Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn

TweekFawkes
May 05, 2023
Technology
0
78

Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn

Research presented at BSidesAustin in Austin Texas on Friday May 5th 2023.

Session Name: "Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn"

Proactive organizations are hardening their Single Sign-On (SSO) solutions to require stronger forms of Multi-Factor Authentication (MFA), including the use of hardware tokens for authentication with FIDO2 and WebAuthn. These countermeasures are designed to defeat the stealing of SSO tokens and browser cookies via Adversary-in-The-Middle (AiTM) systems. As more organizations harden their defenses, attackers will evolve their tactics, techniques, and procedures (TTPs) in an effort to gain unauthorized access to organization’s critical information. In this session we will cover cloud-focused phishing techniques that are designed to bypass these new countermeasures, release improved proof of concepts code for these TTPs, and cover what the future of attacking the cloud will look like in the near future!

List 3 things attendees will be able to use in their jobs after hearing your talk
- How to harden their SSO systems to defend against AiTM systems
- How to harden their Cloud Service Provider environments (e.g. AWS, Azure, & GCP) against these edge cases that bypass hardened MFA using hardware tokens with FIDO2 and WebAuthn.
- How to test environments for these attack paths and to more accurately demonstrate the impact of a breach to senior management.

TweekFawkes

May 05, 2023
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.5k
Level Up Your Lab Envs!
tweekfawkes
0
180
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
210
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
110
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
160
The Future?!
tweekfawkes
0
140
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
230
UVU - Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
210

Other Decks in Technology

See All in Technology
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
260
AWS学習者向けにAzureの解説スライドを作成した話
handy
2
100
Grafana x PagerDuty Better Together
jacopen
0
160
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
1
250
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
170
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
400
Azureの基本的な権限管理の勉強会
yhana
0
910
web-application-security
matsuihidetoshi
0
180
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
16k
MapLibreとAmazon Location Service
dayjournal
1
160
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
One engineer company with Ruby on Rails
rstankov
2
250

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
325
20k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
In The Pink: A Labor of Love
frogandcode
138
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Embracing the Ebb and Flow
colly
80
4.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Making Projects Easy
brettharned
108
5.5k
Done Done
chrislema
178
15k

Transcript

  1. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Outplay Your Adversary! Bryce Kunz // @TweekFawkes

  2. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Cloud Red Teaming: Initial Access & Privilege Escalation

  3. Copyright 2022 by Stage 2 Security https:// .Security Who Am

    I? Go From Zero to Cloud Admin! • Globally Shared Resources • SSO Tokens & Browser Cookies • Cloud Native Phishing Agenda Privilege Escalation • Graph Database Technologies • IAM Roles • iam:PassRole • Basic Priv Esc Example via Graph DB • Common Priv Esc Access Vectors Cloud Lab Envs • Tools & Techniques

  4. Copyright 2022 by Stage 2 Security https:// .Security WhoAmI Overview

  5. Copyright 2022 by Stage 2 Security https:// .Security Defense DHS

    SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

  6. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  7. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  8. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  9. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  10. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 12th 2024 Salt Lake City, Utah https://BSidesSLC.org

  11. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 14th 2023 & Saturday Apr. 15th 2023 Salt Lake City, Utah https://BSidesSLC.org

  12. Copyright 2022 by Stage 2 Security https:// .Security Go From

    Zero to Cloud Admin! Overview

  13. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    External Resources Typical Steps: • Exploit App • Collect Creds • Reuse Creds Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Temporary Credentials Policies Identities Global Cloud

  14. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Globally Shared Resources: • EC2 AMIs • EBS Snapshots • RDS Snapshots • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances Global Cloud Secrets

  15. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Client-Side Vectors: • RCE • Cookies • Phishing • AiTM • Supply Chain • Social Engineering • Extensions • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Policies Identities Global Cloud Admin

  16. Copyright 2022 by Stage 2 Security https:// .Security Globally Shared

    Resources

  17. Copyright 2022 by Stage 2 Security https:// .Security Globally Public

    Resources AWS: • Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery https://github.com/SummitRoute/aws_exposable_resources

  18. Copyright 2022 by Stage 2 Security https:// .Security Public Elastic

    Block Storage (EBS) Snapshots Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around! https://github.com/BishopFox/dufflebag

  19. Copyright 2022 by Stage 2 Security https:// .Security SSO Tokens

    & Browser Cookies Client-Side

  20. Copyright 2022 by Stage 2 Security https:// .Security Overview Methods

    Include: • Malicious Browser Extension • Adversary-in-the-Middle (AiTM) Other Common Methods Include: • Malicious Documents (e.g. Office Macros) • Malicious Applications

