Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Case Study of AWS Security Breaches and Attack / Defense Techniques

7bcb468888a82bfeb38a2818207e53c6?s=47 Steve Teo
August 31, 2019

Case Study of AWS Security Breaches and Attack / Defense Techniques

Presented during the AWS APAC Community Day Leader's Meetup 2019 in Melbourne


Steve Teo

August 31, 2019

More Decks by Steve Teo

Other Decks in Technology


  1. Case Study of AWS Security Breaches and Attack / Defense

    Techniques Steve Teo Director of Cloud Security Engineering Horangi Cyber Security www.linkedin.com/in/steveteo
  2. Steve “Potay” Teo • Director of Cloud Security Engineering @

    Horangi • CloudDevSecOps Fanatic • 4 years+ working on AWS • AWS Areas of Interests: • AWS Multi-Account Architectures • Cloud Security • Totally uncertified and proud :P • Ate 24 buffalo wings at last year’s Reinvent Tatonka Challenge
  3. Communities I serve https://www.meetup.com/AWS-SG/ https://www.meetup.com/ Atlassian-User-Group-Singapore/

  4. AWS User Group Singapore - Monthly

  5. AWS User Group Singapore - Monthly

  6. Context

  7. “Know thy self, know thy enemy. A thousand battles, a

    thousand victories.” – Sun Tzu, Art of War
  8. By 2020 95% of cloud security failures will be the

    customer's fault - Gartner
  9. Shared Responsibility Model

  10. Horangi Warden – Cloud Security Configuration Checker

  11. VS

  12. Every AWS Account is a Blank Cheque – Steve Teo

  13. S3 Bucket Breaches

  14. “The reason why Google and Facebook are the most powerful

    companies in the world is because last year data surpassed oil in value” - Brittany Kaiser (The Great Hack)
  15. Some of the Biggest S3 Breaches • Sept 2017 -

    Accenture Leak • Bucket(s): acp-deployment, acpcollector, acp-software, acp-ssl • Highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform • 40,000 passwords stored in plaintext, architectural information and code for the company's client-facing cloud platform, decryption keys, certificates, API data and administrator login credentials. • https://www.upguard.com/breaches/cloud-leak-accenture • Street Cred -- • May 2019 – Attunity Leak • Bucket(s): attunity-it, attunity-patch, attunity-support • 750 gigabytes of compressed email backup exposed, including Netflix, Ford, TD Bank • https://www.upguard.com/breaches/attunity-data-leak • Street Cred --
  16. Some of the Biggest S3 Breaches • June 2017 -

    Partner • Bucket(s): verizon-sftp • Bucket was operated by 3rd Party Partner, NICE Systems • Names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon • https://www.upguard.com/breaches/verizon-cloud-leak • Street Cred -- • Jan 2019 – Third-Party Apps • Cultura Colectiva • Bucket(s): cc-datalake • 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more • At the Pool • FB user data for 22K users, including plaintext passwords • https://www.upguard.com/breaches/facebook-user-data-leak • Street Cred --
  17. Attack - S3 Enumeration • Lots of tools out there

    to discover S3 buckets • Powered by dictionaries + pattern techniques • Some specialized tools like https://github.com/jordanpotti/ AWSBucketDump can even dump a bucket’s content or search for contents within the bucket
  18. Attack - Bucket-Stream • https://github.com/eth0izzle/bucket-stream • Listens to various certificate

    transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.
  19. Attack - Bucket-Stream

  20. Attack - Bucket-Stream

  21. Attack - Bucket-Stream

  22. Attack - Bucket-Stream • They were there before me

  23. None
  24. Attack - buckets.greyhatwarfare.com

  25. Attack - buckets.greyhatwarfare.com

  26. Defense – S3 Block Public Access

  27. Defense – S3 Inspector • Checks all your buckets for

    public access • For every bucket gives you the report with: • Indicator if your bucket is public or not • Permissions for your bucket if it is public • List of URLs to access your bucket (non-public buckets will return Access Denied) if it is public • https://github.com/kromtech/s3-inspector
  28. S3 Security Is Flawed By Design? • https://www.upguard.com/blog/s3-security-is-flawed-by-design • “Our

    opinion is that the security problem with S3 is one of product design." • Key Points • Can’t break legacy • #1: Any Authenticated Users • #2: Inconsistent ACLs and Bucket Policies (union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply) • Recommendation • Split S3 up into Amazon Web Hosting and Amazon Private Storage
  29. Other External Threats

  30. None
  31. Code Spaces "We finally managed to get our panel access

    back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."
  32. Hack • Between March 12, 2019 and July 17, 2019,

    an unauthorized user accessed data stored in AWS S3 buckets belonging to Capital One. • The unauthorized user exfiltrated the data and stored it on GitHub under their real name, Paige Thompson, as well as boasting about the data theft in a Slack channel and on twitter using the pseudonym “erratic”. • Loss of over 100 million credit card applications and 100 thousand social security numbers
  33. Hack • Server-Side Request Forgery (SSRF) attack An SSRF attack

    tricks a server into executing commands on behalf of a remote user, enabling the user to treat the server as a proxy for his or her requests and get access to non-public endpoints.
  34. Hack*****-WAF-Role

