Threats and Countermeasures in AWS Environments from an Attacker’s Perspective Yuta Morioka (@scgajge12) AWS Community Builder (Security & Identity) 2024/08/25

Self-Introduction • Name: Yuta Morioka • morioka12 (@scgajge12) • Job: Security Engineer in Japan • GMO Cybersecurity by Ierae, Inc. • AWS title: AWS Community Builder • Security & Identity Builder since 2024 • My favorite AWS Services: • Amazon S3, AWS Lambda 2 https://scgajge12.github.io/

Relationship with JAWS-US 1. May. 2022: • Security-JAWS #25 Speaker 2. Oct. 2022: • JAWS DAYS 2022 Speaker 3. Aug. 2023: • Security-JAWS #30 CTF Organizer 4. Mar. 2024: • JAWS DAYS 2024 Speaker 5. Aug. 2024: (now) • JAWS PANKRATION 2024 Speaker 3

Agenda (15 minutes) 1. Attacker's Perspective on the Enterprise Cloud Environment 2. Attackers' Intrusion Techniques in AWS Environment 3. Security Measures in Cloud Environment 4. Summary 4

1. A=acker's Perspec?ve on the Enterprise Cloud Environment 5

Common Threats in Cloud Environment Main Causes • Misconfigure, Improper Identity Management • Vulnerable Applications and APIs Major Threats • Leakage of Customer or Internal Information • Tampering with Programs or Data or AWS Resource 6

ADacker PerspecGve on Cloud Environment Attacker’s Main Objective • Final Goal • Obtaining Confidential Information • Customer Information, Employee Information, Company Information, … • AWS: S3, RDS, DynamoDB, EBS, EFS, Secrets Manager, … • Misuse of AWS Resources • Mining, Malware Distribution, DoS Attack, … • AWS: EC2, Lambda, S3, Fargate, … • Negative Business Impact • Suspension of Service, Repair Cost, Impression Manipulation, Stock Prices, … • Initial Objectives • Obtain Credentials for AWS, APIs, etc. 7 Points

Attacker Perspective on Cloud Environment MITRE ATT&CK Framework for Cloud (IaaS) • A Framework for Understanding and Addressing Security Incidents in Cloud Environments . • A framework that categorizes the tactics, techniques, and procedures (TTPs) used in targeted attacks • Targeted Attacks: attacks against specific organizations or individuals • Divides the Attack Lifecycle into 11 Tactics 8

MITRE ATT&CK Framework for Cloud (IaaS) 9 https://attack.mitre.org/matrices/enterprise/cloud/iaas/

MITRE ATT&CK Framework for Cloud (IaaS) 10 Initial Invasion 1. Initial Access 2. Execution Research 3. Persistence 4. Privilege Escalation 5. Defense Evasion 6. Credential Access 7. Discovery 8. Lateral Movement Misuse 9. Collection 10. Exfiltration 11. Impact

2. Attackers' Intrusion Techniques in AWS Environment 11

Intrusion Techniques in AWS Environment 1. Initial Access • Summary • Obtain Credentials (IAM) to break into the AWS Environment • Points • The “Attacker” has an Anything Goes Style. • Wide variety of Attack Methods and Perspectives 12

Intrusion Techniques in AWS Environment 1. Initial Access • Main Targets • Services Provided • Web Site, Mobile App, API, Server, … • (Threats: Vulnerability Attacks) • Company Employee • PC, Server, Mobile, … • (Threats: Phishing, Malware Infections) • Affiliated Company • (Threats: Supply Chain Attacks) 13 Points

Intrusion Techniques in AWS Environment 1. Initial Access • Vulnerability Attacks • For Web Applications and APIs, Mobile, • Obtaining IAM from the EC2 Metadata Server • Obtaining Credential Information from Lambda Environment Variables • Obtain Hard-Coded Credentials for App 14 → Credential Acquisition

Intrusion Techniques in AWS Environment Ex: Obtaining IAM for PDF Generation Functions • Terms • Web App running on EC2 to enter any string and embed it in a PDF • Vulnerability Attacks • HTML Injection • Can embed any HTML tag (iframe) • SSRF (Server Side Request Forgery) • Can be accessed by throwing a request to the Internal Server (metadata service) 15

OWASP Top 10 / API Security Risks: SSRF (Server-Side Request Forgery) OWASP Top 10 – 2021 10th place OWASP Top 10 API Security Risks – 2023 7th place 16 h5ps://owasp.org/Top10/ h5ps://owasp.org/API-Security/

