-----

# TDR432: New tactics and techniques for proactive threat detection

###### Ben Fletcher (he/him), AWS EMEA CIRT Lead, Amazon Web Services
###### Steve de Vera (he/him), AWS CIRT Manager, Amazon Web Services

-----

###### Agenda
• About AWS CIRT
• Statistics
• Current threat actor tactics
• New threat actor tactics
• Security best practices

-----

##### THIS SESSION IS INTERACTIVE!
Feel free to ask questions, make comments, participate

-----

### About AWS CIRT

-----

###### A specialized team that assists and advises customers during suspected active security events, on the customer's side of the AWS Shared Responsibility Model

Respond, Recover, Learn, Educate:
• Global team, 24/7, follow-the-sun model
• Assist and advise customers with active triage and recovery from their active security event
• Assist in root cause analysis of a customer's AWS service logs for their active security event
• Provide advice to customers for long-term recovery from their security event on AWS

-----

### Statistics

-----

#### Which initial access methods are seen most often?
#1 Cross-account permissions
#2 Vulnerable web apps
#3 Brute force
#4 Lost/leaked access keys/credentials
#5 Open S3 buckets
#6 DDoS

-----

#### Lost/leaked access keys/credentials (#4) in more detail
• 66%: valid IAM credentials
• 1/3 of those are root credentials (20% of all initial access method use)
• 13%

-----

###### Event outcomes
• Opportunistic
• Resource hijack
• Ransom events
• Destruction
• A zero trust strategy

-----

###### Technique: Valid cloud credentials

-----

#### How quickly are exposed credentials used?
#1 ~Two weeks
#2 ~One week
#3 24 hours
#4 4 hours
#5 Minutes, if not seconds

-----

###### Technique: Valid cloud credentials
Minutes, if not seconds (#5)

-----

### Current threat actor tactics

-----

##### DISCLAIMER: Tactics and techniques presented do not constitute vulnerabilities within AWS

-----

###### Tactic: Impact / Technique: Resource hijacking
1) Threat actor obtains access to AWS account or hosted resource
2) Threat actor will mine cryptocurrency from the resource
3) Resources created in AWS account, seen as these API calls:
   • RunInstances
   • CreateStack
   • CreateCluster
4) Resources created in unused AWS Regions

-----

###### Tactic: Impact / Technique: Resource hijacking
#### Mitigations
• Use SCPs to prevent resource creation, especially in unused Regions
• Apply principle of least privilege to assigned permissions

-----

###### Tactic: Impact / Technique: Defacement
1) Customer has CNAME pointing to a resource (S3 bucket, EC2 instance, Elastic IP)
2) The resource is deleted, but the CNAME still exists
3) Threat actor creates a resource that the CNAME still points to
-----

###### Defacement walkthrough: dangling CNAME to an S3 static website
• Customer creates S3 bucket s3-newco-random
• Bucket is configured as a static website: http://s3-newco-random.s3-website-us-east-1.amazonaws.com
• CNAME app1.newco.com points to http://s3-newco-random.s3-website-us-east-1.amazonaws.com
• Bucket is deleted (website endpoint gone), but the CNAME remains
• Threat actor recreates S3 bucket s3-newco-random (bucket names are global across all AWS accounts, so a deleted name can be claimed by anyone)
• Recreated bucket is configured as a static website with malicious content, now served under app1.newco.com

-----

###### Tactic: Impact / Technique: Defacement
#### Mitigations
• Review hosted zones and delete unused CNAMEs
• When de-provisioning, remove CNAMEs first
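The check behind the first mitigation, as an added example (not code from the presentation): walk a hosted zone's record set, pick out CNAMEs that target an S3 static-website endpoint, and report those whose bucket is not in your own inventory. The records, the bucket inventory and the domain names are constructed for illustration; the endpoint regex covers both endpoint shapes S3 uses (`s3-website-<region>` and `s3-website.<region>`).

```python
"""Find CNAME records pointing at S3 static-website endpoints whose bucket is no
longer in your inventory: the takeover precondition walked through above.
Added example, not code from the presentation. The hosted-zone records and the
bucket inventory below are constructed for illustration."""
import re
from typing import Iterable

# Website endpoints take two shapes depending on the Region:
#   <bucket>.s3-website-<region>.amazonaws.com   and
#   <bucket>.s3-website.<region>.amazonaws.com
S3_WEBSITE_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3-website[.-]"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com\.?$"
)

# Constructed Route 53 style record set (Name, Type, ResourceRecords).
SAMPLE_RECORDS = [
    {"Name": "app1.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "s3-newco-random.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "docs.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "s3-newco-docs.s3-website.eu-central-1.amazonaws.com"}]},
    {"Name": "www.newco.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "newco.com.", "Type": "A", "ResourceRecords": [{"Value": "203.0.113.10"}]},
]
# Constructed inventory: buckets the organisation actually owns (for example from
# ListBuckets across every account). s3-newco-random has been deleted.
OWNED_BUCKETS = {"s3-newco-docs", "s3-newco-logs"}


def parse_s3_website_target(target: str):
    """Return (bucket, region) when target is an S3 website endpoint, else None."""
    m = S3_WEBSITE_RE.match(target.strip().lower())
    return (m.group("bucket"), m.group("region")) if m else None


def dangling_s3_cnames(records: Iterable[dict], owned_buckets: set) -> list:
    """Return CNAMEs whose S3 website bucket is not owned by us. Bucket names are
    global across all AWS accounts, so any deleted name can be re-created by a
    third party and the CNAME will then serve their content."""
    findings = []
    for rec in records:
        if rec.get("Type") != "CNAME":
            continue
        for rr in rec.get("ResourceRecords", []):
            parsed = parse_s3_website_target(rr["Value"])
            if parsed and parsed[0] not in owned_buckets:
                findings.append({"name": rec["Name"], "bucket": parsed[0], "region": parsed[1]})
    return findings


if __name__ == "__main__":
    for f in dangling_s3_cnames(SAMPLE_RECORDS, OWNED_BUCKETS):
        print(f"DANGLING {f['name']} -> bucket {f['bucket']} ({f['region']}) is not ours")
```

Run it against a `list-resource-record-sets` export and the union of `ListBuckets` results from every account in the organization; the same idea extends to EC2 public DNS names and Elastic IPs, which the deck lists as targets, with a different regex and a different inventory.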
-----

###### Tactic: Impact / Technique: Data destruction
1) Threat actor obtains access to AWS account or resource (Amazon S3 or Amazon RDS)
2) Threat actor will attempt to delete resources or data
3) API calls observed in the AWS account:
   • DeleteBucket
   • DeleteObject
   • DeleteDBInstance
   • DeleteDBCluster
   • DeleteDBSnapshot
   • AuthorizeSecurityGroupIngress (not itself a deletion: it opens inbound access to the resource, and is listed here because it is seen alongside the delete calls)

-----

###### Tactic: Impact / Technique: Data destruction
#### Mitigations
• Apply and review policies (resource policies and lifecycle policies), S3 Object Lock
• Principle of least privilege
• Use and test backup methodologies

-----

###### Tactic: Credential access / Technique: Unsecured credentials
1) Threat actor obtains ability to obtain IMDSv1 credentials from resource
2) Threat actor exports and uses credentials
-----

###### Walkthrough: AWS account, VPC, public subnet, web application on EC2 with attached role (webdev)
1) Threat actor uses SSRF to exploit a web application vulnerability
2) Threat actor obtains the role's credentials from the IMDSv1 API (a single GET to 169.254.169.254, no session token needed)
3) Threat actor uses the credentials to access the AWS account from outside the instance

-----

###### Tactic: Credential access / Technique: Unsecured credentials
#### Mitigations
• Require IMDSv2 (set HttpTokens to required): a plain GET via SSRF no longer returns credentials, because IMDSv2 first needs a PUT to obtain a session token
• Use principle of least privilege on the EC2 instance profile
• Use the aws:EC2InstanceSourceVPC or aws:EC2InstanceSourcePrivateIPv4 global condition keys in Service Control Policies to deny use of instance-role credentials from outside the instance's VPC
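Detection for the export-and-use step, as an added example (not code from the presentation): CloudTrail names an EC2 instance-profile session after the instance ID and records in `sessionContext.ec2RoleDelivery` whether IMDSv1 (`1.0`) or IMDSv2 (`2.0`) served the credentials, so two signals can be checked offline: credentials that came from IMDSv1 at all, and an instance session used from an address that is not the instance's own. The events, account ID, role name, instance ID and addresses are constructed; the egress-address map is an assumption about your inventory.

```python
"""Flag CloudTrail events in which an EC2 instance role's credentials were served
by IMDSv1, or were used from an address that is not the instance's own: the
export-and-reuse step described above. Added example, not code from the
presentation; the events, role name, instance ID and addresses are constructed."""
import ipaddress
import re

# EC2 names the role session after the instance ID, so the session ARN tells us
# which instance the credentials belong to.
INSTANCE_SESSION_RE = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/[\w+=,.@-]+/(i-[0-9a-f]{8,17})$"
)

# Constructed events (only the fields the checks use).
SAMPLE_EVENTS = [
    {   # legitimate call from the instance itself, credentials via IMDSv2
        "eventID": "e1", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/webdev/i-0abc12345def67890",
                         "sessionContext": {"ec2RoleDelivery": "2.0"}},
    },
    {   # same session: credentials came from IMDSv1 and are now used elsewhere
        "eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/webdev/i-0abc12345def67890",
                         "sessionContext": {"ec2RoleDelivery": "1.0"}},
    },
    {   # an IAM user: not an instance session, ignored by these checks
        "eventID": "e3", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]
# Constructed: addresses each instance legitimately egresses from (its public IP,
# or the NAT gateway's Elastic IP for instances in private subnets).
INSTANCE_EGRESS = {"i-0abc12345def67890": {"203.0.113.10"}}


def instance_role_session(event: dict):
    """Return the instance ID if the caller is an EC2 instance-profile session."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = INSTANCE_SESSION_RE.match(ident.get("arn", ""))
    return m.group(1) if m else None


def check_instance_credential_use(events, instance_egress) -> list:
    """Two findings per event are possible: IMDSv1 delivery
    (sessionContext.ec2RoleDelivery == '1.0') and use from an address that is
    not in instance_egress for that instance."""
    findings = []
    for ev in events:
        instance = instance_role_session(ev)
        if instance is None:
            continue
        ctx = ev["userIdentity"].get("sessionContext", {})
        if ctx.get("ec2RoleDelivery") == "1.0":
            findings.append({"eventID": ev["eventID"], "instance": instance,
                             "reason": "credentials obtained via IMDSv1"})
        src = ev.get("sourceIPAddress", "")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # AWS service principals appear here as DNS names, not client IPs
        if src not in instance_egress.get(instance, set()):
            findings.append({"eventID": ev["eventID"], "instance": instance,
                             "reason": f"instance role used from unexpected address {src}"})
    return findings


if __name__ == "__main__":
    for f in check_instance_credential_use(SAMPLE_EVENTS, INSTANCE_EGRESS):
        print(f)
```

The address check is the detective twin of the `aws:EC2InstanceSourceVPC` SCP condition in the mitigations; it is noisy where many instances share a NAT gateway address, so scope the egress map per subnet. The `ec2RoleDelivery` check is useful on its own for finding instances that still hand out credentials over IMDSv1 before you enforce IMDSv2.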
-----

###### Tactic: Credential access / Technique: Additional cloud credentials
1) Credentials exported
2) Federation token generated (GetFederationToken)
3) Threat actor exports and assumes federation token credentials
4) Use exported credentials from federation token
• The session name or 'user name' can be changed
• Still need to review actions by the 'masked' user

-----

###### Technique: Additional cloud credentials (continued)
• GetSessionToken also used
• Generally considered unauthorized if observed
• With both GetFederationToken and GetSessionToken, you can delete the originating access key and the session will persist
• Can delete/recreate the user

-----

###### Tactic: Credential access / Technique: Additional cloud credentials
#### Mitigations
• Apply an inline policy to the IAM user that denies based on aws:TokenIssueTime: this reaches sessions that were issued before the cutoff, which deleting the access key alone does not

-----

### Novel threat actor tactics

-----

###### Technique: Unused/unsupported cloud regions
1) Threat actor creates an account in an AWS organization
2) Created account is used for defense evasion and resource hijacking

-----

###### Technique: Unused/unsupported cloud regions
1) Threat actor creates a standalone account with a stolen credit card
2) Invites the account into the compromised AWS organization

-----

###### Technique: Unused/unsupported cloud regions
1) Threat actor can remove OrganizationAccountAccessRole
2) Victim can apply SCPs, but this only prevents new actions (existing threat actor resources are not affected)
3) May need a support case to remove the account

-----

###### Technique: Unused/unsupported cloud regions
#### Mitigations
• Create custom groups or roles
• Use principle of least privilege to restrict account creation
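The detection and the revocation policy for the federation/session token technique, as an added example (not code from the presentation). Both APIs can only be called with long-term credentials (an IAM user or root), so any call by an IAM user is worth a look; the federated session carries whatever name the actor chose, but CloudTrail still records the issuing user under `sessionContext.sessionIssuer`; and the inline deny on `aws:TokenIssueTime` is the standard way to invalidate sessions that outlive a deleted key. The events, user names, key ID and timestamps are constructed; the cutoff evaluator implements only the single `DateLessThan` condition this policy uses.

```python
"""Detect GetFederationToken / GetSessionToken calls made with an IAM user's
long-term keys, tie the resulting 'masked' sessions back to the originating user,
and build the inline deny policy on aws:TokenIssueTime that invalidates those
sessions (deleting the access key alone does not). Added example, not code from
the presentation; the events are constructed."""
from datetime import datetime, timezone
from typing import Optional

TOKEN_APIS = {"GetFederationToken", "GetSessionToken"}
CT_TIME = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format (UTC)

SAMPLE_EVENTS = [  # constructed
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"name": "admin", "durationSeconds": 129600}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/admin",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "deploy-bot"}}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"durationSeconds": 43200}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def ct_time(s: str) -> datetime:
    return datetime.strptime(s, CT_TIME).replace(tzinfo=timezone.utc)


def token_minting(events) -> list:
    """IAM-user calls to the two token APIs. Both require long-term credentials,
    so a hit means a long-term key was used and the session will outlive it."""
    hits = []
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") in TOKEN_APIS \
                and ev.get("userIdentity", {}).get("type") == "IAMUser":
            p = ev.get("requestParameters") or {}
            hits.append({"user": ev["userIdentity"]["userName"], "api": ev["eventName"],
                         "time": ct_time(ev["eventTime"]),
                         "session_name": p.get("name"), "duration": p.get("durationSeconds")})
    return hits


def originating_user(event) -> Optional[str]:
    """The federated session carries whatever name the actor chose; the issuing
    IAM user is still recorded under sessionContext.sessionIssuer."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "FederatedUser":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Inline policy for the IAM user: deny every action to any session whose
    token was issued before cutoff. Keep it attached for at least the longest
    possible token lifetime (36 hours) so the exported sessions expire under it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RevokeSessionsIssuedBeforeCutoff", "Effect": "Deny",
        "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(CT_TIME)}}}]}


def session_revoked(policy: dict, issued_at: datetime) -> bool:
    """Evaluate the DateLessThan condition the way IAM would for one session."""
    cutoff = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return issued_at < ct_time(cutoff)


if __name__ == "__main__":
    policy = revoke_sessions_policy(datetime.now(timezone.utc))
    for h in token_minting(SAMPLE_EVENTS):
        print(h["user"], h["api"], "session name:", h["session_name"],
              "revoked by policy:", session_revoked(policy, h["time"]))
```

Attach the policy to the user at the moment of containment, then rotate or delete the key: the policy kills what was already minted, the key removal stops new minting. The constructed `GetFederationToken` call asks for the 36-hour maximum and a session name of `admin`, which is exactly the masking the deck warns about.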
• Amazon CloudWatch alarm/SCP for the InviteAccountToOrganization API call

-----

###### Tactic: Impact / Technique: Data destruction (via lifecycle policy)
1) Threat actor uses S3 lifecycle policies to set parameters to delete objects within 1 day
2) Form of data destruction
3) Bypasses permissions and detections against DeleteObject (the expiration is carried out by S3 itself, so no DeleteObject calls appear in CloudTrail)

-----

###### Tactic: Impact / Technique: Data destruction
#### Mitigations
• Apply SCPs to prevent use of PutBucketLifecycle
• Use principle of least privilege
• AWS Config rule s3-lifecycle-policy-check
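Detection for the lifecycle variant, as an added example (not code from the presentation): since no `DeleteObject` events will ever appear, the place to look is the `PutBucketLifecycle` / `PutBucketLifecycleConfiguration` call itself, and specifically any enabled rule whose `Expiration` or `NoncurrentVersionExpiration` is short. The events are constructed; the `requestParameters` layout follows the XML-to-JSON shape CloudTrail records for this call (a single `Rule` arrives as a dict, several as a list), and the seven-day threshold is an assumption to tune to the shortest legitimate retention in your estate.

```python
"""Inspect PutBucketLifecycle / PutBucketLifecycleConfiguration events and flag
enabled rules that expire current or noncurrent objects within a short window:
the lifecycle-based destruction described above, which S3 carries out itself so
no DeleteObject call ever appears. Added example, not code from the presentation;
the events are constructed, the requestParameters layout is the XML-to-JSON shape
CloudTrail uses for this call (one Rule is a dict, several are a list), and the
threshold is an assumption."""
SHORT_EXPIRY_DAYS = 7  # assumption: tune to the shortest legitimate retention you have
LIFECYCLE_APIS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

SAMPLE_EVENTS = [  # constructed
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "newco-backups",
        "LifecycleConfiguration": {"Rule": {"ID": "cleanup", "Status": "Enabled",
            "Filter": {"Prefix": ""}, "Expiration": {"Days": "1"},
            "NoncurrentVersionExpiration": {"NoncurrentDays": "1"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/platform"},
     "requestParameters": {"bucketName": "newco-logs",
        "LifecycleConfiguration": {"Rule": [
            {"ID": "to-ia", "Status": "Enabled", "Filter": {"Prefix": "raw/"},
             "Transition": {"Days": "30", "StorageClass": "STANDARD_IA"}},
            {"ID": "purge-old", "Status": "Enabled", "Filter": {"Prefix": "raw/"},
             "Expiration": {"Days": "400"}},
            {"ID": "disabled-fast", "Status": "Disabled", "Filter": {"Prefix": ""},
             "Expiration": {"Days": "1"}}]}}},
]


def lifecycle_rules(event) -> list:
    conf = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = conf.get("Rule") or []
    return rules if isinstance(rules, list) else [rules]


def short_expiry_rules(event, threshold=SHORT_EXPIRY_DAYS) -> list:
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in LIFECYCLE_APIS:
        return []
    hits = []
    bucket = event["requestParameters"]["bucketName"]
    actor = event.get("userIdentity", {}).get("arn")
    for rule in lifecycle_rules(event):
        if str(rule.get("Status", "")).lower() != "enabled":
            continue  # a disabled rule deletes nothing (though enabling it later would)
        prefix = (rule.get("Filter") or {}).get("Prefix", rule.get("Prefix", ""))
        scope = "entire bucket" if prefix == "" else f"prefix {prefix}"
        exp = rule.get("Expiration") or {}
        if exp.get("Date"):  # a fixed date expires everything older in one sweep
            hits.append({"bucket": bucket, "rule": rule.get("ID"), "field": "Expiration",
                         "days": 0, "scope": scope, "actor": actor})
        for field, block, key in (("Expiration", exp, "Days"),
                                  ("NoncurrentVersionExpiration",
                                   rule.get("NoncurrentVersionExpiration") or {}, "NoncurrentDays")):
            days = block.get(key)
            if days is not None and int(days) <= threshold:
                hits.append({"bucket": bucket, "rule": rule.get("ID"), "field": field,
                             "days": int(days), "scope": scope, "actor": actor})
    return hits


def scan(events, threshold=SHORT_EXPIRY_DAYS) -> list:
    return [h for ev in events for h in short_expiry_rules(ev, threshold)]


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h['bucket']} rule {h['rule']}: {h['field']} in {h['days']} day(s) on {h['scope']} by {h['actor']}")
```

The whole-bucket, one-day rule on `newco-backups` is the destructive case; the 400-day rule on `newco-logs` is normal hygiene and stays quiet at the default threshold. S3 Object Lock in compliance mode, from the earlier data-destruction mitigations, is the preventive control here, because lifecycle expiration cannot remove a locked object version.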
-----

###### Tactic: Impact / Technique: Resource hijacking (SMS pumping)
1) Threat actor obtains a block of high-rate SMS phone numbers from a telecom provider
2) Threat actor identifies a service that sends SMS text messages
3) Service used to send numerous text messages (the actor is paid per message delivered to those numbers)
4) Amazon Cognito used
5) APIs observed are SignUp or ResendConfirmationCode

-----

###### Tactic: Impact / Technique: Resource hijacking
#### Mitigations
• Change attribute verification and user account confirmation
• Apply AWS WAF to present CAPTCHA
• Apply a web ACL rule to inspect the request body and match the SMS area code
• Amazon Fraud Detector (may require a rearchitected solution)

-----

###### Tactic: Defense evasion / Technique: Indicator removal
1) Threat actor attempts to leave an AWS organization
2) Prevents SCPs from being applied; used for resource hijacking
3) Form of defense evasion; AWS billing reports migrate with the account

-----

###### Tactic: Defense evasion / Technique: Indicator removal
#### Mitigations
• Apply SCPs to prevent the LeaveOrganization API call in member accounts
• Use principle of least privilege to limit use of RemoveAccountFromOrganization in the management account

-----

###### Tactic: Persistence / Technique: Create account
#### Premise
1) Threat actor gains access to an AWS organization
2) AWS IAM Identity Center enabled to provision access to accounts
3) Adds extra steps to containment

-----

###### Tactic: Persistence / Technique: Create account
#### Alternative
3) Access to a specific account (or accounts) within an AWS organization
4) IAM used to add a SAML or OpenID Connect (OIDC) provider
5) Look for CreateSAMLProvider or CreateOIDCProvider events in AWS CloudTrail
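The signal behind the SMS-pumping section above, as an added example (not code from the presentation): an attacker who controls a block of premium-rate numbers drives many `SignUp` / `ResendConfirmationCode` calls to numbers that share the same country and area code, so counting SMS-triggering requests per phone-number prefix inside a sliding window surfaces the burst. The records are constructed; where the phone numbers come from (CloudTrail data events, WAF logs or the application's own request log), the ten-minute window, the threshold and the prefix length are assumptions.

```python
"""Detect SMS pumping against a Cognito user pool: bursts of SignUp /
ResendConfirmationCode requests whose destination numbers share a prefix, the
pattern described above (the attacker controls a block of premium-rate numbers,
so the country and area code repeat). Added example, not code from the
presentation. Records are constructed; the log source, window and thresholds
are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

SMS_APIS = {"SignUp", "ResendConfirmationCode"}
WINDOW = timedelta(minutes=10)   # assumption
MAX_PER_PREFIX = 5               # assumption: legitimate sign-ups per prefix per window
PREFIX_DIGITS = 4                # country code plus leading area digits, e.g. +1212, +4420


def phone_prefix(number: str) -> str:
    """Normalise to E.164 digits and keep the leading country/area digits."""
    digits = re.sub(r"\D", "", number)
    return "+" + digits[:PREFIX_DIGITS]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sms_pumping_bursts(records, window=WINDOW, threshold=MAX_PER_PREFIX) -> dict:
    """records: dicts with 'time' (ISO 8601 UTC), 'api' and 'phone_number'.
    Returns {prefix: peak count} for every prefix that received at least
    `threshold` SMS-triggering calls inside any window of length `window`."""
    by_prefix = defaultdict(list)
    for r in records:
        if r["api"] in SMS_APIS:
            by_prefix[phone_prefix(r["phone_number"])].append(_t(r["time"]))
    bursts = {}
    for prefix, times in by_prefix.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[prefix] = peak
    return bursts


SAMPLE_RECORDS = (  # constructed: 8 sign-ups to +1 212 numbers in 4 minutes, then 2 genuine ones
    [{"time": f"2024-05-01T10:0{i // 2}:{'30' if i % 2 else '00'}Z", "api": "SignUp",
      "phone_number": f"+1212555{1000 + i:04d}"} for i in range(8)]
    + [{"time": "2024-05-01T10:06:00Z", "api": "SignUp", "phone_number": "+44 20 7946 0123"},
       {"time": "2024-05-01T11:20:00Z", "api": "ResendConfirmationCode", "phone_number": "+33 1 70 18 99 00"}]
)

if __name__ == "__main__":
    for prefix, count in sms_pumping_bursts(SAMPLE_RECORDS).items():
        print(f"possible SMS pumping: {count} requests to {prefix}* within {WINDOW}")
```

The web ACL rule in the mitigations applies the same prefix match inline, on the `phone_number` attribute in the `SignUp` request body, before any message is sent; this offline version is what you would run over logs to pick the prefixes to block and to size the rate limit.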
-----

###### Tactic: Persistence / Technique: Create account
#### Mitigations
• Remove the identity provider from IAM Identity Center or IAM
• Use Amazon EventBridge to watch for StartSSO, CreateSAMLProvider or CreateOIDCProvider events in CloudTrail

-----

###### Technique: Exploit public-facing application
#### Premise
1) Threat actor identifies a vulnerable version of Laravel
   • CVE-2021-3129
   • Debug mode
2) Debug mode allows access to the .env file
3) .env configured with AWS credentials
4) For a server in debug mode, specific data sent generates a debug file
5) File contains .env variables including AWS credentials

-----

###### Technique: Exploit public-facing application
#### Mitigations
• Confirm Laravel is up to date and fully patched
• Disable debug mode in production: set APP_DEBUG=false in .env
• Use principle of least privilege for credentials in Laravel .env
• AWS Secrets Manager for hardcoded secrets (or an instance or task role, so no long-term key sits in .env at all)
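One EventBridge rule can cover the organization and identity-provider persistence calls from the sections above (`InviteAccountToOrganization`, `CreateAccount`, `LeaveOrganization`, `StartSSO`, `CreateSAMLProvider`, `CreateOIDCProvider`). The added example below (not code from the presentation) writes that pattern and tests it offline with a local re-implementation of the subset of EventBridge pattern semantics such CloudTrail rules need; the matcher is mine, not the service, and the events are constructed.

```python
"""Match CloudTrail-sourced EventBridge events against one pattern covering the
organisation and identity-provider persistence calls discussed above, using the
subset of EventBridge pattern semantics those rules need. Added example, not code
from the presentation; the events are constructed and the matcher is a local
re-implementation for testing patterns offline, not the EventBridge service."""

ORG_PERSISTENCE_PATTERN = {
    "source": ["aws.organizations", "aws.iam", "aws.sso"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["InviteAccountToOrganization", "CreateAccount", "LeaveOrganization",
                      "StartSSO", "CreateSAMLProvider", "CreateOIDCProvider"],
    },
}

SAMPLE_EVENTS = [  # constructed, trimmed to the fields the pattern uses
    {"source": "aws.organizations", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "InviteAccountToOrganization", "awsRegion": "us-east-1",
                "requestParameters": {"target": {"id": "444455556666", "type": "ACCOUNT"}}}},
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "CreateSAMLProvider", "awsRegion": "us-east-1",
                "requestParameters": {"name": "corp-idp"}}},
    {"source": "aws.organizations", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "DescribeOrganization", "awsRegion": "us-east-1"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]


def _leaf_matches(matcher, value) -> bool:
    """One pattern element against one event value: a literal, {'prefix': ...}
    or {'anything-but': ...}."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return value not in excluded
        raise ValueError(f"unsupported matcher {matcher}")
    return value == matcher


def event_matches(pattern: dict, event: dict) -> bool:
    """EventBridge semantics: every key in the pattern must exist in the event;
    nested dicts recurse; a list means 'any of these'; when the event value is
    itself a list, any element may satisfy the matcher."""
    for key, cond in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(cond, dict):
            if not isinstance(value, dict) or not event_matches(cond, value):
                return False
            continue
        values = value if isinstance(value, list) else [value]
        if not any(_leaf_matches(m, v) for m in cond for v in values):
            return False
    return True


def matching_event_names(events, pattern=ORG_PERSISTENCE_PATTERN) -> list:
    return [ev["detail"]["eventName"] for ev in events if event_matches(pattern, ev)]


if __name__ == "__main__":
    print(matching_event_names(SAMPLE_EVENTS))
```

Two deployment notes: IAM is a global service, so its CloudTrail events reach EventBridge only in us-east-1, and the rule therefore has to live there (or consume an organization trail); and `InviteAccountToOrganization` / `CreateAccount` / `RemoveAccountFromOrganization` are only ever called in the management account, which is also where the `LeaveOrganization` SCP from the earlier mitigation must be authored.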
-----

###### Tactic: Defense evasion / Technique: Impair defenses
#### Premise
1) Threat actor gains access to AWS account
2) Modifies CloudTrail using PutEventSelectors
3) Prevents logging of mutating events (read/write type set to ReadOnly)

-----

###### Tactic: Defense evasion / Technique: Impair defenses
#### Alternative
1) Threat actor gains access to AWS account
2) Modifies CloudTrail using PutEventSelectors
3) Prevents logging of management events (management events excluded from the trail)

-----

###### Tactic: Defense evasion / Technique: Impair defenses
#### Mitigations
• Use SCPs to restrict CloudTrail modification, including use of the PutEventSelectors API
• Consider AWS Config remediation rules for CloudTrail

-----

###### Tactic: Impact / Technique: Resource hijacking (LLM abuse)
1) Threat actor obtains access to AWS account
2) Threat actor enables access to LLMs through Amazon Bedrock
3) Models used and prompts sent, seen as these API calls:
   • InvokeModel
   • InvokeModelWithResponseStream
4) Can be performed in unused AWS Regions

-----

###### Tactic: Impact / Technique: Resource hijacking
#### Mitigations
Use SCPs to limit access to Amazon Bedrock to
• Specific principals
• Specific Regions
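Telling a harmless `PutEventSelectors` from one that degrades the trail in either of the two ways above, as an added example (not code from the presentation): the classic `eventSelectors` form is weakened by `readWriteType: ReadOnly` (mutating calls vanish) or `includeManagementEvents: false` (all management events vanish), and the `advancedEventSelectors` form by dropping the `eventCategory = Management` selector or pinning it to `readOnly = true`. The events are constructed.

```python
"""Decide whether a PutEventSelectors call weakened a trail in either of the ways
described above: switching to read-only (mutating calls no longer logged) or
dropping management events altogether. Handles both the classic eventSelectors
and the advancedEventSelectors form. Added example, not code from the
presentation; the events are constructed."""

SAMPLE_EVENTS = [  # constructed
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": True,
                            "dataResources": [], "excludeManagementEventSources": []}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": False,
                            "dataResources": [], "excludeManagementEventSources": []}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
        "advancedEventSelectors": [{"name": "mgmt-reads-only", "fieldSelectors": [
            {"field": "eventCategory", "equals": ["Management"]},
            {"field": "readOnly", "equals": ["true"]}]}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True,
                            "dataResources": [], "excludeManagementEventSources": ["kms.amazonaws.com"]}]}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": True,
                            "dataResources": [], "excludeManagementEventSources": []}]}},
]


def _classic_weaknesses(selectors) -> list:
    weak = []
    mgmt = [s for s in selectors if s.get("includeManagementEvents", True)]
    if not mgmt:
        weak.append("management events disabled")
    elif all(s.get("readWriteType") == "ReadOnly" for s in mgmt):
        weak.append("write (mutating) events not logged")
    for s in mgmt:
        for src in s.get("excludeManagementEventSources") or []:
            weak.append(f"management events from {src} excluded")
    return weak


def _advanced_weaknesses(selectors) -> list:
    def field(sel, name):
        for f in sel.get("fieldSelectors", []):
            if f.get("field") == name:
                return f
        return None
    mgmt = [s for s in selectors if (field(s, "eventCategory") or {}).get("equals") == ["Management"]]
    if not mgmt:
        return ["management events disabled"]
    if all((field(s, "readOnly") or {}).get("equals") == ["true"] for s in mgmt):
        return ["write (mutating) events not logged"]
    return []


def selector_weaknesses(event) -> list:
    """Empty list means the new selectors still log all management events."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com" or event.get("eventName") != "PutEventSelectors":
        return []
    p = event.get("requestParameters") or {}
    if "advancedEventSelectors" in p:
        return _advanced_weaknesses(p["advancedEventSelectors"])
    return _classic_weaknesses(p.get("eventSelectors") or [])


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["requestParameters"]["trailName"], selector_weaknesses(ev) or ["ok"])
```

`PutEventSelectors` is itself a management write, so it is the last mutating call the weakened trail records; that is why the deck pairs the SCP (deny `cloudtrail:PutEventSelectors`, `StopLogging`, `DeleteTrail` outside a break-glass role) with a Config remediation that puts the selectors back.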
-----

### Security best practices

-----

###### A failure cannot be traced back to a single root cause; accidents are often the result of a combination of factors

-----

###### Contributing factors seen across events
• Inaccurate AWS account contact information
• Unintended disclosure of credentials and secrets
• Ineffective response to detective controls
• Lack of continuous vulnerability management
• Insecure AWS resource configuration

-----
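The SCPs that two of the resource-hijacking sections above call for, as one added example (not code from the presentation): the deny-outside-approved-Regions policy, which stops `RunInstances` / `CreateStack` / `CreateCluster` in Regions you never use while exempting global services that always evaluate as us-east-1, and the Amazon Bedrock policy that confines `InvokeModel` / `InvokeModelWithResponseStream` to approved principals and Regions. A small evaluator checks candidate requests against them offline. The Region list, the exempt-service list and the principal ARN pattern are assumptions, and the evaluator implements only the `Deny` / `NotAction` / `StringNotEquals` / `ArnNotLike` subset these two policies use, not full IAM semantics.

```python
"""Build the two SCPs the mitigations above call for and check requests against
them offline: (1) deny everything outside approved Regions, exempting global
services (covers RunInstances / CreateStack / CreateCluster in unused Regions);
(2) confine Amazon Bedrock model invocation to approved principals and Regions.
Added example, not code from the presentation; the Region list, exempt-service
list and principal pattern are assumptions, and the evaluator covers only the
Deny/NotAction/StringNotEquals/ArnNotLike subset these policies use."""
from fnmatch import fnmatchcase

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]                        # assumption
APPROVED_BEDROCK_PRINCIPALS = ["arn:aws:iam::*:role/ml-platform-*"]    # assumption
# Global services evaluate aws:RequestedRegion as us-east-1; denying them would
# break IAM, STS, Organizations and friends. Starting point, extend per estate.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "account:*", "support:*",
                          "route53:*", "route53domains:*", "cloudfront:*", "budgets:*",
                          "health:*", "trustedadvisor:*", "ce:*"]


def deny_unused_regions_scp(allowed_regions=APPROVED_REGIONS, exempt=GLOBAL_SERVICE_ACTIONS) -> dict:
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
        "NotAction": list(exempt), "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}}}]}


def restrict_bedrock_scp(allowed_regions=APPROVED_REGIONS, principals=APPROVED_BEDROCK_PRINCIPALS) -> dict:
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyBedrockOutsideApprovedRegions", "Effect": "Deny",
         "Action": ["bedrock:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}}},
        {"Sid": "DenyBedrockInvokeExceptApprovedPrincipals", "Effect": "Deny",
         "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"], "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(principals)}}}]}


def _action_in(action: str, patterns) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy: dict, action: str, region: str, principal_arn: str) -> bool:
    """True if any Deny statement applies to (action, region, principal).
    For an assumed-role session aws:PrincipalArn is the role's ARN."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st and not _action_in(action, st["Action"]):
            continue
        if "NotAction" in st and _action_in(action, st["NotAction"]):
            continue
        conds = st.get("Condition", {})
        applies = True
        for key, values in conds.get("StringNotEquals", {}).items():
            applies &= ctx[key] not in values
        for key, values in conds.get("ArnNotLike", {}).items():
            applies &= not any(fnmatchcase(ctx[key], v) for v in values)
        if applies:
            return True
    return False


if __name__ == "__main__":
    region_scp, bedrock_scp = deny_unused_regions_scp(), restrict_bedrock_scp()
    user = "arn:aws:iam::111122223333:user/bob"
    for action, region in (("ec2:RunInstances", "ap-south-1"), ("eks:CreateCluster", "eu-west-1")):
        print(action, region, "denied" if scp_denies(region_scp, action, region, user) else "allowed")
    print("bedrock:InvokeModel by bob:", scp_denies(bedrock_scp, "bedrock:InvokeModel", "us-east-1", user))
```

Attach the Region policy at the root or OU and keep the exemption list honest: every entry is a service that would otherwise be denied in us-east-1 for the wrong reason. The Bedrock policy is deliberately separate so that a single team OU can carry a different principal list without reopening the Region boundary.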