  21. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extensions

  22. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extension Users Evil Server SSO / App TLS Browser

  23. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Red

    Team Toolkit Options https://github.com/mandatoryprogrammer/CursedChrome

  24. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Build

    me an Extension please! :) https://www.linkedin.com/posts/danielperjesi_how-i-created-a-chrome-extension-with-chatgpt-activity-7021098555054432256-W3Kl

  25. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Builds

    an Extension https://developer.chrome.com/docs/webstore/publish/

  26. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Backdoor

    the Extension https://www.youtube.com/watch?v=cdSXdwa5trc

  27. Copyright 2022 by Stage 2 Security https:// .Security Defense: Enterprise

    Policies (e.g. Chrome) Users Evil Server SSO / App TLS Browser https://github.com/mandatoryprogrammer/ChromeGalvanizer

  28. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

  29. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

    Users Evil Proxy SSO / App TLS TLS Browser

  30. Copyright 2022 by Stage 2 Security https:// .Security Phishing +

    AiTM Evil Proxy SSO / App TLS TLS Browser Users Email

  31. Copyright 2022 by Stage 2 Security https:// .Security Browser Access

    Evil Proxy SSO / App TLS TLS Browser Users Email Browser

  32. Copyright 2022 by Stage 2 Security https:// .Security SaaS &

    Cloud Access Evil Proxy SSO / App TLS TLS Browser Users Email Browser SaaS / CSP

  33. Copyright 2022 by Stage 2 Security https:// .Security EDRs: Largely

    Ignore Browser Sessions! Evil Proxy SSO / App TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  34. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    https://github.com/kgretzky/evilginx2 https://github.com/drk1wi/Modlishka https://github.com/muraenateam/muraena https://github.com/ustayready/CredSniper Phishing GoPhish https://github.com/gophish/gophish https://github.com/pentestgeek/phishing-frenzy https://github.com/rsmusllp/king-phisher Red Team Toolkit Options

  35. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    Phishing GoPhish Red Team Toolkit Options = EvilGoPhish https://github.com/fin3ss3g0d/evilgophish +

  36. Copyright 2022 by Stage 2 Security https:// .Security Defense: Incorrect

    FQDN Okta-Test.com Okta.com TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  37. Copyright 2022 by Stage 2 Security https:// .Security Defense: FIDO2

    (Hardware/YubiKey) + WebAuthn Okta-Test.com Okta.com TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  38. Copyright 2022 by Stage 2 Security https:// .Security One More

    Thing! Cloud Native Phishing

  39. Copyright 2022 by Stage 2 Security https:// .Security Scott Piper

    @0xdabbad00 Shout Out! https://tldrsec.com/blog/lesser-known-aws-attacks/

  40. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v1

  41. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Cloud Formation Template Stack Lambda Function

  42. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Click

    Link In Email https://us-east- 1.console.aws.amazon.com/cloudformation/home?r egion=us-east- 1#/stacks/create/review?templateURL=https://TO DO_BUCKET_NAME.s3.amazonaws.com/TODO_TEMPLATE_ NAME.yml&stackName=TODO_STACK_NAME https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  43. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role

  44. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  45. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  46. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Attacker

    Needs Targets AWS Account ID# To Follow The Path Back

  47. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function AWS IAM Policies Role AWS SAM

  48. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  49. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Sample

    Code https://github.com/TweekFawkes/SocialStackSetSmother

  50. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.1

    Areas for Improvement in v0.0.1: • CF Template Assumes the User Has the Permissions/Ability to: ◦ Create an IAM Role with “AdministratorAccess” policy attached ◦ Create & Execute a Lambda Function e.g. lambda:InvokeFunction • CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS • CF Template contains Python code which is easy to analyze and determine it looks suspicious ◦ Python Code also contains Attacker’s API GW URL • Phish contains link to Attacker’s Globally Unique S3 Bucket Name

  51. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.2

  52. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  53. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  54. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml

  55. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  56. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // No Object in S3 Bucket: https://tmnttime.s3.us-east- 2.amazonaws.com/template-v0-0-0.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  57. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid Scheme: bryce://tmnttime.s3.us-east- 2.amazonaws.com/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  58. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid TCP Port: https://tmnttime.s3.us-east- 2.amazonaws.com:2222/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  59. Copyright 2022 by Stage 2 Security https:// .Security Idea: Leverage

    an obfuscated url to mislead Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid Protocol & TCP Port: ftp://tmnttime.s3.us-east- 2.amazonaws.com:2222/template-v2-0-1.yaml Anyone going to ftp on port 2222 will be rejected but the AWS CF service will still deploy the malicious template. https://www.youtube.com/watch?v=nDei76dTTdY

  60. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://[email protected]/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  61. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  62. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: CDN to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  63. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  64. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  65. Copyright 2022 by Stage 2 Security https:// .Security Finding S3

    Buckets with Public PutObject Perms Crime Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/

  66. Copyright 2022 by Stage 2 Security https:// .Security Thinking… Crime

    Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/ This was in 2019… is something similar to this even still possible in 2023? If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? Can anyone pull this off or is this something only a nation state will be able to execute on now?

