

Threats and Countermeasures in AWS Environments from an Attacker’s Perspective

These are the presentation slides from "JAWS PANKRATION 2024".
- https://jawspankration2024.jaws-ug.jp/

morioka12

August 24, 2024


Transcript

  1. Threats and Countermeasures in AWS Environments from an Attacker’s Perspective
     Yuta Morioka (@scgajge12), AWS Community Builder (Security & Identity), 2024/08/25

  2. Self-Introduction
     • Name: Yuta Morioka, morioka12 (@scgajge12)
     • Job: Security Engineer in Japan, GMO Cybersecurity by Ierae, Inc.
     • AWS title: AWS Community Builder (Security & Identity Builder since 2024)
     • My favorite AWS services: Amazon S3, AWS Lambda
     https://scgajge12.github.io/

  3. Relationship with JAWS-UG
     1. May 2022: Security-JAWS #25 Speaker
     2. Oct 2022: JAWS DAYS 2022 Speaker
     3. Aug 2023: Security-JAWS #30 CTF Organizer
     4. Mar 2024: JAWS DAYS 2024 Speaker
     5. Aug 2024 (now): JAWS PANKRATION 2024 Speaker

  4. Agenda (15 minutes)
     1. Attacker's Perspective on the Enterprise Cloud Environment
     2. Attackers' Intrusion Techniques in AWS Environment
     3. Security Measures in Cloud Environment
     4. Summary

  5. Common Threats in Cloud Environment
     • Main Causes
       • Misconfiguration, Improper Identity Management
       • Vulnerable Applications and APIs
     • Major Threats
       • Leakage of Customer or Internal Information
       • Tampering with Programs, Data or AWS Resources

  6. Attacker Perspective on Cloud Environment
     • Attacker’s Main Objective
       • Final Goal
         • Obtaining Confidential Information
           • Customer Information, Employee Information, Company Information, …
           • AWS: S3, RDS, DynamoDB, EBS, EFS, Secrets Manager, …
         • Misuse of AWS Resources
           • Mining, Malware Distribution, DoS Attack, …
           • AWS: EC2, Lambda, S3, Fargate, …
         • Negative Business Impact
           • Suspension of Service, Repair Cost, Impression Manipulation, Stock Prices, …
       • Initial Objectives
         • Obtain Credentials for AWS, APIs, etc.

  7. Attacker Perspective on Cloud Environment: MITRE ATT&CK Framework for Cloud (IaaS)
     • A framework for understanding and addressing security incidents in cloud environments
     • A framework that categorizes the tactics, techniques, and procedures (TTPs) used in targeted attacks
       • Targeted attacks: attacks against specific organizations or individuals
     • Divides the attack lifecycle into 11 tactics

  8. MITRE ATT&CK Framework for Cloud (IaaS)
     • Initial Invasion
       1. Initial Access
       2. Execution
     • Research
       3. Persistence
       4. Privilege Escalation
       5. Defense Evasion
       6. Credential Access
       7. Discovery
       8. Lateral Movement
     • Misuse
       9. Collection
       10. Exfiltration
       11. Impact

  9. Intrusion Techniques in AWS Environment: 1. Initial Access
     • Summary
       • Obtain credentials (IAM) to break into the AWS environment
     • Points
       • The “attacker” has an anything-goes style
       • Wide variety of attack methods and perspectives

  10. Intrusion Techniques in AWS Environment: 1. Initial Access
      • Main Targets
        • Services Provided: Web Site, Mobile App, API, Server, … (Threats: Vulnerability Attacks)
        • Company Employee: PC, Server, Mobile, … (Threats: Phishing, Malware Infections)
        • Affiliated Company (Threats: Supply Chain Attacks)

  11. Intrusion Techniques in AWS Environment: 1. Initial Access
      • Vulnerability Attacks → Credential Acquisition
        • Against web applications and APIs, mobile apps, …
        • Obtaining IAM credentials from the EC2 metadata server
        • Obtaining credential information from Lambda environment variables
        • Obtaining hard-coded credentials from an app

  12. Intrusion Techniques in AWS Environment: Ex: Obtaining IAM for PDF Generation Functions
      • Preconditions
        • Web app running on EC2 that lets a user enter any string and embeds it in a PDF
      • Vulnerability Attacks
        • HTML Injection: any HTML tag (e.g. iframe) can be embedded
        • SSRF (Server-Side Request Forgery): the app can be made to send a request to an internal server (the metadata service)

  13. OWASP Top 10 / API Security Risks: SSRF (Server-Side Request Forgery)
      • OWASP Top 10 – 2021: 10th place (https://owasp.org/Top10/)
      • OWASP Top 10 API Security Risks – 2023: 7th place (https://owasp.org/API-Security/)

  14. Intrusion Techniques in AWS Environment: Ex: Obtaining IAM for PDF Generation Functions
      • SSRF via HTML injection inside a PDF file on EC2
        https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

  15. Intrusion Techniques in AWS Environment: Ex: Obtaining IAM for PDF Generation Functions
      • Attack Payload
        <iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME-HERE"></iframe>
      • [Screenshot: generated PDF]

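The two countermeasures for the PDF-generation case on slides 12-15 are to treat the user's string as text rather than markup, and to stop the renderer from fetching anything in the metadata, loopback or private ranges, whatever form the address takes. The following is an added example and not code from the slides or from the referenced blog post; the function names, the blocked address list and the sample URLs are assumptions made for this example.

```python
import html
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not from the slides). (1) escape_for_pdf() neutralises HTML
# injection so an injected <iframe> never becomes a fetch instruction;
# (2) check_fetch_target() rejects fetch destinations that land in metadata,
# loopback or private ranges, checking every resolved address, not the string.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # link-local; IMDS is 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback / "this host"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # shared address space (CGNAT)
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]


def escape_for_pdf(user_string):
    """Escape <, >, &, and quotes so user input is rendered as literal text."""
    return html.escape(user_string, quote=True)


def _to_ip(value):
    """Normalise a resolver result or literal to an ip_address object."""
    return ipaddress.ip_address(str(value).split("%")[0])  # drop IPv6 scope id


def _is_blocked(ip):
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) is judged as its IPv4 form
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _literal_ip(host):
    """Recognise dotted IPv4, bracketed IPv6 and the decimal form
    ("2852039166" is 169.254.169.254) that defeats naive string matching."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None


def default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_fetch_target(url, resolver=default_resolver):
    """Return (allowed, reason). Every address the host resolves to must be
    outside BLOCKED_NETWORKS, so a hostname pointing at IMDS is rejected too."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = _literal_ip(host)
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [_to_ip(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, "cannot resolve %s: %s" % (host, exc)
        if not addresses:
            return False, "no addresses for %s" % host
    for addr in addresses:
        if _is_blocked(addr):
            return False, "destination %s is in a blocked range" % addr
    return True, "ok"


if __name__ == "__main__":
    print(escape_for_pdf('<iframe src="http://169.254.169.254/"></iframe>'))
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"):
        print(u, check_fetch_target(u))
```

The resolver is injectable so the check can be unit-tested offline and so the address actually handed to the HTTP client can be pinned; hostnames that merely spell the address differently (hexadecimal, octal, "127.1") fall through to resolution and are caught there. On the instance side, requiring IMDSv2 (session tokens via a PUT request with a hop limit) is the complementary control, since a rendered iframe issues a plain GET.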
  16. Intrusion Techniques in AWS Environment: 1. Initial Access
      • Misconfiguration of AWS Resources → Obtaining Confidential Information
        • Retrieving sensitive information from an S3 bucket
        • Tampering with the API Gateway's API

  17. Intrusion Techniques in AWS Environment: Ex: [Information Disclosure] S3 Bucket Public Access
      https://hackerone.com/reports/1021906

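A defender's counterpart to the S3 public-access case on slides 16-17 is to evaluate the bucket policy together with the bucket's Public Access Block settings. The following is an added example, not code from the slides or the HackerOne report; the function names and the sample policy are constructed, and the check is deliberately narrower than AWS's own "public" evaluation (it ignores ACLs and treats any Condition as needing the fuller analysis).

```python
import json

# Added example (not from the slides). Flags bucket-policy statements that
# grant anonymous access unconditionally, then combines the result with the
# Public Access Block configuration, since RestrictPublicBuckets=true
# neutralises a public bucket policy.


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" and {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return the Allow statements that grant anonymous access with no Condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need the fuller AWS public evaluation
        findings.append({
            "Sid": stmt.get("Sid", "<no Sid>"),
            "Action": _as_list(stmt.get("Action")),
            "Resource": _as_list(stmt.get("Resource")),
        })
    return findings


def block_public_access_complete(config):
    """True when all four Public Access Block settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


def evaluate_bucket(policy, public_access_block):
    """A policy finding is only exposed when RestrictPublicBuckets is off."""
    findings = public_statements(policy)
    shielded = public_access_block.get("RestrictPublicBuckets") is True
    return {
        "public_statements": findings,
        "exposed": bool(findings) and not shielded,
        "block_public_access_complete": block_public_access_complete(public_access_block),
    }


# Constructed sample: two anonymous grants, one org-scoped grant, one TLS-only deny
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ListForAnyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
OPEN_BUCKET = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SHIELDED_BUCKET = {k: True for k in OPEN_BUCKET}

if __name__ == "__main__":
    print(json.dumps(evaluate_bucket(SAMPLE_POLICY, OPEN_BUCKET), indent=2))
```

In practice the policy document comes from `GetBucketPolicy` and the block settings from `GetPublicAccessBlock`; the point of keeping the evaluation separate from the API calls is that the same logic can run over exported inventories or infrastructure-as-code before anything is deployed.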
  18. Intrusion Techniques in AWS Environment: 1. Initial Access
      • Phishing and Malware Infections → Obtaining Confidential Information
        • Sending malicious attachments via email to infect people with malware
        • Sending malicious URLs via email to lure victims to fake web sites

  19. Intrusion Techniques in AWS Environment: Ex: AWS Login Page Phishing
      • Fake URL: 「hxxps://aws1-console-login.us/login/」
      • [Screenshot: fake web page]

  20. Intrusion Techniques in AWS Environment: Summary: 1. Initial Access
      • Actions of the Attacker
        • Vulnerability Attacks
        • Leakage from Misconfiguration
        • Phishing and Malware Infections
        • Others
          • Obtaining any information available on the Internet (GitHub, Internet Archive, Dark Web, …)
          • Physical office intrusion into the company network
          • Gathering information through an inside job

  21. Intrusion Techniques in AWS Environment: After Initial Access
      • Research
        • Investigation of the IAM permissions obtained (Tools: Pacu, …)
        • IAM privilege elevation
        • Tampering with AWS resources
      • Misuse
        • Extraction of confidential information
        • Misuse of AWS services and resources

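The "Research" step on slide 21 is also the defender's best detection opportunity: a freshly obtained key typically fires a burst of read-only discovery calls across many services within minutes. The following is an added example, not code from the slides; it runs detection logic over CloudTrail-style records (the field names match CloudTrail, while the threshold, window and SAMPLE_EVENTS are constructed) and flags any access key whose distinct List*/Describe*/Get* calls in a short window reach a threshold.

```python
from datetime import datetime

# Added example (not from the slides): flag access keys performing a burst of
# enumeration calls. Window, threshold and sample records are constructed.
ENUMERATION_PREFIXES = ("List", "Describe", "Get")


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_bursts(events, window_seconds=300, min_distinct_apis=5):
    """Return one finding per access key whose distinct enumeration calls
    inside any window_seconds-long window reach min_distinct_apis."""
    by_key = {}
    for ev in events:
        if not ev.get("eventName", "").startswith(ENUMERATION_PREFIXES):
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
        by_key.setdefault(key, []).append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted events
            while (_ts(evs[end]) - _ts(evs[start])).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            apis = sorted({e["eventSource"] + ":" + e["eventName"] for e in window})
            if len(apis) >= min_distinct_apis:
                findings.append({
                    "accessKeyId": key,
                    "sourceIPAddresses": sorted({e["sourceIPAddress"] for e in window}),
                    "apis": apis,
                    "first": window[0]["eventTime"],
                    "last": window[-1]["eventTime"],
                })
                break  # one finding per key is enough to raise an alert
    return findings


def _event(time, source, name, key, ip):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip}


# Constructed sample: a stolen key enumerating from one address, plus a
# normal key whose reads are spread out (example key ids are not real)
SAMPLE_EVENTS = [
    _event("2024-08-25T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:00:12Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:00:20Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:00:41Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:01:03Z", "secretsmanager.amazonaws.com", "ListSecrets", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:01:15Z", "iam.amazonaws.com", "GetUser", "AKIAEXAMPLESTOLEN001", "203.0.113.10"),
    _event("2024-08-25T10:00:30Z", "s3.amazonaws.com", "PutObject", "AKIAEXAMPLENORMAL01", "198.51.100.7"),
    _event("2024-08-25T10:02:00Z", "s3.amazonaws.com", "GetObject", "AKIAEXAMPLENORMAL01", "198.51.100.7"),
    _event("2024-08-25T11:30:00Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLENORMAL01", "198.51.100.7"),
]

if __name__ == "__main__":
    for finding in find_enumeration_bursts(SAMPLE_EVENTS):
        print(finding)
```

Tuning is per environment: automation that legitimately inventories an account will trip a low threshold, so exclude known service roles or raise `min_distinct_apis` for them, and pair the rule with a source-address check (a long-lived key suddenly used from an address outside the usual ranges is the stronger signal).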
  22. Security Measures in Cloud Environment: Security Measures from an Attacker's Perspective
      1. Understand what counts as “sensitive information” in the cloud environment
      2. Assume a variety of external and internal threats
      3. Implement security measures for each target
      4. Implement defense in depth to minimize damage in the event of an initial intrusion

  23. Security Measures in Cloud Environment: Keywords
      • Defense in Depth
        • Three areas: Entrance Measures → Internal Measures → Exit Measures
        • Cloud environment (MITRE ATT&CK): Initial Invasion → Research → Misuse
      • Attack Surface
        • Cloud environment for external use
        • Cloud environment for internal use
        • People dealing with cloud environments

  24. Attacker Perspective on Cloud Environments: Attacker’s Main Objective (recap of slide 6)

  25. Intrusion Techniques in AWS Environment: 1. Initial Access, Main Targets (recap of slide 10)

  26. My Blog & Slides (Japanese), Topic: Cloud Security
      • Pitfalls of Lambda - Dangers and Security Measures due to Vulnerable Libraries
      • Serverless Security Risks - Vulnerability Attacks and Countermeasures in AWS Lambda
      • Security Risks and Countermeasures due to Vulnerable Use of Amazon S3
      • CTF Cloud Issue Attack Methodology Summary (2021, 2022, 2023 Edition)
      • HTB Cloud Issue Attack Methodology Summary
      • Amazon EC2 Security (Vulnerability) Case Study
      • MFA Authentication Evasion and Examples of AWS Login by Phishing
      • Introduction to Cloud Security from an Offensive Perspective ~AWS Edition~
      • ⭐ Introduction to Cloud Security - Threats and Countermeasures when Focusing on the AWS Environment from an Offensive Perspective
      https://scgajge12.github.io/tags/cloud/