Slide 1

Learning from AWS Customer Security Incidents
Rami McCarthy (@ramimacisabird)

Slide 2

Rami McCarthy, Product Security Engineer (Reformed Security Consultant)
● AWS Certified Security - Specialty
● CCSKv4
Creator of sadcloud, contributor to ScoutSuite

Slide 3

Agenda
● Background
● Breaches
● Prior Art
● Case Studies
● Trends
● Recommendations

Slide 4

The Cloud
Photo by Kenrick Mills on Unsplash

Slide 5

No content

Slide 6

No content

Slide 7

Breaches

Slide 8

Blameless Post-Mortems
https://landing.google.com/sre/sre-book/chapters/postmortem-culture

Slide 9

The common cases: S3, ElasticSearch
● https://github.com/nagwww/s3-leaks
● https://www.upguard.com/breaches

Slide 10

Database Ransomware
● AWS services or user managed
● Generally, internet exposed with a weak password
● BTC ransom
● Some examples:
  ○ https://mangolassi.it/topic/19664/database-held-for-ransom-anyone-experience-this-before/16
  ○ https://forums.aws.amazon.com/thread.jspa?threadID=249445

Slide 11

Prior Art

Slide 12

No content

Slide 13

No content

Slide 14

No content

Slide 15

No content

Slide 16

No content

Slide 17

Case Studies

Slide 18

Capital One, 2019
Initial Access:
● Misconfigured “firewall” (WAF)
● SSRF -> Metadata
Escalation/Persistence:
● Over-privileged EC2 role
Impact:
● 100M+ credit card applications stored in S3
https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach

Slide 19

Code Spaces, 2014
Initial Access:
● AWS Console credentials (phishing?)
Escalation/Persistence:
● Attacker created additional accounts/access keys
Impact:
● Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/

Slide 20

DNC Hack by the GRU, 2016
Initial Access:
● Unknown; test clusters breached
Escalation/Persistence:
● EC2 snapshots copied to attacker AWS accounts
Impact:
● Tableau and Vertica queries
https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000

Slide 21

DataDog, 2016
Initial Access:
● CI/CD AWS access key and SSH private key leaked
Escalation/Persistence:
● Attacker attempted to pivot with customer credentials
Impact:
● 3 EC2 instances and a subset of S3 buckets
https://www.datadoghq.com/blog/2016-07-08-security-notice/

Slide 22

Uber, 2016
Initial Access:
● Private GitHub repo with AWS credentials
Escalation/Persistence:
● N/A
Impact:
● Names and driver’s license numbers of 600k drivers
● PII of 57 million users
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
https://www.commerce.senate.gov/services/files/7d70e53e-73e9-4336-a100-67b233084f12

Slide 23

OneLogin, 2017
Initial Access:
● AWS keys
Escalation/Persistence:
● Created EC2 instances
Impact:
● Accessed database tables (with encrypted data)
https://www.onelogin.com/blog/may-31-2017-security-incident

Slide 24

Politifact, 2017
Initial Access:
● “Misconfigured cloud computing server”
Escalation/Persistence:
● N/A
Impact:
● Coinhive cryptojacking
https://www.washingtonpost.com/news/the-switch/wp/2017/10/13/hackers-have-turned-politifacts-website-into-a-trap-for-your-pc/

Slide 25

LA Times, 2018
Initial Access:
● S3 global write access
Escalation/Persistence:
● N/A
Impact:
● Coinhive cryptojacking added to homicide.latimes.com
https://www.tripwire.com/state-of-security/security-data-protection/la-times-website-cryptojacking-attack/

Slide 26

Tesla, 2018
Initial Access:
● Globally exposed Kubernetes console
● Pod with AWS credentials
Escalation/Persistence:
● N/A
Impact:
● Cryptojacking
https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/

Slide 27

Imperva, 2018
Initial Access:
● “Internal compute instance” globally accessible
● “Contained” AWS API key
Escalation/Persistence:
● N/A
Impact:
● RDS snapshot stolen
https://www.imperva.com/blog/ceoblog/

Slide 28

Cisco, 2018
Initial Access:
● Former employee with AWS access 5 months post-resignation
Escalation/Persistence:
● N/A
Impact:
● Deleted ~450 EC2 instances
https://www.zdnet.com/article/former-cisco-engineer-pleads-guilty-to-network-damage-wiping-16000-webex-teams-accounts/

Slide 29

JW Player, 2019
Initial Access:
● Weave Scope (publicly exposed), RCE by design
Escalation/Persistence:
● N/A
Impact:
● Cryptojacking
https://medium.com/jw-player-engineering/how-a-cryptocurrency-miner-made-its-way-onto-our-internal-kubernetes-clusters-9b09c4704205

Slide 30

Malindo Air, 2019
Initial Access:
● Former employees of an e-commerce provider abused their access
Escalation/Persistence:
● N/A
Impact:
● 35 million customer records
https://www.infosecurity-magazine.com/news/malindo-air-data-breach-was-inside/

Slide 31

Twilio, 2020
Initial Access:
● S3 global write access
Escalation/Persistence:
● N/A
Impact:
● Magecart
https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020

Slide 32

Magecart and S3 Global Write … interlude
As of July 2019: “the group has managed to compromise a vast collection of S3 buckets to impact well over 17,000 domains” - RiskIQ
https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/

Slide 33

“Behind the scenes in the Expel SOC: Alert-to-fix in AWS”, 2020
Initial Access:
● Root IAM user access key compromised
Escalation/Persistence:
● SSH keys generated for EC2 instances
Impact:
● Cryptojacking
https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/

Slide 34

“Finding evil in AWS: A key pair to remember”, 2020
Initial Access:
● 8 IAM access keys compromised
Escalation/Persistence:
● Backdoored security groups
Impact:
● Command line access to EC2 instances
https://expel.io/blog/finding-evil-in-aws/

Slide 35

TeamTNT Worm, 2020
Initial Access:
● Misconfigured Docker & k8s platforms
Escalation/Persistence:
● Steals AWS credentials from ~/.aws/*
Impact:
● Cryptojacking for Monero
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials

Slide 36

Cryptomining AMI, 2020
Initial Access:
● Windows 2008 Server Community AMI
Escalation/Persistence:
● N/A
Impact:
● Monero miner
https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713

Slide 37

Mandiant: Insider Threat Scenario, 2020
Initial Access:
● Fired employee uses credentials
Escalation/Persistence:
● Access CI/CD server, create a new user, steal credentials
Impact:
● Deleted production databases
https://www.youtube.com/watch?v=rtEjI_5TPdw

Slide 38

Trends

Slide 39

MITRE ATT&CK AWS Matrix
https://attack.mitre.org/matrices/enterprise/cloud/aws/

Slide 40

MITRE ATT&CK AWS Matrix

Slide 41

Initial Vectors

Slide 42

Initial Vectors

Slide 43

Recommendations
Metadata Access:
● SSDLC
● Penetration Testing
● IMDSv2
S3 Global Write:
● Access Analyzer for S3* (https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html)
Malicious AMIs:
● Only use trusted sources
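A way to check your own buckets for the global-write condition behind the LA Times and Twilio incidents, as an added example (not from the talk and not AWS's Access Analyzer): it evaluates a bucket policy document and ACL grant list in the shapes GetBucketPolicy and GetBucketAcl return; the sample policy and grants below are constructed.

```python
# Principals AWS treats as "everyone" in ACL grants.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller change bucket contents (lower-cased for comparison).
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_global_write(bucket_policy, acl_grants):
    """Return human-readable findings for every world-writable grant or statement."""
    findings = []
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            if grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    for stmt in _as_list((bucket_policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        hits = sorted({a.lower() for a in _as_list(stmt.get("Action", []))} & WRITE_ACTIONS)
        if not hits:
            continue
        # A Condition may narrow the caller set, but only a human review can confirm that.
        note = " (has a Condition; confirm it restricts callers)" if stmt.get("Condition") else ""
        findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {', '.join(hits)} to everyone{note}")
    return findings


SAMPLE_POLICY = {  # constructed example policy for a hypothetical bucket
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OpenWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_GRANTS = [  # constructed, in the shape of GetBucketAcl's "Grants" list
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]

if __name__ == "__main__":
    for finding in find_global_write(SAMPLE_POLICY, SAMPLE_GRANTS):
        print(finding)
```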

Slide 44

Recommendations
Application Vulnerability:
● Asset Inventory
● Patch Management
● Limit External Exposure
Valid Credential Abuse:
● Offboarding
● Third party risk
● Principle of Least Privilege
● Logging/Monitoring
  ○ Heuristics
    ■ Time
    ■ Location
    ■ Activity
Valid Credential Theft:
● IAM Best Practices
  ○ MFA
  ○ Key Rotation
  ○ Avoid static credentials
● Principle of Least Privilege
  ○ Cloudsplaining
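The time/location/activity heuristics above, applied to CloudTrail records, as an added example that is not part of the talk: the sensitive-event list is drawn from the escalation steps in the case studies (new users and access keys, security-group changes, snapshot sharing, trail tampering); the known source prefix, working hours and the three records are constructed, and the IP-prefix test stands in for a real geolocation lookup.

```python
from datetime import datetime, timezone

# Constructed baseline: where and when legitimate automation normally calls the API from.
KNOWN_SOURCE_PREFIXES = ("203.0.113.",)   # documentation range used as a stand-in
WORK_HOURS_UTC = range(8, 20)             # 08:00-19:59 UTC

# API calls seen as escalation/persistence steps in the case studies.
SENSITIVE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "AuthorizeSecurityGroupIngress", "ModifySnapshotAttribute",
    "ModifyDBSnapshotAttribute", "StopLogging", "DeleteTrail",
}


def score_event(event):
    """Return which heuristics (time, location, activity) a CloudTrail record trips."""
    reasons = []
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if when.hour not in WORK_HOURS_UTC:
        reasons.append("time")
    ip = event.get("sourceIPAddress", "")
    # Calls AWS services make on your behalf carry a service hostname rather than an IP.
    if not ip.endswith("amazonaws.com") and not ip.startswith(KNOWN_SOURCE_PREFIXES):
        reasons.append("location")
    if event["eventName"] in SENSITIVE_EVENTS:
        reasons.append("activity")
    return reasons


def triage(events, min_reasons=2):
    """Records tripping at least min_reasons heuristics, i.e. worth an analyst's attention."""
    out = []
    for e in events:
        reasons = score_event(e)
        if len(reasons) >= min_reasons:
            out.append((e["eventName"], e["userIdentity"]["arn"], reasons))
    return out


SAMPLE_EVENTS = [  # constructed records using CloudTrail's field names, not real logs
    {"eventTime": "2020-09-14T10:15:02Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}},
    {"eventTime": "2020-09-14T03:41:55Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}},
    {"eventTime": "2020-09-14T11:02:10Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}},
]

if __name__ == "__main__":
    for name, arn, reasons in triage(SAMPLE_EVENTS):
        print(f"{name} by {arn}: {', '.join(reasons)}")
```

The third record trips only the activity heuristic, so it stays below the triage threshold; raise or lower min_reasons to trade alert volume against coverage.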

Slide 45

https://opensource.salesforce.com/cloudsplaining/#/summary

Slide 46

Thank you!
Feel free to track me down in Discord or on Twitter.
https://speakerdeck.com/ramimac
Puppy tax

Slide 47

Top 10 Cloud Attack Killchains
1. Static API Credential Exposure to Account Hijack
2. Compromised Server via Exposed Remote Access Ports
3. Compromised Database via Inadvertent Exposure
4. Object Storage Public Data Exposure
5. Server Side Request Forgery
6. Cryptomining
7. Network Attack
8. Compromised Secrets
9. Novel Cloud Data Exposure and Exfiltration
10. Subdomain Takeover
https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/