  67. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) https://aws.amazon.com/serverless/build-a-web-app/

  68. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) Infrastructure as Code Based on CloudFormation, but much simpler to implement common Serverless Application Models... https://aws.amazon.com/serverless/sam/

  69. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) The Serverless Application Model is commonly referred to as “SAM” in AWS documentation SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform New Resource Types with SAM: • AWS::Serverless::Function -> AWS Lambda Functions • AWS::Serverless::Api -> AWS API Gateway APIs • AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables https://aws.amazon.com/serverless/sam/

  70. Copyright 2022 by Stage 2 Security https:// .Security Leverage SAM

    to Create... SAM: • template.yaml • app.py • etc. CloudFormation

  71. Copyright 2022 by Stage 2 Security https:// .Security SAM Template

    A simple AWS SAM application that triggers a Lambda function every 120 seconds using CloudWatch Events SAM Template: • CloudWatch Events ◦ Every 120 Seconds • Lambda ◦ Python 3.9 • Attach Policy to Enable: ◦ s3:PutObject to Specific bucketname e.g. sds3bn001 • Set Timeout to Max: ◦ 15 Minutes (900 Seconds)

  72. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 1 Create Random Bucket Names: • Generate an Random Bucket Name

  73. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 2 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names

  74. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 3 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist

  75. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 4 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  76. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  77. Copyright 2022 by Stage 2 Security https:// .Security Cron via

    CloudWatch Events https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html Cloud Watch Events - Every 120 seconds (*/2 * * * *) 33x 0-3 Second Delay w/ Max 15 Min ~ 300 Buckets (200s) in ~5 Days python3 requests https://' + sRandomString + '.s3.amazonaws.com HTTP 200 means the Bucket Exists SAM: • template.yaml • app.py • etc. CloudFormation

  78. Copyright 2022 by Stage 2 Security https:// .Security Cloud9 IDE

    https://aws.amazon.com/cloud9/

  79. Copyright 2022 by Stage 2 Security https:// .Security PyCharm IDE

    https://aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

  80. Copyright 2022 by Stage 2 Security https:// .Security Processing Scripts

    001_download_objects_from_s3.py • Download all the objects from S3 • Combine the contents into one python list 002_find_valid_s3_buckets.py • Sort through the python list to find all the HTTP 200 Response Codes ◦ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket 003_find_public_write.py • Attempt to Upload an object with a .yml extension to the S3 Bucket • Double Check that we can access the object publicly via the Internet • If Successful, Attempt to Delete the Uploaded .yml Object And the Results…?

  81. Copyright 2022 by Stage 2 Security https:// .Security The Results?

    And the Results…? In approximately ~5 days it discovered around ~10 S3 buckets which are publicly accessible and anyone can upload a file to presumably host a malicious CloudFormation template :/

  82. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES!

  83. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run

  84. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run Can anyone pull this off or is this something only a nation state will be able to execute on now? Anyone with basic python3 scripting skills and some AWS can pull this off.

  85. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.2

    Areas for Improvement in v0.0.2: • CF Template Assumes the User Has the Permissions/Ability to: ◦ Create an IAM Role with “AdministratorAccess” policy attached ◦ Create & Execute a Lambda Function e.g. lambda:InvokeFunction • CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS • CF Template contains Python code which is easy to analyze and determine it looks suspicious ◦ Python Code also contains Attacker’s API GW URL • Phish contains link to Attacker’s Globally Unique S3 Bucket Name

  86. Copyright 2022 by Stage 2 Security https:// .Security June &

    July – More Code Releases with Updates on LinkedIn August - Black Hat USA Training – Las Vegas Astute AWS/Azure/GCP Cloud Red Team: It's Raining Shells! - 2023 Edition October – SaintCon - Utah What’s Next?

  87. Copyright 2022 by Stage 2 Security https:// .Security Contact Info

    Twitter: @TweekFawkes LinkedIn: https://www.linkedin.com/in/brycekunz/ Email: [email protected] Slide Decks: https://speakerdeck.com/tweekfawkes/ Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

  88. Copyright 2022 by Stage 2 Security https:// .Security Trainings @

    BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes

  89. Copyright 2022 by Stage 2 Security https:// .Security End Overview