Huseyin Can YUCEEL | March 21, 2025 | 2 MIN READ

LAST UPDATED ON MARCH 21, 2025

MITRE ATT&CK T1562.007 Impair Defenses: Disable or Modify Cloud Firewall

Disable or Modify Cloud Firewall is a defense evasion technique that adversaries use to manipulate cloud-based firewall configurations to bypass security controls and enable malicious activity. Cloud firewalls, often implemented as security groups, network access control lists (NACLs), or virtual firewall appliances, are designed to regulate network traffic, prevent unauthorized access, and enforce segmentation within cloud environments. By disabling or modifying these protections, attackers can create unauthorized pathways for lateral movement, data exfiltration, and command-and-control (C2) communication.

In this blog post, we explain the T1562.007 Disable or Modify Cloud Firewall technique of the MITRE ATT&CK® framework and explore how adversaries employ Disable or Modify Cloud Firewall with real-world attack examples in detail.

What is a Cloud Firewall?

Cloud firewalls are designed to safeguard digital assets and data hosted in cloud environments. They control and monitor incoming and outgoing network traffic, acting as a barrier between a trusted internal network and external, potentially untrusted networks such as the Internet. Cloud firewalls operate on predefined rules and policies, allowing or blocking specific types of traffic based on criteria such as IP addresses, protocols, and port numbers.

Adversary Use of Disable or Modify Cloud Firewall

In cloud environments, organizations often implement restrictive security groups and firewall rules to control and secure network traffic. These rules are designed to permit only authorized communication from trusted IP addresses over specified ports and protocols. Using the Disable or Modify Cloud Firewall technique, adversaries alter these configurations to open a gateway for unauthorized access and malicious activity within the victim's cloud environment. The consequences can be severe, ranging from data breaches to the compromise of critical infrastructure and services hosted in the cloud.

Adversaries often employ this technique by manipulating the existing firewall rules. For instance, they use scripts or utilities capable of dynamically creating new ingress rules within the established security groups. These rules could be crafted to allow any TCP/IP connectivity, essentially removing the previously imposed restrictions and creating a vulnerability that enables unimpeded access. In the Capital One data breach, adversaries exploited a misconfigured web application firewall (WAF) to gain unauthorized access to sensitive customer data stored in the cloud. By modifying firewall configurations, the adversary successfully bypassed security measures, emphasizing the critical importance of robust firewall management in cloud security.

Moreover, the technique facilitates lateral movement within the cloud environment. By disabling or modifying firewall rules, adversaries can move laterally across systems and servers, potentially escalating their privileges and expanding their foothold within the compromised infrastructure. 

Adversaries can leverage the altered firewall configurations to create covert channels for communication between compromised systems and external servers under their control. This enables them to maintain a persistent presence, execute commands, and receive instructions without detection. In a crypto miner attack, adversaries compromised a Google Cloud App Engine service account and changed the cloud firewall configuration to allow any traffic before deploying hundreds of VMs for crypto mining [1]. The audit log excerpt below shows the compute.firewalls.insert request that created the permissive egress rule:

"request": {
    "@type": "type.googleapis.com/compute.firewalls.insert",
    "alloweds": [{
        "IPProtocol": "tcp"
    }, {
        "IPProtocol": "udp"
    }],
    "direction": "EGRESS",
    "name": "default-allow-out",
    "network": "https://compute.googleapis.com/compute/v1/projects/XXXXXXX/global/networks/default",
    "priority": "0"}
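As an added example (not code from the original post or from the Unit 42 report), here is a small Python check that scans Cloud Audit Log entries for firewall-rule changes and reports the permissive indicators visible in the excerpt above: allow entries with no port restriction, no address restriction, and priority 0. The sample entries are constructed; field names follow the GCP Cloud Audit Log schema (protoPayload.methodName, protoPayload.request).

```python
# Constants and samples are constructed for this example; field names follow
# the GCP Cloud Audit Log schema (protoPayload.methodName, protoPayload.request).
FIREWALL_METHODS = ("compute.firewalls.insert", "compute.firewalls.patch",
                    "compute.firewalls.update", "compute.firewalls.delete")
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def firewall_change_findings(entry):
    """Return the reasons one audit log entry looks like T1562.007 activity.
    An empty list means the entry is not a firewall-rule change, or is one
    that carries none of the permissive indicators checked here."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if not method.endswith(FIREWALL_METHODS):
        return []
    if method.endswith("compute.firewalls.delete"):
        return ["firewall rule deleted"]
    req = payload.get("request", {})
    findings = []
    # Allow entries covering every protocol, or tcp/udp with no port list.
    for allowed in req.get("alloweds", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto == "all" or (proto in ("tcp", "udp") and not allowed.get("ports")):
            findings.append(f"allows {proto} on all ports")
    # GCP applies the rule to every address when the range field is omitted.
    direction = req.get("direction", "INGRESS")
    key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    ranges = set(req.get(key, [])) or ANY_ADDRESS
    if ranges & ANY_ADDRESS:
        findings.append(f"{direction.lower()} rule open to any address")
    if str(req.get("priority", "1000")) == "0":
        findings.append("priority 0 overrides every other rule")
    return findings

# Constructed entries: the first mirrors the excerpt quoted above.
PERMISSIVE_EGRESS = {"protoPayload": {
    "methodName": "v1.compute.firewalls.insert",
    "request": {"@type": "type.googleapis.com/compute.firewalls.insert",
                "alloweds": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}],
                "direction": "EGRESS", "name": "default-allow-out",
                "priority": "0"}}}
SCOPED_INGRESS = {"protoPayload": {
    "methodName": "v1.compute.firewalls.insert",
    "request": {"alloweds": [{"IPProtocol": "tcp", "ports": ["443"]}],
                "sourceRanges": ["203.0.113.0/24"], "priority": "1000"}}}

if __name__ == "__main__":
    for entry in (PERMISSIVE_EGRESS, SCOPED_INGRESS):
        name = entry["protoPayload"]["request"].get("name", "<unnamed>")
        print(name, firewall_change_findings(entry))
```

Any non-empty result is worth alerting on; the scoped ingress rule returns nothing because it restricts both port and source range.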

References

[1] D. Alon, "Compromised Cloud Compute Credentials: Case Studies From the Wild," Unit 42. https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/