important part

The interesting part is what the attackers did after gaining the initial foothold in the target organizations. Microsoft observed that Nobelium targeted privileged accounts of service providers to move laterally in cloud environments, leveraging trusted relationships to gain access. This is why it’s vital to protect your privileged accounts and have well-defined and secured privilege access procedures.

The overlooked threat in this story — Cloud Shadow Admins

Microsoft recommends that all organizations track and detect the creation of highly privileged users and detect changes in privileged user role assignments. We absolutely agree with this recommendation. Moreover, parts of their disclosure of the attack highlight a possible major threat concept that we researched and published in the past: Cloud Shadow Admins.

Shadow Admins are stealthy user entities that have specifically sensitive permissions granting them the ability to escalate privileges in cloud environments. These entities, which often arise from misconfigurations or lack of awareness, can be targeted by attackers, putting the entire environment at risk.

While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover because of the thousands of permissions that exist in standard cloud environments, and can include shadow admin users, roles and applications. (AWS and Azure each have several thousands of different permissions.) As a result, there are many cases in which Shadow Admins can be created. In fact, we’ve discovered several Shadow admin entities in all large cloud environments we’ve researched so far.

Despite the appearance of limited permissions, a Shadow Admin with just a single permission has the ability to gain the equivalent power of a full admin.

We’ve spent quite a significant amount of time researching the threat of Shadow Admins in Azure (link from 2020), in AWS (link from 2018) and in on-prem networks (link from 2017).

A needed paradigm shift

It’s possible for attackers to find and abuse non-trivial and presumably “limited” permissions to escalate their privileges and become full cloud admins. They can also easily use these permissions to hide stealthy shadow entities that remain hidden until they are used as backdoor accounts allowing access to the network.

Here in the Nobelium case, the same is true. We can assume a similar technique might have been used in the attack phases of these service providers. Shadow Admins are places for potential privilege escalation and can be easily used as a persistence method.

Because of this threat of Cloud Shadow Admins, we at CyberArk added dedicated features to our products for mitigating this attack surface. But not only that, it’s why we also developed and released a free open-source tool called “SkyArk” that has helped organizations worldwide and improved enterprise security as a whole.

Stealthy and undercover cloud admins may reside in every public cloud platform, and SkyArk helps mitigate the risk in AWS and Azure clouds. We recommend in any penetration testing engagements and risk assessment procedures that you do, address the threat and validate that all your privileged entities are indeed well secured, including the hidden Shadow Admins.

Believe in the research work you read previous example

Another example is when we highlighted a specific unique threat that we researched and published in 2017 “Golden SAML” (link). Then, after three years, this threat became super famous because of the attack campaign around SolarWinds. Only when this attack technique was used and caught, the Golden SAML threat captured the world’s attention (and the senate’s).

Now it might be the same scenario all over again!

Final note

Attackers increasingly target cloud environments, and Shadow Admins are becoming a primary avenue for them to gain a foothold, escalate privileges and ultimately do serious damage. So, while securing admin users is the first key element in securing cloud environments, it’s impossible to secure these admins if you don’t know they exist and that’s the true problem with Shadow Admins. CyberArk products and the open-source SkyArk tool can help make the challenge of finding and securing all your most privileged users (including Shadow Admins) easier and by doing so, make your cloud environments more secure.

Previous Article
Hook Heaps and Live Free
Hook Heaps and Live Free

I wanted to write this blog post to talk a bit about Cobalt Strike, function hooking and the Windows heap. ...

Next Article
Cracking WiFi at Scale with One Simple Trick
Cracking WiFi at Scale with One Simple Trick

How I Cracked 70% of Tel Aviv’s Wifi Networks (from a Sample of 5,000 Gathered WiFi). In the past seven yea...