Learning from AWS (Customer) Security Incidents

Rami McCarthy
November 14, 2020

Presented at BSidesCT 2020

In light of the increasing adoption of cloud computing, there has been broad coverage of compromises of customer environments in the cloud. In both popular and technical literature, however, the focus has been on the most egregious and simplest breaches (i.e. open S3 buckets). Deeper analysis shows a much broader variety of tactics currently exploited by attackers and researchers to compromise cloud environments.

This talk will, with a focus on AWS, discuss over a dozen different public breaches. We'll walk through the technical details of these attacks, establish the common root causes, look at lessons learned, and establish how you can proactively secure your environment against these real-world risks.


Transcript

  1. Learning from AWS Customer Security Incidents Rami McCarthy @ramimacisabird

  2. Rami McCarthy, Product Security Engineer (Reformed Security Consultant) • AWS Certified Security - Specialty • CCSKv4 • Creator of sadcloud • Contributor to ScoutSuite
  3. • Background • Breaches • Prior Art • Case Studies • Trends • Recommendations
  4. The Cloud (Photo by Kenrick Mills on Unsplash)

  5. None
  6. None
  7. Breaches

  8. Blameless Post-Mortems https://landing.google.com/sre/sre-book/chapters/postmortem-culture

  9. The common cases - S3, ElasticSearch • https://github.com/nagwww/s3-leaks • https://www.upguard.com/breaches
  10. Database Ransomware • AWS services or user managed • Generally, internet exposed with a weak password • BTC ransom • Some examples: ◦ https://mangolassi.it/topic/19664/database-held-for-ransom-anyone-experience-this-before/16 ◦ https://forums.aws.amazon.com/thread.jspa?threadID=249445
  11. Prior Art

  12. None
  13. None
  14. None
  15. None
  16. None
  17. Case Studies

  18. Capital One 2019 | Initial Access: • Misconfigured “firewall” (WAF) • SSRF -> Metadata | Escalation/Persistence: • Over-Privileged EC2 Role | Impact: • 100M+ Credit Card Applications stored in S3 | https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach | 1/19
  19. Code Spaces 2014 | Initial Access: • AWS Console Credentials (Phishing?) | Escalation/Persistence: • Attacker created additional accounts/access keys | Impact: • Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/ | 2/19
  20. DNC Hack by the GRU 2016 | Initial Access: • Unknown, test clusters breached | Escalation/Persistence: • EC2 Snapshots copied to attacker AWS accounts | Impact: • Tableau and Vertica Queries | https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000 | 3/19
  21. DataDog 2016 | Initial Access: • CI/CD AWS access key and SSH private key leaked | Escalation/Persistence: • Attacker attempted to pivot with customer credentials | Impact: • 3 EC2 instances and subset of S3 buckets | https://www.datadoghq.com/blog/2016-07-08-security-notice/ | 4/19
  22. Uber 2016 | Initial Access: • Private GitHub repo with AWS credentials | Escalation/Persistence: • N/A | Impact: • Names and driver’s license numbers of 600k drivers • PII of 57 million users | https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data | https://www.commerce.senate.gov/services/files/7d70e53e-73e9-4336-a100-67b233084f12 | 5/19
  23. OneLogin 2017 | Initial Access: • AWS keys | Escalation/Persistence: • Created EC2 instances | Impact: • Accessed database tables (with encrypted data) | https://www.onelogin.com/blog/may-31-2017-security-incident | 6/19
  24. Politifact 2017 | Initial Access: • “Misconfigured cloud computing server” | Escalation/Persistence: • N/A | Impact: • Coinhive cryptojacking | https://www.washingtonpost.com/news/the-switch/wp/2017/10/13/hackers-have-turned-politifacts-website-into-a-trap-for-your-pc/ | 7/19
  25. LA Times 2018 | Initial Access: • S3 global write access | Escalation/Persistence: • N/A | Impact: • Coinhive cryptojacking added to homicide.latimes.com | https://www.tripwire.com/state-of-security/security-data-protection/la-times-website-cryptojacking-attack/ | 8/19
  26. Tesla 2018 | Initial Access: • Globally exposed Kubernetes console • Pod with AWS credentials | Escalation/Persistence: • N/A | Impact: • Cryptojacking | https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/ | 9/19
  27. Imperva 2018 | Initial Access: • “Internal compute instance” globally accessible • “Contained” AWS API key | Escalation/Persistence: • N/A | Impact: • RDS snapshot stolen | https://www.imperva.com/blog/ceoblog/ | 10/19
  28. Cisco 2018 | Initial Access: • Former employee with AWS access 5 months post-resignation | Escalation/Persistence: • N/A | Impact: • Deleted ~450 EC2 instances | https://www.zdnet.com/article/former-cisco-engineer-pleads-guilty-to-network-damage-wiping-16000-webex-teams-accounts/ | 11/19
  29. JW Player 2019 | Initial Access: • Weave Scope (publicly exposed), RCE by design | Escalation/Persistence: • N/A | Impact: • Cryptojacking | https://medium.com/jw-player-engineering/how-a-cryptocurrency-miner-made-its-way-onto-our-internal-kubernetes-clusters-9b09c4704205 | 12/19
  30. Malindo Air 2019 | Initial Access: • Former employees of an e-commerce provider abused their access | Escalation/Persistence: • N/A | Impact: • 35 million customer records | https://www.infosecurity-magazine.com/news/malindo-air-data-breach-was-inside/ | 13/19
  31. Twilio 2020 | Initial Access: • S3 global write access | Escalation/Persistence: • N/A | Impact: • Magecart | https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020 | 14/19
  32. Magecart and S3 Global Write … interlude | As of July 2019: “the group has managed to compromise a vast collection of S3 buckets to impact well over 17,000 domains” - RiskIQ | https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/
  33. “Behind the scenes in the Expel SOC: Alert-to-fix in AWS” 2020 | Initial Access: • Root IAM user access key compromised | Escalation/Persistence: • SSH keys generated for EC2 instances | Impact: • Cryptojacking | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ | 15/19
  34. “Finding evil in AWS: A key pair to remember” 2020 | Initial Access: • 8 IAM access keys compromised | Escalation/Persistence: • Backdoored security groups | Impact: • Command line access to EC2 instances | https://expel.io/blog/finding-evil-in-aws/ | 16/19
  35. TeamTNT Worm 2020 | Initial Access: • Misconfigured Docker & k8s platforms | Escalation/Persistence: • Steals AWS credentials from ~/.aws/* | Impact: • Cryptojacking for Monero | https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials | 17/19
  36. Cryptomining AMI 2020 | Initial Access: • Windows 2008 Server Community AMI | Escalation/Persistence: • N/A | Impact: • Monero miner | https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713 | 18/19
  37. Mandiant: Insider Threat Scenario 2020 | Initial Access: • Fired employee uses credentials | Escalation/Persistence: • Access CI/CD server, create a new user, steal credentials | Impact: • Deleted production databases | https://www.youtube.com/watch?v=rtEjI_5TPdw | 19/19
  38. Trends

  39. MITRE ATT&CK AWS Matrix https://attack.mitre.org/matrices/enterprise/cloud/aws/

  40. MITRE ATT&CK AWS Matrix

  41. Initial Vectors

  42. Initial Vectors

  43. Recommendations | Metadata Access: • SSDLC • Penetration Testing • IMDSv2 | S3 Global Write: • Access Analyzer for S3* https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html | Malicious AMIs: • Only use trusted sources
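To make the S3 global write recommendation concrete, here is an added example (not code from the talk) that scans bucket policy documents for statements letting any principal create, overwrite or delete objects, the misconfiguration behind the LA Times, Twilio and Magecart cases. The bucket names, policies and VPC id are constructed; in a real account the documents would come from `get_bucket_policy`, and bucket ACL grants to AllUsers/AuthenticatedUsers need a separate check, which Access Analyzer for S3 covers.

```python
# Constructed sample bucket policies (not from the talk). "static-assets" has the
# anonymous-write pattern behind the LA Times / Twilio Magecart injections.
SAMPLE_POLICIES = {
    "static-assets": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::static-assets/*"}]},
    "public-read": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-read/*"}]},
    "vpc-only-write": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:Put*",
         "Resource": "arn:aws:s3:::vpc-only-write/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]},
    "private": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/deployer"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::private/*"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS account or anonymous caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_write(actions):
    """True if any action (wildcards included) can create, overwrite or delete objects."""
    for action in _as_list(actions):
        action = action.lower()
        if action in ("*", "s3:*") or action.startswith(("s3:put", "s3:delete")):
            return True
    return False

def find_global_write(policies):
    """Map bucket name -> "open" (unconditional) or "conditional" (needs review) for
    every bucket whose policy allows an anonymous principal to write objects.
    Only Allow statements are evaluated; Deny / NotPrincipal / NotAction are ignored."""
    findings = {}
    for bucket, doc in policies.items():
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if _is_anonymous(stmt.get("Principal")) and _grants_write(stmt.get("Action", [])):
                severity = "conditional" if stmt.get("Condition") else "open"
                if findings.get(bucket) != "open":
                    findings[bucket] = severity
    return findings
```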
  44. Recommendations | Application Vulnerability: • Asset Inventory • Patch Management • Limit External Exposure | Valid Credential Abuse: • Offboarding • Third party risk • Principle of Least Privilege • Logging/Monitoring ◦ Heuristics ▪ Time ▪ Location ▪ Activity | Valid Credential Theft: • IAM Best Practices ◦ MFA ◦ Key Rotation ◦ Avoid static credentials • Principle of Least Privilege ◦ Cloudsplaining
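An added example (not from the talk) of the time / location / activity heuristics under Logging/Monitoring, run over constructed CloudTrail-style events: each event is scored against a per-key baseline of known source addresses, a business-hours window and a list of API calls that match the escalation steps in the case studies. The event records, access key ids, addresses and the business-hours window are all constructed assumptions.

```python
from datetime import datetime

# Constructed CloudTrail-style events trimmed to the fields used here; not real
# logs from any incident in the talk. Key ids and addresses are placeholders.
EVENTS = [
    {"eventTime": "2020-11-10T14:02:11Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2020-11-11T03:17:45Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2020-11-11T03:18:02Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2020-11-11T10:30:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"}},
]

# Baseline of source addresses each key has been seen from (constructed); in
# practice this is learned from the preceding weeks of CloudTrail history.
KNOWN_SOURCES = {
    "AKIAEXAMPLE0000001": {"203.0.113.10"},
    "AKIAEXAMPLE0000002": {"203.0.113.10"},
}
BUSINESS_HOURS_UTC = range(8, 19)  # 08:00 to 18:59 UTC, an assumed window

# API calls matching the escalation/persistence steps in the case studies:
# extra users and keys (Code Spaces, Mandiant), SSH key pairs and opened
# security groups (the two Expel cases), snapshots shared to another account (DNC).
SENSITIVE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "ImportKeyPair", "CreateKeyPair",
    "AuthorizeSecurityGroupIngress", "ModifySnapshotAttribute",
}

def score_event(event, known_sources=KNOWN_SOURCES):
    """Return the heuristics (time / location / activity) the event trips."""
    reasons = []
    key = event["userIdentity"].get("accessKeyId", "")
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    if when.hour not in BUSINESS_HOURS_UTC:
        reasons.append("time")
    if event["sourceIPAddress"] not in known_sources.get(key, set()):
        reasons.append("location")
    if event["eventName"] in SENSITIVE_ACTIONS:
        reasons.append("activity")
    return reasons

def find_suspicious(events, min_hits=2):
    """Events tripping at least min_hits heuristics; one alone is noisy (night
    deploys, travelling engineers), two or more together rarely are."""
    return [(e["eventName"], e["userIdentity"]["accessKeyId"], score_event(e))
            for e in events if len(score_event(e)) >= min_hits]
```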
  45. https://opensource.salesforce.com/cloudsplaining/#/summary

  46. Thank you! Feel free to track me down in Discord or on Twitter (@ramimacisabird) https://speakerdeck.com/ramimac | Puppy tax
  47. Top 10 Cloud Attack Killchains: 1. Static API Credential Exposure to Account Hijack 2. Compromised Server via Exposed Remote Access Ports 3. Compromised Database via Inadvertent Exposure 4. Object Storage Public Data Exposure 5. Server Side Request Forgery 6. Cryptomining 7. Network Attack 8. Compromised Secrets 9. Novel Cloud Data Exposure and Exfiltration 10. Subdomain Takeover | https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/