Learning from AWS (Customer) Security Incidents

Learning from AWS Customer
Security Incidents
Rami McCarthy @ramimacisabird

View Slide

Rami McCarthy
Product Security Engineer
(Reformed Security Consultant)
● AWS Certified Security, Specialty
● CCSKv4
Creator of sadcloud Contributor to ScoutSuite

View Slide

● Background
● Breaches
● Prior Art
● Case Studies
● Trends
● Recommendations

View Slide

Photo by Kenrick Mills on Unsplash
The Cloud

View Slide

View Slide

Breaches

View Slide

Blameless Post-Mortems
https://landing.google.com/sre/sre-book/chapters/postmortem-culture

View Slide

The common cases - S3, ElasticSearch
● https://github.com/nagwww/s3-leaks
● https://www.upguard.com/breaches
@ramimacisabird

View Slide

Database Ransomware
● AWS services or user managed
● Generally, internet exposed with a weak password
● BTC ransom
● Some examples:
○ https://mangolassi.it/topic/19664/database-held-for-ransom-a
nyone-experience-this-before/16
○ https://forums.aws.amazon.com/thread.jspa?threadID=249445
@ramimacisabird

View Slide

Prior Art

View Slide

View Slide

Case Studies

View Slide

Capital One
2019
Initial Access:
● Misconfigured “firewall” (WAF)
● SSRF -> Metadata
Escalation/Persistence:
● Over-Privileged EC2 Role
Impact:
● 100M+ Credit Card Applications
stored in S3
https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach
@ramimacisabird
1/19

View Slide

Code Spaces
2014
Initial Access:
● AWS Console Credentials
(Phishing?)
● Attacker created additional
accounts/access keys
Impact:
● Wiped S3 buckets, EC2 instances,
AMIs, EBS snapshots
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/
@ramimacisabird
2/19

View Slide

DNC Hack by the
GRU
2016
Initial Access:
● Unknown, test clusters breached
● EC2 Snapshots copied to attacker
AWS accounts
Impact:
● Tableau and Vertica Queries
https://www.politico.com/f/?id=00000168-6161-de11-af7d-ef7327ea0000
@ramimacisabird
3/19

View Slide

DataDog
2016
Initial Access:
● CI/CD AWS access key and SSH
private key leaked
● Attacker attempted to pivot with
customer credentials
Impact:
● 3 EC2 instances and subset of S3
buckets
https://www.datadoghq.com/blog/2016-07-08-security-notice/
@ramimacisabird
4/19

View Slide

Uber
2016
Initial Access:
● Private Github Repo with AWS
credentials
● N/A
Impact:
● Names and driver’s license numbers
of 600k drivers
● PII of 57 million users
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-pe
ople-s-data
https://www.commerce.senate.gov/services/files/7d70e53e-73e9-4336-a100-67b233084f12
@ramimacisabird
5/19

View Slide

OneLogin
2017
Initial Access:
● AWS keys
● Created EC2 instances
Impact:
● Accessed database tables (with
encrypted data)
https://www.onelogin.com/blog/may-31-2017-security-incident
@ramimacisabird
6/19

View Slide

Politifact
2017
Initial Access:
● “Misconfigured cloud computing
server”
● N/A
Impact:
● Coinhive cryptojacking
https://www.washingtonpost.com/news/the-switch/wp/2017/10/13/hackers-have-turned-politifacts-website-in
to-a-trap-for-your-pc/
@ramimacisabird
7/19

View Slide

LA Times
2018
Initial Access:
● S3 global write access
● N/A
Impact:
● Coinhive cryptojacking added to
homicide.latimes.com
https://www.tripwire.com/state-of-security/security-data-protection/la-times-website-cryptojacking-attack/
@ramimacisabird
8/19

View Slide

Tesla
2018
Initial Access:
● Globally exposed Kubernetes
console
● Pod with AWS credentials
● N/A
Impact:
● Cryptojacking
https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/
@ramimacisabird
9/19

View Slide

Imperva
2018
Initial Access:
● “Internal compute instance”
globally accessible
● “Contained” AWS API key
● N/A
Impact:
● RDS snapshot stolen
https://www.imperva.com/blog/ceoblog/
@ramimacisabird
10/19

View Slide

Cisco
2018
Initial Access:
● Former employee with AWS access 5
months post-resignation
● N/A
Impact:
● Deleted ~450 EC2 instances
https://www.zdnet.com/article/former-cisco-engineer-pleads-guilty-to-network-damage-wiping-16000-webex-tea
ms-accounts/
@ramimacisabird
11/19

