
Abstract

"When “getting pwned” doesn’t even fully describe what happened"

When building your systems and infrastructure in the cloud, you should always consider the attack vectors you open yourself up to and continually strive to proactively close them. It’s common knowledge that when bringing up cloud computing resources you should do things like prevent SSH logins as the root user, disable password authentication for all users, and limit which IP addresses can talk to the different services on your virtual machines. In more recent years, as our usage of SaaS and IaaS has grown, securing employee credentials has become even more crucial. So in addition to securing the infrastructure, you require that all employees who need access to the control panel use multi-factor authentication (using TOTP, making sure it’s not SMS-based).

By segmenting access, configuring an intrusion detection system, keeping the systems and packages up to date, and implementing multiple factors of authentication for your cloud control panel, you’re confident in the setup. You’re fairly certain that an alarm would go off if an attacker was able to gain access, and even then their access would be limited to an unprivileged user on only the infrastructure they have access to. But what happens if an employee’s credentials aren’t phished, and instead your infrastructure provider is compromised? Are your systems protected from that vector, and will your heuristics catch it? What can you do to protect yourself from this vector, and can you even reasonably do that?

In this talk, we’ll tell a story from the not too distant past about a successful targeted attack against a company, using infrastructure providers as the vector. Details of the methods used by the attacker will be shared, along with the explicit steps they took to attempt to cover their tracks. We’ll also look at the other things they did after the attack vector was closed, while attempting to regain access to the systems. Finally, we’ll look at what you can do to help mitigate the risks you incur if your infrastructure provider is compromised.

Videos