Slide 1

Outplay Your Adversary!
Bryce Kunz // @TweekFawkes
Version 1.0
Copyright 2022 by Stage 2 Security

Slide 2

Cloud Red Teaming: Initial Access & Privilege Escalation
Version 1.0

Slide 3

Agenda
Who Am I?
Go From Zero to Cloud Admin!
● Globally Shared Resources
● SSO Tokens & Browser Cookies
● Cloud Native Phishing
Privilege Escalation
● Graph Database Technologies
● IAM Roles
● iam:PassRole
● Basic Priv Esc Example via Graph DB
● Common Priv Esc Access Vectors
Cloud Lab Envs
● Tools & Techniques

Slide 4

WhoAmI (Overview)

Slide 5

Bryce Kunz; @TweekFawkes
Defense: DHS SOC
Offense: NSA Red Team
Adobe Digital Exp. (DX)
Services:
● Hack (Pentest)
● Hunt (Splunk ES)
● Train (Cloud Sec.)

Slide 6

AWS:
● Amazon Machine Images (AMI) Snapshots
● Elastic Block Storage (EBS) Snapshots
● Amazon Relational Database Service (RDS) Snapshots
● Serverless Application Repository
Azure:
● Azure Compute Gallery
…


Slide 10

BSidesSLC.org
Hardware Badge by @professor__plum
Friday Apr. 12th 2024, Salt Lake City, Utah
https://BSidesSLC.org

Slide 11

BSidesSLC.org
Hardware Badge by @professor__plum
Friday Apr. 14th 2023 & Saturday Apr. 15th 2023, Salt Lake City, Utah
https://BSidesSLC.org

Slide 12

Go From Zero to Cloud Admin! (Overview)

Slide 13

Typical Steps:
● Exploit App
● Collect Creds
● Reuse Creds
Diagram labels: AWS Account; External Resources; Elastic Block Store (EBS) Volume / Snapshot; Elastic Compute Cloud (EC2) Instance / Instances; AWS IAM Role; AWS STS Temporary Credentials; Policies; Identities; Global Cloud

Slide 14

Globally Shared Resources:
● EC2 AMIs
● EBS Snapshots
● RDS Snapshots
● etc…
Diagram labels: AWS Account; Elastic Block Store (EBS) Volume / Snapshot; Elastic Compute Cloud (EC2) Instance / Instances; Global Cloud; Secrets

Slide 15

Client-Side Vectors:
● RCE
● Cookies
● Phishing
● AiTM
● Supply Chain
● Social Engineering
● Extensions
● etc…
Diagram labels: AWS Account; Elastic Block Store (EBS) Volume / Snapshot; Elastic Compute Cloud (EC2) Instance / Instances; AWS IAM Role; AWS STS Temporary Credentials; Policies; Identities; Global Cloud; Admin

Slide 16

Globally Shared Resources

Slide 17

Globally Public Resources
AWS:
● Amazon Machine Images (AMI) Snapshots
● Elastic Block Storage (EBS) Snapshots
● Amazon Relational Database Service (RDS) Snapshots
● Serverless Application Repository
Azure:
● Azure Compute Gallery
https://github.com/SummitRoute/aws_exposable_resources

Slide 18

Public Elastic Block Storage (EBS) Snapshots
Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!
https://github.com/BishopFox/dufflebag

Slide 19

SSO Tokens & Browser Cookies (Client-Side)

Slide 20

Overview
Methods Include:
● Malicious Browser Extension
● Adversary-in-the-Middle (AiTM)
Other Common Methods Include:
● Malicious Documents (e.g. Office Macros)
● Malicious Applications

Slide 21

Malicious Browser Extensions

Slide 22

Malicious Browser Extension
Diagram labels: Users; Browser; TLS; SSO / App; Evil Server

Slide 23

Red Team Toolkit Options: CursedChrome
https://github.com/mandatoryprogrammer/CursedChrome

Slide 24

ChatGPT-4: Build me an Extension please! :)
https://www.linkedin.com/posts/danielperjesi_how-i-created-a-chrome-extension-with-chatgpt-activity-7021098555054432256-W3Kl

Slide 25

ChatGPT-4 Builds an Extension
https://developer.chrome.com/docs/webstore/publish/

Slide 26

CursedChrome: Backdoor the Extension
https://www.youtube.com/watch?v=cdSXdwa5trc

Slide 27

Defense: Enterprise Policies (e.g. Chrome)
Diagram labels: Users; Browser; TLS; SSO / App; Evil Server
https://github.com/mandatoryprogrammer/ChromeGalvanizer

Slide 28

Adversary-in-the-Middle (AiTM)

Slide 29

Adversary-in-the-Middle (AiTM)
Diagram labels: Users; Browser; TLS; Evil Proxy; TLS; SSO / App

Slide 30

Phishing + AiTM
Diagram labels: Email; Users; Browser; TLS; Evil Proxy; TLS; SSO / App

Slide 31

Browser Access
Diagram labels: Email; Users; Browser; TLS; Evil Proxy; TLS; SSO / App; Browser

Slide 32

SaaS & Cloud Access
Diagram labels: Email; Users; Browser; TLS; Evil Proxy; TLS; SSO / App; Browser; SaaS / CSP

Slide 33

EDRs: Largely Ignore Browser Sessions!
Diagram labels: Email; Users; Browser; TLS; Evil Proxy; TLS; SSO / App; Browser; SaaS / CSP; EDR; EDR; Cloud

Slide 34

Red Team Toolkit Options
AiTM:
● Evilginx2: https://github.com/kgretzky/evilginx2
● https://github.com/drk1wi/Modlishka
● https://github.com/muraenateam/muraena
● https://github.com/ustayready/CredSniper
Phishing:
● GoPhish: https://github.com/gophish/gophish
● https://github.com/pentestgeek/phishing-frenzy
● https://github.com/rsmusllp/king-phisher

Slide 35

Red Team Toolkit Options
AiTM (Evilginx2) + Phishing (GoPhish) = EvilGoPhish
https://github.com/fin3ss3g0d/evilgophish

Slide 36

Defense: Incorrect FQDN (Okta-Test.com vs. Okta.com)
Diagram labels: Email; Users; Browser; TLS; Okta-Test.com; TLS; Okta.com; Browser; SaaS / CSP; EDR; EDR; Cloud

Slide 37

Defense: FIDO2 (Hardware/YubiKey) + WebAuthn
Diagram labels: Email; Users; Browser; TLS; Okta-Test.com; TLS; Okta.com; Browser; SaaS / CSP; EDR; EDR; Cloud
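Why the FIDO2 + WebAuthn defense on this slide holds up against the AiTM proxy from the previous slides: the browser, not the page, writes the `origin` field of clientDataJSON from the site it is actually connected to, the authenticator signs a hash of that document, and the relying party refuses any assertion whose origin or challenge is not its own. The following is an added illustration, not code from the deck or from any vendor; it simulates the browser and authenticator pieces in-process, uses `okta.com` / `okta-test.com` from the diagram as stand-in names, and checks the context fields only (signature verification over `signed_message()` would need the registered public key and is left out).

```python
import base64
import hashlib
import json
import secrets
import struct


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Relying-party side: a fresh random challenge per login, kept in the session."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(origin: str, challenge: str) -> str:
    """Browser side (simulated for this example): the browser fills in `origin`
    from the page it is really on, so a proxy at okta-test.com cannot claim okta.com."""
    doc = {"type": "webauthn.get", "challenge": challenge,
           "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(doc).encode())


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Authenticator side (simulated): rpIdHash || flags || signCount (37 bytes).
    flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion_context(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: str, rp_id: str, allowed_origins):
    """Relying-party checks that defeat a relayed login. Returns (ok, reason)."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not the relying party"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def signed_message(authenticator_data: bytes, client_data_b64: str) -> bytes:
    """What the authenticator signs: authData || SHA-256(clientDataJSON).
    Because clientDataJSON is under the signature, a proxy cannot rewrite the
    origin field to satisfy verify_assertion_context() without breaking it."""
    return authenticator_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()


RP_ID = "okta.com"                       # stand-in names from the diagram
ALLOWED_ORIGINS = {"https://okta.com"}

if __name__ == "__main__":
    challenge = new_challenge()
    auth_data = make_authenticator_data(RP_ID)
    # 1) user signs in at the genuine site
    print(verify_assertion_context(make_client_data("https://okta.com", challenge),
                                   auth_data, challenge, RP_ID, ALLOWED_ORIGINS))
    # 2) user is on an AiTM proxy at okta-test.com that relays the same challenge
    print(verify_assertion_context(make_client_data("https://okta-test.com", challenge),
                                   auth_data, challenge, RP_ID, ALLOWED_ORIGINS))
```

The second call fails on the origin check even though the challenge was relayed correctly; that is the property a password plus TOTP does not have, since both of those are just strings the proxy can forward.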

Slide 38

One More Thing! Cloud Native Phishing

Slide 39

Shout Out! Scott Piper @0xdabbad00
https://tldrsec.com/blog/lesser-known-aws-attacks/

Slide 40

SocialStackSetSmother v1

Slide 41

SocialStackSetSmother
Diagram labels: AWS Account - Client - #90210; AWS Account - Attacker - #31337; EC2; Instances; AWS IAM Role; Policies; Admin; Cloud Formation Template; Stack; Lambda Function

Slide 42

SocialStackSetSmother: Click Link In Email
https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://TODO_BUCKET_NAME.s3.amazonaws.com/TODO_TEMPLATE_NAME.yml&stackName=TODO_STACK_NAME
https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

Slide 43

SocialStackSetSmother
Diagram labels: AWS Account - Client - #90210; AWS Account - Attacker - #31337; S3; EC2; Instances; AWS IAM Role; Policies; Admin; Public Object cf_template.yaml; S3 Bucket; API GW; S3 Bucket Object results001.txt; Endpoint; Lambda Function; Cloud Formation Template; Stack; Lambda Function; Email; AWS IAM Policies; Role

Slide 44

SocialStackSetSmother
https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

Slide 45

SocialStackSetSmother
Diagram labels: AWS Account - Client - #90210; AWS Account - Attacker - #31337; S3; EC2; Instances; AWS IAM Role; Policies; Admin; Public Object cf_template.yaml; S3 Bucket; API GW; S3 Bucket Object results001.txt; Endpoint; Lambda Function; Cloud Formation Template; Stack; Lambda Function; Email; AWS IAM Policies; Role; AWS SAM

Slide 46

SocialStackSetSmother
Attacker Needs the Target's AWS Account ID# To Follow The Path Back

Slide 47

SocialStackSetSmother
Diagram labels: AWS Account - Client - #90210; AWS Account - Attacker - #31337; S3; EC2; Instances; AWS IAM Role; Policies; Admin; API GW; S3 Bucket Object results001.txt; Endpoint; Lambda Function; Cloud Formation Template; Stack; Lambda Function; AWS IAM Policies; Role; AWS SAM


Slide 49

SocialStackSetSmother Sample Code
https://github.com/TweekFawkes/SocialStackSetSmother

Slide 50

SocialStackSetSmother v0.0.1
Areas for Improvement in v0.0.1:
● CF Template Assumes the User Has the Permissions/Ability to:
○ Create an IAM Role with “AdministratorAccess” policy attached
○ Create & Execute a Lambda Function e.g. lambda:InvokeFunction
● CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS
● CF Template contains Python code which is easy to analyze and determine it looks suspicious
○ Python Code also contains Attacker’s API GW URL
● Phish contains link to Attacker’s Globally Unique S3 Bucket Name

Slide 51

SocialStackSetSmother v0.0.2


Slide 53

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas to Remediate:
● Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
● CDN to S3 Bucket to Mask Name
● Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

Slide 54

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml


Slide 56

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
❌ Invalid Input // No Object in S3 Bucket: https://tmnttime.s3.us-east-2.amazonaws.com/template-v0-0-0.yaml
https://www.youtube.com/watch?v=nDei76dTTdY

Slide 57

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
✅ Invalid Input // Invalid Scheme: bryce://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY

Slide 58

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
✅ Invalid Input // Invalid TCP Port: https://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY

Slide 59

Idea: Leverage an obfuscated URL to mislead
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
✅ Invalid Input // Invalid Protocol & TCP Port: ftp://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml
Anyone going to ftp on port 2222 will be rejected, but the AWS CF service will still deploy the malicious template.
https://www.youtube.com/watch?v=nDei76dTTdY

Slide 60

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://tmnttime.s3.amazonaws.com@example.com/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY


Slide 62

Phish Contains Link to Attacker’s S3 Bucket Name
Ideas: CDN to S3 Bucket to Mask Name
✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml
❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml
https://www.youtube.com/watch?v=nDei76dTTdY
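The acceptance rules worked out on the preceding slides (scheme and TCP port ignored, host must be an S3 endpoint, userinfo and CDN hosts rejected) are exactly what a defender needs to triage a reported launch-stack link or a CloudTrail `CreateStack` record: what matters is which bucket the template really loads from, not what the link looks like. The block below is an added example, not the deck's code; it derives the bucket from a `templateURL` the way those slides describe (and also handles path-style `s3.amazonaws.com/<bucket>/...` URLs, which the deck does not show), compares it to an allowlist of organisation-owned template buckets, and applies that to constructed CloudTrail-shaped records. The allowlist bucket name, the sample account ID and the records are all made up for the example; the field names `requestParameters.templateURL` and `.capabilities` follow CloudTrail's CloudFormation events.

```python
import re
from urllib.parse import urlsplit

# Buckets your organisation publishes CloudFormation templates from.
# Hypothetical allowlist for this example; replace with your own.
ALLOWED_TEMPLATE_BUCKETS = {"corp-cfn-templates"}

# S3 endpoint hosts: s3.amazonaws.com, s3.us-east-2.amazonaws.com, s3-us-west-1.amazonaws.com
S3_ENDPOINT = r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
VHOST_RE = re.compile(r"([a-z0-9.-]+)\." + S3_ENDPOINT)   # <bucket>.s3[.region].amazonaws.com
PATH_RE = re.compile(S3_ENDPOINT)                          # s3[.region].amazonaws.com/<bucket>/...


def template_bucket(template_url: str):
    """Name of the S3 bucket a templateURL really points at, or None.

    Mirrors the behaviour shown in the deck: the scheme and port are ignored
    (ftp://...:2222 still loads), but the host itself must be an S3 endpoint,
    so userinfo tricks (bucket.s3.amazonaws.com@example.com) and CDN fronts
    (cloudfront.net) yield None because CloudFormation would not fetch them.
    """
    parts = urlsplit(template_url.strip())
    if parts.username is not None or parts.password is not None:
        return None  # "@" in the authority: the real host is after the "@"
    host = (parts.hostname or "").lower()
    m = VHOST_RE.fullmatch(host)
    if m:
        return m.group(1)
    if PATH_RE.fullmatch(host):
        bucket = parts.path.lstrip("/").split("/", 1)[0]
        return bucket or None
    return None


def classify_template_url(template_url: str, allowed=ALLOWED_TEMPLATE_BUCKETS) -> str:
    bucket = template_bucket(template_url)
    if bucket is None:
        return "not-an-s3-url"
    return "trusted" if bucket in allowed else "external-bucket"


def flag_stack_events(events, allowed=ALLOWED_TEMPLATE_BUCKETS):
    """CreateStack/UpdateStack records whose template came from outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        if ev.get("eventName") not in ("CreateStack", "UpdateStack"):
            continue
        params = ev.get("requestParameters") or {}
        url = params.get("templateURL")
        if not url:
            continue  # inline TemplateBody: review the body itself instead
        verdict = classify_template_url(url, allowed)
        if verdict == "trusted":
            continue
        findings.append({
            "event": ev["eventName"],
            "actor": ev.get("userIdentity", {}).get("arn"),
            "bucket": template_bucket(url),
            "verdict": verdict,
            # CAPABILITY_IAM / CAPABILITY_NAMED_IAM means the template may create
            # roles and policies, which is what the deck's phishing template does
            "creates_iam": any("IAM" in c for c in params.get("capabilities", [])),
        })
    return findings


# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"stackName": "quick-start",
                           "templateURL": "https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml",
                           "capabilities": ["CAPABILITY_NAMED_IAM"]}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"stackName": "app",
                           "templateURL": "https://corp-cfn-templates.s3.amazonaws.com/app.yaml"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "logs"}},
]

if __name__ == "__main__":
    for finding in flag_stack_events(SAMPLE_EVENTS):
        print(finding)
```

Running it prints one finding: alice's `CreateStack` from the `tmnttime` bucket with IAM capabilities requested. A redirector or CDN in the phishing link never reaches this check, because CloudTrail records the URL CloudFormation actually fetched.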


Slide 65

Finding S3 Buckets with Public PutObject Perms
Crime Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/

Slide 66

Thinking…
Crime Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/
This was in 2019… is something similar to this even still possible in 2023?
If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket?
Can anyone pull this off or is this something only a nation state will be able to execute on now?

Slide 67

AWS Serverless Application Model (SAM)
https://aws.amazon.com/serverless/build-a-web-app/

Slide 68

AWS Serverless Application Model (SAM)
Infrastructure as Code based on CloudFormation, but much simpler to implement common Serverless Application Models...
https://aws.amazon.com/serverless/sam/

Slide 69

AWS Serverless Application Model (SAM)
The Serverless Application Model is commonly referred to as “SAM” in AWS documentation.
SAM is NOT an AWS Service; it’s more similar to Zappa or Terraform.
New Resource Types with SAM:
● AWS::Serverless::Function -> AWS Lambda Functions
● AWS::Serverless::Api -> AWS API Gateway APIs
● AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables
https://aws.amazon.com/serverless/sam/

Slide 70

Leverage SAM to Create...
SAM:
● template.yaml
● app.py
● etc.
-> CloudFormation

Slide 71

SAM Template
A simple AWS SAM application that triggers a Lambda function every 120 seconds using CloudWatch Events
SAM Template:
● CloudWatch Events
○ Every 120 Seconds
● Lambda
○ Python 3.9
● Attach Policy to Enable:
○ s3:PutObject to Specific bucketname e.g. sds3bn001
● Set Timeout to Max:
○ 15 Minutes (900 Seconds)

Slide 72

Lambda Application - Part 1
Create Random Bucket Names:
● Generate a Random Bucket Name

Slide 73

Lambda Application - Part 2
Create Random Bucket Names:
● Generate a Random Bucket Name
● Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names

Slide 74

Lambda Application - Part 3
Create Random Bucket Names:
● Generate a Random Bucket Name
● Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist

Slide 75

Lambda Application - Part 4
Create Random Bucket Names:
● Generate a Random Bucket Name
● Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names
Try 33x Random Names
● 200 - S3 Bucket Exists
● 403 - S3 Denied
● 404 - S3 Does NOT Exist
Write Results to S3 Bucket


Slide 77

Cron via CloudWatch Events
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html
● CloudWatch Events - Every 120 seconds (*/2 * * * *)
● 33x with a 0-3 second delay, max 15 min
● ~300 Buckets (HTTP 200s) in ~5 Days
● python3 requests: https://' + sRandomString + '.s3.amazonaws.com
● HTTP 200 means the Bucket Exists
SAM:
● template.yaml
● app.py
● etc.
-> CloudFormation

Slide 78

Cloud9 IDE
https://aws.amazon.com/cloud9/

Slide 79

PyCharm IDE
https://aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

Slide 80

Processing Scripts
001_download_objects_from_s3.py
● Download all the objects from S3
● Combine the contents into one python list
002_find_valid_s3_buckets.py
● Sort through the python list to find all the HTTP 200 Response Codes
○ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket
003_find_public_write.py
● Attempt to Upload an object with a .yml extension to the S3 Bucket
● Double Check that we can access the object publicly via the Internet
● If Successful, Attempt to Delete the Uploaded .yml Object
And the Results…?

Slide 81

The Results?
And the Results…?
In ~5 days it discovered ~10 S3 buckets which are publicly accessible and anyone can upload a file to, presumably to host a malicious CloudFormation template :/
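The processing scripts above find writable buckets from the outside, by uploading and then deleting a probe object. The owner of a bucket does not need to probe: the bucket policy and legacy ACL say directly whether an anonymous caller may write. The block below is an added example, not the deck's code or an AWS tool; it audits those two documents offline for the misconfiguration the results slide counts (anonymous `s3:PutObject` via a bucket policy, or `WRITE`/`FULL_CONTROL` granted to the AllUsers/AuthenticatedUsers groups in the ACL). The policy and ACL documents are constructed for the example and follow the shape `get-bucket-policy` (policy as a JSON string) and `get-bucket-acl` return; the AWS API calls that would fetch them are left out so the check runs stand-alone.

```python
import fnmatch
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: effectively public
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def action_allows(actions, wanted: str) -> bool:
    """IAM action matching: case-insensitive, with * and ? wildcards (s3:*, s3:Put*)."""
    wanted = wanted.lower()
    return any(fnmatch.fnmatchcase(wanted, str(a).lower()) for a in _as_list(actions))


def public_put_statements(policy: dict):
    """Statements in a bucket policy that let anonymous callers write objects."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "NotAction" in st or "NotPrincipal" in st:
            continue  # NotAction/NotPrincipal grants are broad; review those by hand
        if not principal_is_anonymous(st.get("Principal")):
            continue
        if not action_allows(st.get("Action", []), "s3:PutObject"):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "resource": st.get("Resource"),
            # a Condition (e.g. aws:SourceVpce) may narrow "anyone"; still review it
            "conditioned": "Condition" in st,
        })
    return findings


def public_write_grants(acl: dict):
    """Legacy ACL grants that give a global group WRITE or FULL_CONTROL."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in ("WRITE", "FULL_CONTROL")):
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out


def audit_bucket(name: str, policy: dict, acl: dict) -> dict:
    """Combine both checks; an empty 'issues' list means no anonymous write path was found."""
    issues = [f"policy statement {f['sid']!r} allows anonymous s3:PutObject"
              for f in public_put_statements(policy)]
    issues += [f"ACL grants {group} {perm}" for group, perm in public_write_grants(acl)]
    return {"bucket": name, "issues": issues}


# Constructed sample documents for the example.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]}""")

WRITABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"},
                {"Sid": "Uploads", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-uploads/*"}]}""")

WRITABLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print(audit_bucket("example-site", READ_ONLY_POLICY, {"Grants": []}))
    print(audit_bucket("example-uploads", WRITABLE_POLICY, WRITABLE_ACL))
```

A public-read policy alone (the first sample) produces no finding; the second sample is flagged twice, once for the `s3:Put*` wildcard and once for the ACL grant. S3 Block Public Access at the account or bucket level overrides both mechanisms, so a bucket that fails this offline check is only exposed if that setting is also off; checking it is the complementary step.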

Slide 82

Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!

Slide 83

Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!
If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run

Slide 84

Answers…
This was in 2019… is something similar to this even still possible in 2023?
YES!
If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket?
A few hours of coding and ~5 days or less to run
Can anyone pull this off or is this something only a nation state will be able to execute on now?
Anyone with basic python3 scripting skills and some AWS experience can pull this off.

Slide 85

SocialStackSetSmother v0.0.2
Areas for Improvement in v0.0.2:
● CF Template Assumes the User Has the Permissions/Ability to:
○ Create an IAM Role with “AdministratorAccess” policy attached
○ Create & Execute a Lambda Function e.g. lambda:InvokeFunction
● CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS
● CF Template contains Python code which is easy to analyze and determine it looks suspicious
○ Python Code also contains Attacker’s API GW URL
● Phish contains link to Attacker’s Globally Unique S3 Bucket Name

Slide 86

What’s Next?
● June & July – More Code Releases with Updates on LinkedIn
● August – Black Hat USA Training – Las Vegas: Astute AWS/Azure/GCP Cloud Red Team: It's Raining Shells! - 2023 Edition
● October – SaintCon – Utah

Slide 87

Contact Info
Twitter: @TweekFawkes
LinkedIn: https://www.linkedin.com/in/brycekunz/
Email: Bryce.Kunz@uvcyber.com
Slide Decks: https://speakerdeck.com/tweekfawkes/
Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

Slide 88

Thank You!
Trainings @ BlackHat & On-Site!
Training@Stage2Sec.com
@TweekFawkes

Slide 89

End (Overview)