View Slide

JW Player
2019
Initial Access:
● Weave Scope (publicly exposed),
RCE by design
● N/A
Impact:
● Cryptojacking
https://medium.com/jw-player-engineering/how-a-cryptocurrency-miner-made-its-way-onto-our-internal-kuber
netes-clusters-9b09c4704205
@ramimacisabird
12/19

View Slide

Malindo Air
2019
Initial Access:
● Former employees for an
e-commerce provider abused their
access
● N/A
Impact:
● 35 million customer records
https://www.infosecurity-magazine.com/news/malindo-air-data-breach-was-inside/
@ramimacisabird
13/19

View Slide

Twilio
2020
Initial Access:
● S3 global write access
● N/A
Impact:
● Magecart
https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020
@ramimacisabird
14/19

View Slide

Magecart and S3 Global Write … interlude
As of July 2019:
“the group has managed to compromise a vast collection
of S3 buckets to impact well over 17,000 domains”
- RiskIQ
https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/

View Slide

“Behind the scenes
in the Expel SOC:
Alert-to-fix in
AWS”
2020
Initial Access:
● Root IAM user access key
compromised
● SSH keys generated for EC2
instances
Impact:
● Cryptojacking
https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/
@ramimacisabird
15/19

View Slide

2020
“Finding evil in
AWS: A key pair to
remember”
Initial Access:
● 8 IAM access keys compromised
● Backdoored security groups
Impact:
● Command line access to EC2
instances
https://expel.io/blog/finding-evil-in-aws/
@ramimacisabird
16/19

View Slide

TeamTNT Worm
2020
Initial Access:
● Misconfigured Docker & k8s
platforms
● Steals AWS credentials from
~/.aws/*
Impact:
● Cryptojacking for Monero
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials
@ramimacisabird
17/19

View Slide

Cryptomining
AMI
2020
Initial Access:
● Windows 2008 Server Community
AMI
● N/A
Impact:
● Monero miner
https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713
@ramimacisabird
18/19

View Slide

2020
Mandiant: Insider
Threat Scenario
Initial Access:
● Fired employee uses credentials
● Access CI/CD server, create a new
user, steal credentials
Impact:
● Deleted production databases
https://www.youtube.com/watch?v=rtEjI_5TPdw
@ramimacisabird
19/19

View Slide

Trends

View Slide

Mitre Att&ck AWS Matrix
https://attack.mitre.org/matrices/enterprise/cloud/aws/

View Slide

Mitre Att&ck AWS Matrix

View Slide

Initial Vectors
@ramimacisabird
+

View Slide

Recommendations
● SSDLC
● Penetration Testing
● IMDSv2
Metadata Access
● Access Analyzer for S3*
https://docs.aws.amazon.com/AmazonS3
/latest/user-guide/access-analyzer.html
S3 Global Write
● Only use trusted
sources
Malicious AMIs
@ramimacisabird

View Slide

Recommendations
● Asset Inventory
● Patch Management
● Limit External
Exposure
Application Vulnerability
● Offboarding
● Third party risk
● Principle of Least
Privilege
● Logging/Monitoring
○ Heuristics
■ Time
■ Location
■ Activity
Valid Credential Abuse
● IAM Best Practices
○ MFA
○ Key Rotation
○ Avoid static
credentials
● Principle of Least
Privilege
○ Cloudsplaining
Valid Credential Theft
@ramimacisabird

View Slide

https://opensource.salesforce.com/cloudsplaining/#/summary
@ramimacisabird

View Slide

@ramimacisabird
Thank you!
Feel free to track me
down in Discord or
on Twitter
https://speakerdeck.com/ramimac
Puppy tax

View Slide

Top 10 Cloud Attack Killchains
1. Static API Credential Exposure to Account Hijack
2. Compromised Server via Exposed Remote Access Ports
3. Compromised Database via Inadvertent Exposure
4. Object Storage Public Data Exposure
5. Server Side Request Forgery
6. Cryptomining
7. Network Attack
8. Compromised Secrets
9. Novel Cloud Data Exposure and Exfiltration
10. Subdomain Takeover
https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
@ramimacisabird

View Slide

Learning from AWS (Customer) Security Incidents

Learning from AWS (Customer) Security Incidents

Rami McCarthy

More Decks by Rami McCarthy

Other Decks in Technology

Featured

Transcript