Slide 1

Threats and Countermeasures in AWS Environments from an Attacker's Perspective
Yuta Morioka (@scgajge12)
AWS Community Builder (Security & Identity)
2024/08/25

Slide 2

Self-Introduction
• Name: Yuta Morioka
  • morioka12 (@scgajge12)
• Job: Security Engineer in Japan
  • GMO Cybersecurity by Ierae, Inc.
• AWS title: AWS Community Builder
  • Security & Identity Builder since 2024
• My favorite AWS Services:
  • Amazon S3, AWS Lambda
https://scgajge12.github.io/

Slide 3

Relationship with JAWS-UG
1. May 2022: Security-JAWS #25 Speaker
2. Oct 2022: JAWS DAYS 2022 Speaker
3. Aug 2023: Security-JAWS #30 CTF Organizer
4. Mar 2024: JAWS DAYS 2024 Speaker
5. Aug 2024 (now): JAWS PANKRATION 2024 Speaker

Slide 4

Agenda (15 minutes)
1. Attacker's Perspective on the Enterprise Cloud Environment
2. Attackers' Intrusion Techniques in AWS Environment
3. Security Measures in Cloud Environment
4. Summary

Slide 5

1. Attacker's Perspective on the Enterprise Cloud Environment

Slide 6

Common Threats in Cloud Environment
Main Causes
• Misconfiguration, Improper Identity Management
• Vulnerable Applications and APIs
Major Threats
• Leakage of Customer or Internal Information
• Tampering with Programs, Data, or AWS Resources

Slide 7

Attacker Perspective on Cloud Environment
Attacker's Main Objective
• Final Goal
  • Obtaining Confidential Information
    • Customer Information, Employee Information, Company Information, …
    • AWS: S3, RDS, DynamoDB, EBS, EFS, Secrets Manager, …
  • Misuse of AWS Resources
    • Mining, Malware Distribution, DoS Attack, …
    • AWS: EC2, Lambda, S3, Fargate, …
  • Negative Business Impact
    • Suspension of Service, Repair Cost, Impression Manipulation, Stock Prices, …
• Initial Objectives
  • Obtain Credentials for AWS, APIs, etc.

Slide 8

Attacker Perspective on Cloud Environment
MITRE ATT&CK Framework for Cloud (IaaS)
• A framework for understanding and addressing security incidents in cloud environments
• A framework that categorizes the tactics, techniques, and procedures (TTPs) used in targeted attacks
  • Targeted Attacks: attacks against specific organizations or individuals
• Divides the attack lifecycle into 11 tactics

Slide 9

MITRE ATT&CK Framework for Cloud (IaaS)
https://attack.mitre.org/matrices/enterprise/cloud/iaas/

Slide 10

MITRE ATT&CK Framework for Cloud (IaaS)
Initial Invasion
1. Initial Access
2. Execution
Research
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
Misuse
9. Collection
10. Exfiltration
11. Impact

Slide 11

2. Attackers' Intrusion Techniques in AWS Environment

Slide 12

Intrusion Techniques in AWS Environment
1. Initial Access
• Summary
  • Obtain Credentials (IAM) to break into the AWS Environment
• Points
  • The “Attacker” has an anything-goes style.
  • Wide variety of attack methods and perspectives

Slide 13

Intrusion Techniques in AWS Environment
1. Initial Access
• Main Targets
  • Services Provided
    • Web Site, Mobile App, API, Server, …
    • (Threats: Vulnerability Attacks)
  • Company Employee
    • PC, Server, Mobile, …
    • (Threats: Phishing, Malware Infections)
  • Affiliated Company
    • (Threats: Supply Chain Attacks)

Slide 14

Intrusion Techniques in AWS Environment
1. Initial Access
• Vulnerability Attacks
  • For Web Applications and APIs, Mobile, …
  • Obtaining IAM from the EC2 Metadata Server
  • Obtaining Credential Information from Lambda Environment Variables
  • Obtaining Hard-Coded Credentials for the App
→ Credential Acquisition

Slide 15

Intrusion Techniques in AWS Environment
Ex: Obtaining IAM for PDF Generation Functions
• Terms
  • Web App running on EC2 that takes any string entered by the user and embeds it in a PDF
• Vulnerability Attacks
  • HTML Injection
    • Can embed any HTML tag (iframe)
  • SSRF (Server Side Request Forgery)
    • Can reach the internal server (metadata service) by making the EC2 host issue a request to it

Slide 16

OWASP Top 10 / API Security Risks: SSRF (Server-Side Request Forgery)
• OWASP Top 10 – 2021: 10th place
• OWASP Top 10 API Security Risks – 2023: 7th place
https://owasp.org/Top10/
https://owasp.org/API-Security/

Slide 17

Intrusion Techniques in AWS Environment
Ex: Obtaining IAM for PDF Generation Functions
• SSRF via HTML Injection inside a PDF file on EC2
https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

Slide 18

Intrusion Techniques in AWS Environment
Ex: Obtaining IAM for PDF Generation Functions
• Attack Payload
← Generated PDF
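The countermeasure on the application side of the PDF case above is to decide, before fetching any resource an injected tag points at, whether its destination is public. The following guard is an added example (not from the talk or the linked write-up); the EC2 metadata addresses are the real ones, the resolver stub used when testing is constructed.

```python
"""Outbound-URL guard for a server-side HTML-to-PDF renderer.

Added example, not from the talk. The renderer fetches <iframe>/<img>
sources on the user's behalf, so every URL is resolved and checked against
internal ranges BEFORE the fetch; otherwise HTML injection becomes SSRF to
the EC2 instance metadata service (IMDS).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Explicit blocks on top of ipaddress' is_private/is_loopback/is_link_local.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),  # IMDS, IPv4
    ipaddress.ip_network("fd00:ec2::254/128"),   # IMDS, IPv6
    ipaddress.ip_network("100.64.0.0/10"),       # shared address space (CGNAT)
]


def default_resolver(host):
    """Resolve a hostname to every address it has, both families."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url, resolver=default_resolver):
    """True only if the URL is http(s) and every resolved address is public.

    Deciding on resolved addresses rather than the hostname string closes the
    usual bypasses (decimal/hex IP encodings, IPv4-mapped IPv6, DNS names
    pointing at 169.254.169.254). Any resolver failure fails closed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                       # file://, gopher://, no host
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                     # not a literal IP: resolve it
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (OSError, ValueError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped        # ::ffff:169.254.169.254 -> IPv4
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return False
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True
```

The guard is one layer only; it does not stop redirects to internal addresses after the first hop, so the HTTP client used for the fetch should also refuse to follow redirects or re-check each hop.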

Slide 19

Intrusion Techniques in AWS Environment
1. Initial Access
• Misconfiguration of AWS Resources
  • Retrieve Sensitive Information from S3 Bucket
  • Tampering with the API Gateway's API
→ Obtaining Confidential Information

Slide 20

Intrusion Techniques in AWS Environment
Ex: [Information Disclosure] S3 Bucket Public Access
https://hackerone.com/reports/1021906

Slide 21

Intrusion Techniques in AWS Environment
1. Initial Access
• Phishing and Malware Infections
  • Sending malicious attachments via email to infect recipients with malware
  • Sending malicious URLs via email to lure victims onto fake web sites
→ Obtaining Confidential Information

Slide 22

Intrusion Techniques in AWS Environment
Ex: AWS Login Page Phishing
Fake URL: 「hxxps://aws1-console-login.us/login/」
Fake Web Page →

Slide 23

Intrusion Techniques in AWS Environment
Summary: 1. Initial Access
• Actions of the Attacker
  • Vulnerability Attacks
  • Leakage from Misconfiguration
  • Phishing and Malware Infections
  • Others
    • Obtain any information on the Internet
      • (GitHub, Internet Archive, Dark Web, ...)
    • Physical office intrusion into the company network
    • Gathering information through an inside job

Slide 24

Intrusion Techniques in AWS Environment
After Initial Access
• Research
  • Investigation of IAM Permissions Obtained
    • Tools: Pace, …
  • IAM Privilege Elevation
  • Tampering with AWS Resources
• Misuse
  • Extraction of Confidential Information
  • Misuse of AWS Services and Resources

Slide 25

3. Security Measures in Cloud Environment

Slide 26

Security Measures in Cloud Environment
Security Measures from an Attacker's Perspective
1. Understand what counts as “Sensitive Information” in the Cloud Environment
2. Assume a variety of External and Internal threats
3. Implement Security Measures for each target
4. Implement Defense in Depth to minimize damage in the event of an initial intrusion

Slide 27

Security Measures in Cloud Environment
Keywords
• Defense in Depth
  • Three Areas:
    • Entrance Measures → Internal Measures → Exit Measures
  • Cloud Environment (MITRE ATT&CK):
    • Initial Invasion → Research → Misuse
• Attack Surface
  • Cloud Environment for External use
  • Cloud Environment for Internal use
  • People dealing with Cloud Environments
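One concrete "internal measure" for the EC2 metadata case in section 2 is to verify that every instance requires IMDSv2, so that a token-less GET issued through an SSRF returns nothing. The audit below is an added example (not from the talk); it reads the JSON shape returned by `aws ec2 describe-instances`, whose field names are the real EC2 API's, while the instance IDs and settings are constructed.

```python
"""Flag EC2 instances whose metadata service still accepts IMDSv1.

Added example, not from the talk. Input is the JSON returned by
`aws ec2 describe-instances`; the three instances below are constructed.
With HttpTokens=required, IMDS answers only requests carrying a session
token obtained via PUT, which a plain GET through an SSRF cannot supply.
"""
import json

# Constructed sample: one unhardened instance, one with a wide hop limit,
# one with the endpoint disabled entirely.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0123456789abcdef0",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0123456789abcdef1",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0123456789abcdef2",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "disabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    ]}]
})


def audit_imds(describe_instances_json, max_hop_limit=1):
    """Return {instance_id: [finding, ...]} for instances that need review.

    - HttpTokens != "required": IMDSv1 (token-less GET) is still accepted.
    - HttpPutResponseHopLimit > max_hop_limit: token responses may travel
      beyond the instance's own network stack (e.g. into containers).
    Instances with HttpEndpoint disabled have no IMDS to reach and are skipped.
    """
    findings = {}
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                problems.append("hop limit %d > %d" % (hops, max_hop_limit))
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings
```

For hosts that legitimately run containers needing IMDS, pass the approved hop limit as `max_hop_limit` instead of accepting the default of 1.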

Slide 28

4. Summary

Slide 29

Attacker Perspective on Cloud Environments
Attacker's Main Objective
• Final Goal
  • Obtaining Confidential Information
    • Customer Information, Employee Information, Company Information, …
    • AWS: S3, RDS, DynamoDB, EBS, EFS, Secrets Manager, …
  • Misuse of AWS Resources
    • Mining, Malware Distribution, DoS Attack, …
    • AWS: EC2, Lambda, S3, Fargate, …
  • Negative Business Impact
    • Suspension of Service, Repair Cost, Impression Manipulation, Stock Prices, …
• Initial Objectives
  • Obtain credentials for AWS, APIs, etc.

Slide 30

Intrusion Techniques in AWS Environment
1. Initial Access
• Main Targets
  • Services Provided
    • Web Site, Mobile App, API, Server, …
    • (Threats: Vulnerability Attacks)
  • Company Employee
    • PC, Server, Mobile, …
    • (Threats: Phishing, Malware Infections)
  • Affiliated Company
    • (Threats: Supply Chain Attacks)

Slide 31

My Blog & Slides (Japanese)
Topic: Cloud Security
• Pitfalls of Lambda - Dangers and Security Measures due to Vulnerable Libraries
• Serverless Security Risks - Vulnerability Attacks and Countermeasures in AWS Lambda
• Security risks and countermeasures due to vulnerable use of Amazon S3
• CTF Cloud Issue Attack Methodology Summary (2021, 2022, 2023 Edition)
• HTB Cloud Issue Attack Methodology Summary
• Amazon EC2 Security (Vulnerability) Case Study
• MFA Authentication Evasion and Examples of AWS Login by Phishing
• Introduction to Cloud Security from an Offensive Perspective ~AWS Edition~
• ⭐ Introduction to Cloud Security - Threats and Countermeasures when Focusing on the AWS Environment from an Offensive Perspective
https://scgajge12.github.io/tags/cloud/

Slide 32

Thank you for listening!