Intrusion Techniques in AWS Environment Ex: Obtaining IAM for PDF Generation Functions • SSRF via HTML Injection inside a PDF file on EC2 17 https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

Intrusion Techniques in AWS Environment Ex: Obtaining IAM for PDF Generation Functions • Attack Payload • 18 ← Generated PDF

Intrusion Techniques in AWS Environment 1. Initial Access • Misconfiguration of AWS Resources • Retrieve Sensitive Information from S3 Bucket • Tampering with the API Gateway's API 19 → Obtaining Confidential Information

Intrusion Techniques in AWS Environment Ex: [Information Disclosure] S3 Bucket Public Access 20 https://hackerone.com/reports/1021906

Intrusion Techniques in AWS Environment 1. Initial Access • Phishing and Malware Infections • Send malicious attachments via Email to infect people with Malware • Sending malicious URLs via Email to force victims to access Fake Web Sites 21 → Obtaining Confidential Information

Intrusion Techniques in AWS Environment Ex: AWS Login Page Phishing 22 Fake URL: 「hxxps://aws1-console-login.us/login/」 Fake Web Page →

Intrusion Techniques in AWS Environment Summary: 1. Initial Access • Actions of the Attacker • Vulnerability Attacks • Leakage from Misconfiguration • Phishing and Malware Infections • Others • Obtain any information on the Internet • (GitHub, Internet Archive, Dark Web, ...) • Physical office intrusion into the company network • Gathering information through an inside job 23

Intrusion Techniques in AWS Environment After Initial Access • Research • Investigation of IAM Permissions Obtained • Tools: Pace, … • IAM Privilege Elevation • Tampering with AWS Resources • Misuse • Extraction of Confidential Information • Misuse of AWS Services and Resources 24

3. Security Measures in Cloud Environment 25

Security Measures in Cloud Environment Security Measures from an Attacker's Perspective 1. Understand “Sensitive Information” in the Cloud Environment 2. Assume a variety of External and Internal threats 3. Implement Security Measures for each target 4. Implement a Defense in Depth to minimize damage in the event of an initial intrusion 26 Points

Security Measures in Cloud Environment Keywords • Defense in Depth • Three Areas: • Entrance Measures → Internal Measures → Exit Measures • Cloud Environment: (MITRE ATT) • Initial Invasion → Research → Misuse • Attack Surface • Cloud Environment for External use • Cloud Environment for Internal use • People dealing with Cloud Environments 27

4. Summary 28

Attacker Perspective on Cloud Environments Attacker’s Main Objective • Final Goal • Obtaining Confidential Information • Customer Information, Employee Information, Company Information, … • AWS: S3, RDS, DynamoDB, EBS, EFS, Secrets Manager, … • Misuse of AWS Resources • Mining, Malware Distribution, DoS Attack, … • AWS: EC2, Lambda, S3, Fargate, … • Negative Business Impact • Suspension of Service, Repair Cost, Impression Manipulation, Stock Prices, … • Initial Objectives • Obtain credentials for AWS, APIs, etc. 29 Points

Intrusion Techniques in AWS Environment 1. Initial Access • Main Targets • Services Provided • Web Site, Mobile App, API, Server, … • (Threats: Vulnerability Attacks) • Company Employee • PC, Server, Mobile, … • (Threats: Phishing, Malware Infections) • Affiliated Company • (Threats: Supply Chain Attacks) 30 Points

My Blog & Slide (Japanese) Topic: Cloud Security • Pitfalls of Lambda - Dangers and Security Measures due to Vulnerable Libraries • Serverless Security Risks - Vulnerability Attacks and Countermeasures in AWS Lambda • Security risks and countermeasures due to vulnerable use of Amazon S3 • CTF Cloud Issue Attack Methodology Summary (2021, 2022, 2023 Edition) • HTB Cloud Issue Attack Methodology Summary • Amazon EC2 Security (Vulnerability) Case Study • MFA Authentication Evasion and Examples of AWS Login by Phishing • Introduction to Cloud Security from an Offensive Perspective ~AWS Edition~ • ⭐ Introduction to Cloud Security - Threats and Countermeasures when Focusing on the AWS Environment from an Offensive Perspective 31 https://scgajge12.github.io/tags/cloud/

Thank you for listening!