
Learning from AWS (Customer) Security Incidents


Presented at BSidesCT 2020

In light of the increasing adoption of cloud computing, there has been broad coverage of compromises of customer environments in the cloud. Both popular and technical literature, however, have focused on the most egregious and simplest breaches (i.e., open S3 buckets). Deeper analysis shows a much broader variety of tactics currently used by attackers and researchers to compromise cloud environments.

This talk will, with a focus on AWS, discuss over a dozen different public breaches. We'll walk through the technical details of these attacks, establish the common root causes, look at lessons learned, and establish how you can proactively secure your environment against these real-world risks.

Rami McCarthy

November 14, 2020

  1. Rami McCarthy
     Product Security Engineer (Reformed Security Consultant)
     • AWS Certified Security, Specialty
     • CCSKv4
     • Creator of sadcloud
     • Contributor to ScoutSuite
  2. Database Ransomware
     • AWS services or user managed
     • Generally, internet exposed with a weak password
     • BTC ransom
     • Some examples:
       ◦ https://mangolassi.it/topic/19664/database-held-for-ransom-anyone-experience-this-before/16
       ◦ https://forums.aws.amazon.com/thread.jspa?threadID=249445
     @ramimacisabird
  3. Capital One 2019
     Initial Access:
     • Misconfigured “firewall” (WAF)
     • SSRF -> Metadata
     Escalation/Persistence:
     • Over-Privileged EC2 Role
     Impact:
     • 100M+ Credit Card Applications stored in S3
     https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach
  4. Code Spaces 2014
     Initial Access:
     • AWS Console Credentials (Phishing?)
     Escalation/Persistence:
     • Attacker created additional accounts/access keys
     Impact:
     • Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots
     https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/
  5. DNC Hack by the GRU 2016
     Initial Access:
     • Unknown, test clusters breached
     Escalation/Persistence:
     • EC2 Snapshots copied to attacker AWS accounts
     Impact:
     • Tableau and Vertica Queries
     https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000
  6. DataDog 2016
     Initial Access:
     • CI/CD AWS access key and SSH private key leaked
     Escalation/Persistence:
     • Attacker attempted to pivot with customer credentials
     Impact:
     • 3 EC2 instances and subset of S3 buckets
     https://www.datadoghq.com/blog/2016-07-08-security-notice/
  7. Uber 2016
     Initial Access:
     • Private Github Repo with AWS credentials
     Escalation/Persistence:
     • N/A
     Impact:
     • Names and driver’s license numbers of 600k drivers
     • PII of 57 million users
     https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
     https://www.commerce.senate.gov/services/files/7d70e53e-73e9-4336-a100-67b233084f12
  8. OneLogin 2017
     Initial Access:
     • AWS keys
     Escalation/Persistence:
     • Created EC2 instances
     Impact:
     • Accessed database tables (with encrypted data)
     https://www.onelogin.com/blog/may-31-2017-security-incident
  9. Politifact 2017
     Initial Access:
     • “Misconfigured cloud computing server”
     Escalation/Persistence:
     • N/A
     Impact:
     • Coinhive cryptojacking
     https://www.washingtonpost.com/news/the-switch/wp/2017/10/13/hackers-have-turned-politifacts-website-into-a-trap-for-your-pc/
  10. LA Times 2018
      Initial Access:
      • S3 global write access
      Escalation/Persistence:
      • N/A
      Impact:
      • Coinhive cryptojacking added to homicide.latimes.com
      https://www.tripwire.com/state-of-security/security-data-protection/la-times-website-cryptojacking-attack/
  11. Tesla 2018
      Initial Access:
      • Globally exposed Kubernetes console
      • Pod with AWS credentials
      Escalation/Persistence:
      • N/A
      Impact:
      • Cryptojacking
      https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/
  12. Imperva 2018
      Initial Access:
      • “Internal compute instance” globally accessible
      • “Contained” AWS API key
      Escalation/Persistence:
      • N/A
      Impact:
      • RDS snapshot stolen
      https://www.imperva.com/blog/ceoblog/
  13. Cisco 2018
      Initial Access:
      • Former employee with AWS access 5 months post-resignation
      Escalation/Persistence:
      • N/A
      Impact:
      • Deleted ~450 EC2 instances
      https://www.zdnet.com/article/former-cisco-engineer-pleads-guilty-to-network-damage-wiping-16000-webex-teams-accounts/
  14. JW Player 2019
      Initial Access:
      • Weave Scope (publicly exposed), RCE by design
      Escalation/Persistence:
      • N/A
      Impact:
      • Cryptojacking
      https://medium.com/jw-player-engineering/how-a-cryptocurrency-miner-made-its-way-onto-our-internal-kubernetes-clusters-9b09c4704205
  15. Malindo Air 2019
      Initial Access:
      • Former employees of an e-commerce provider abused their access
      Escalation/Persistence:
      • N/A
      Impact:
      • 35 million customer records
      https://www.infosecurity-magazine.com/news/malindo-air-data-breach-was-inside/
  16. Twilio 2020
      Initial Access:
      • S3 global write access
      Escalation/Persistence:
      • N/A
      Impact:
      • Magecart
      https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020
  17. Magecart and S3 Global Write … interlude
      As of July 2019: “the group has managed to compromise a vast collection of S3 buckets to impact well over 17,000 domains” - RiskIQ
      https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/
  18. “Behind the scenes in the Expel SOC: Alert-to-fix in AWS” 2020
      Initial Access:
      • Root IAM user access key compromised
      Escalation/Persistence:
      • SSH keys generated for EC2 instances
      Impact:
      • Cryptojacking
      https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
  19. “Finding evil in AWS: A key pair to remember” 2020
      Initial Access:
      • 8 IAM access keys compromised
      Escalation/Persistence:
      • Backdoored security groups
      Impact:
      • Command line access to EC2 instances
      https://expel.io/blog/finding-evil-in-aws/
  20. TeamTNT Worm 2020
      Initial Access:
      • Misconfigured Docker & k8s platforms
      Escalation/Persistence:
      • Steals AWS credentials from ~/.aws/*
      Impact:
      • Cryptojacking for Monero
      https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials
  21. Cryptomining AMI 2020
      Initial Access:
      • Windows 2008 Server Community AMI
      Escalation/Persistence:
      • N/A
      Impact:
      • Monero miner
      https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713
  22. Mandiant: Insider Threat Scenario 2020
      Initial Access:
      • Fired employee uses credentials
      Escalation/Persistence:
      • Access CI/CD server, create a new user, steal credentials
      Impact:
      • Deleted production databases
      https://www.youtube.com/watch?v=rtEjI_5TPdw
  23. Recommendations
      Metadata Access:
      • SSDLC
      • Penetration Testing
      • IMDSv2
      S3 Global Write:
      • Access Analyzer for S3* https://docs.aws.amazon.com/AmazonS3/latest/user-guide/access-analyzer.html
      Malicious AMIs:
      • Only use trusted sources
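An added example (not from the deck) of what the "S3 Global Write" row is checking for: an offline audit of a bucket ACL and bucket policy that flags grants letting anyone write, the misconfiguration behind the LA Times and Twilio slides. The ACL and policy documents are constructed, and the function names are my own.

```python
import fnmatch
import json
# Constructed example: flag an S3 bucket whose ACL or bucket policy lets anyone write,
# the "S3 global write" root cause on the LA Times and Twilio slides. Runs offline.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:putbucketacl")
def _as_list(v):
    return v if isinstance(v, list) else [v]

def acl_global_write(acl):
    """ACL permissions granted to AllUsers/AuthenticatedUsers that allow writes."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ACL_WRITE]

def _everyone(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def policy_global_write(policy_json):
    """Sids of unconditional Allow statements giving any principal a write action.
    Statements carrying a Condition are skipped: they need a human review, not an auto-flag."""
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition") or not _everyone(st.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]  # IAM actions may use *
        if any(fnmatch.fnmatchcase(w, p) for p in patterns for w in WRITE_ACTIONS):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def global_write_findings(acl, policy_json=None):
    """Combined findings; an empty list means no world-writable grant was found."""
    findings = ["acl:" + p for p in acl_global_write(acl)]
    if policy_json:
        findings += ["policy:" + s for s in policy_global_write(policy_json)]
    return findings

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {"Grants": [  # constructed, shaped like boto3 get_bucket_acl()["Grants"]
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [  # constructed policy
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicPut", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Against live buckets the same two functions take the output of boto3's get_bucket_acl() and get_bucket_policy(); Access Analyzer for S3 performs this evaluation (including conditions) as a managed service.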
  24. Recommendations
      Application Vulnerability:
      • Asset Inventory
      • Patch Management
      • Limit External Exposure
      Valid Credential Abuse:
      • Offboarding
      • Third party risk
      • Principle of Least Privilege
      • Logging/Monitoring
        ◦ Heuristics
          ▪ Time
          ▪ Location
          ▪ Activity
      Valid Credential Theft:
      • IAM Best Practices
        ◦ MFA
        ◦ Key Rotation
        ◦ Avoid static credentials
      • Principle of Least Privilege
        ◦ Cloudsplaining
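An added example (not from the deck) of the Time / Location / Activity heuristics under Logging/Monitoring, applied to CloudTrail records: the activity signatures are the escalation/persistence steps that recur on the incident slides (new users and access keys, root credential use, SSH key pairs added, security groups opened to the world). The baselines, event records and helper names are constructed assumptions; field names follow the CloudTrail record format.

```python
import json
from datetime import datetime

# Constructed example, not from the talk: the Time / Location / Activity heuristics
# from the slide applied to CloudTrail records. Baselines and events are made up;
# field names follow the CloudTrail record format.
KNOWN_REGIONS = {"us-east-1"}          # location baseline: regions the account really uses
BUSINESS_HOURS = range(8, 19)          # time baseline (UTC hours) for human-driven changes
# activity baseline: API calls matching the escalation/persistence steps in the incidents
PERSISTENCE = {"CreateUser": "new IAM user", "CreateAccessKey": "new static key",
               "CreateKeyPair": "new EC2 SSH key", "ImportKeyPair": "new EC2 SSH key"}

def _sg_opened_to_world(ev):
    # "backdoored security groups": an ingress rule whose CIDR is 0.0.0.0/0 (coarse substring match)
    return (ev["eventName"] == "AuthorizeSecurityGroupIngress"
            and "0.0.0.0/0" in json.dumps(ev.get("requestParameters") or {}))

def score_event(ev):
    """Heuristic labels an event trips; an empty list means nothing looked unusual."""
    flags = []
    hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in BUSINESS_HOURS:
        flags.append("time:outside-business-hours")
    if ev.get("awsRegion") not in KNOWN_REGIONS:
        flags.append("location:unexpected-region")
    if ev.get("userIdentity", {}).get("type") == "Root":
        flags.append("activity:root-credential-use")   # Expel SOC case: root access key
    if ev["eventName"] in PERSISTENCE:
        flags.append("activity:" + PERSISTENCE[ev["eventName"]])
    if _sg_opened_to_world(ev):
        flags.append("activity:security-group-opened-to-world")
    return flags

def triage(events):
    """Map eventID -> flags for every event that trips at least one heuristic."""
    return {ev["eventID"]: score_event(ev) for ev in events if score_event(ev)}

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields used above
    {"eventID": "e1", "eventTime": "2020-11-10T14:03:00Z", "awsRegion": "us-east-1",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e2", "eventTime": "2020-11-10T03:41:00Z", "awsRegion": "ap-southeast-1",
     "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"}},
    {"eventID": "e3", "eventTime": "2020-11-10T09:15:00Z", "awsRegion": "us-east-1",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
         "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]
```

Events that trip several heuristics at once (e2: off-hours, unknown region, root, new key) are the ones worth paging on; single-flag hits like e3 are better routed to a change-review queue.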
  25. Thank you!
      Feel free to track me down in Discord or on Twitter: @ramimacisabird
      https://speakerdeck.com/ramimac
      Puppy tax
  26. Top 10 Cloud Attack Killchains
      1. Static API Credential Exposure to Account Hijack
      2. Compromised Server via Exposed Remote Access Ports
      3. Compromised Database via Inadvertent Exposure
      4. Object Storage Public Data Exposure
      5. Server Side Request Forgery
      6. Cryptomining
      7. Network Attack
      8. Compromised Secrets
      9. Novel Cloud Data Exposure and Exfiltration
      10. Subdomain Takeover
      https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/