  35. Hack 700 Buckets ModSecurity WAF { "Effect": "Allow", "Actions": [

    "s3:ListBuckets", "s3:Sync" ], "Resource": "*" }
  36. Hack • https://blog.cloudsploit.com/a-technical-analysis-of-the-capital- one-hack-a9b43d7c8aea • https://rhinosecuritylabs.com/aws/capital-one-cloud_breach_s3- cloudgoat/ • https://ejj.io/blog/capital-one •

    https://www.justice.gov/usao-wdwa/press- release/file/1188626/download • https://www.newsweek.com/amazon-capital-one-hack-data-leak- breach-paige-thompson-cybercrime-1451665 • https://awsinsider.net/articles/2019/08/21/aws-scanning.aspx
  37. Attack - Phished AWS Persistent Cookies • https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/ • https://rhinosecuritylabs.com/aws/aws-phished-persistent-cookies/

    • It all starts with social engineering
  38. Attack - Phished AWS Persistent Cookies • Uses tools such

    as Evilginx2, Modlishka, Muraena, and CredSniper
  39. Attack - Phished AWS Persistent Cookies

  40. Attack - IAM Role Enumeration • https://rhinosecuritylabs.com/aws/ assume-worst-aws-assume-role- enumeration/ •

    Keep your AWS Account ID close!
  41. Attack - IAM Role Enumeration • https://rhinosecuritylabs.com/aws/ assume-worst-aws-assume-role- enumeration/ •

    Keep your AWS Account ID close!
  42. Internal Threats

  43. May 2016 - Disgruntled Employee @ Voova • “An irate

    sacked techie who rampaged through his former employer's AWS accounts with a purloined login, nuking 23 servers and triggering a wave of redundancies, has been jailed.” • Got hold of a former colleague's AWS login and destroyed what police and prosecutors claimed was £500,000 worth of business- critical data. • Did not implement multi-factor authentication. • IP Traced - "One of their customers is Valtech, and the defendant was employed by Valtech in Manchester and was dismissed... at the time of the attack”. • https://www.theregister.co.uk/2019/03/20/st effan_needham_aws_rampage_prison_sente nce_voova/
  44. My Own Experience • I can’t document the story here,

    but … • If I had to call it one thing, it would be a “Security Game Day” • Key Learnings • Assume everything is compromised • There is probably a lot more going than you think is happening. Think Motive • Avoid putting all your eggs into one basket • Hard to conduct forensics without proper tools or audit services setup properly • Avoid having long-lived keys, IAM users • Set effective guardrails
  45. None
  46. None
  47. Sometimes, if it is not your’s or AWS’s fault

  48. Amazon Route 53 BGP Hijack • April 24, 2018 -

    $150,000 USD in Ethereum Stolen in MyEtherWallet Hack
  49. Amazon Route 53 BGP Hijack • BGP leak would be

    IP space that is announced by somebody not allowed by the owner of the space • In order for a leak to be accepted • A smaller prefix ( = 1 IP vs = 256 IPs) • Have better metrics than a prefix with the same length (shorter path) • This IP space is allocated to Amazon (AS16509). But the ASN that announced it was eNet Inc (AS10297) to their peers and forwarded to Hurricane Electric (AS6939), Level 3. Level 3 (AS3356) and NTT (AS2914) did not accept the announcement • Announcements • over • over • over • Over
  50. Amazon Route 53 BGP Hijack

  51. Amazon Route 53 BGP Hijack Normal GG – Good Game

  52. Amazon Route 53 BGP Hijack

  53. Amazon Route 53 BGP Hijack

  54. Amazon Route 53 BGP Hijack • https://www.internetsociety.org/blog/2018/04/amazons-route-53- bgp-hijack/ • https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/

    • https://www.manrs.org/2018/04/another-bgp-hijacking-event- highlights-the-importance-of-manrs-and-routing-security/ • https://www.darkreading.com/attacks-breaches/myetherwallet- dns-attack-offers-opt-in-lessons/d/d-id/1331656
  55. Other Interesting Stuff

  56. Honey Tokens

  57. Honey Tokens - Project Spacecrab • https://bitbucket.org/asecurityteam/spacecrab

  58. Key Takeaways • Knowing how to attack means you know

    how to defend • Security is everyone’s responsibility • If you are scrambling during an incident, you are already too late • Adopt a zero trust, sceptic mindset • Don’t let people shoot themselves in their foot easily
  59. https://speakerdeck.com/stevepotayteo/effective-aws-account-strategy-using-aws-organizations

  60. None
  61. None
  62. Every AWS Account is a Blank Cheque – Steve Teo

  63. Q & A?

  64. Thank you

  65. None