Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud-focused phishing techniques to bypass FID...

TweekFawkes
May 05, 2023
Technology
0
130

Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn

Research presented at BSidesAustin in Austin Texas on Friday May 5th 2023.

Session Name: "Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn"

Proactive organizations are hardening their Single Sign-On (SSO) solutions to require stronger forms of Multi-Factor Authentication (MFA), including the use of hardware tokens for authentication with FIDO2 and WebAuthn. These countermeasures are designed to defeat the stealing of SSO tokens and browser cookies via Adversary-in-The-Middle (AiTM) systems. As more organizations harden their defenses, attackers will evolve their tactics, techniques, and procedures (TTPs) in an effort to gain unauthorized access to organization’s critical information. In this session we will cover cloud-focused phishing techniques that are designed to bypass these new countermeasures, release improved proof of concepts code for these TTPs, and cover what the future of attacking the cloud will look like in the near future!

List 3 things attendees will be able to use in their jobs after hearing your talk
- How to harden their SSO systems to defend against AiTM systems
- How to harden their Cloud Service Provider environments (e.g. AWS, Azure, & GCP) against these edge cases that bypass hardened MFA using hardware tokens with FIDO2 and WebAuthn.
- How to test environments for these attack paths and to more accurately demonstrate the impact of a breach to senior management.

TweekFawkes

May 05, 2023
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
27
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.9k
Level Up Your Lab Envs!
tweekfawkes
0
200
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
250
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
140
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
180
The Future?!
tweekfawkes
0
150
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
260

Other Decks in Technology

See All in Technology
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
170
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
180
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
540
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
Storybook との上手な向き合い方を考える
re_taro
5
770
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
2
480
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
880
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
7
690
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.4k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Docker and Python
trallard
40
3.1k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
A Modern Web Designer's Workflow
chriscoyier
693
190k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Unsuck your backbone
ammeep
668
57k

Transcript

  1. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Outplay Your Adversary! Bryce Kunz // @TweekFawkes

  2. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Cloud Red Teaming: Initial Access & Privilege Escalation

  3. Copyright 2022 by Stage 2 Security https:// .Security Who Am

    I? Go From Zero to Cloud Admin! • Globally Shared Resources • SSO Tokens & Browser Cookies • Cloud Native Phishing Agenda Privilege Escalation • Graph Database Technologies • IAM Roles • iam:PassRole • Basic Priv Esc Example via Graph DB • Common Priv Esc Access Vectors Cloud Lab Envs • Tools & Techniques

  4. Copyright 2022 by Stage 2 Security https:// .Security WhoAmI Overview

  5. Copyright 2022 by Stage 2 Security https:// .Security Defense DHS

    SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

  6. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  7. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  8. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  9. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  10. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 12th 2024 Salt Lake City, Utah https://BSidesSLC.org

  11. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 14th 2023 & Saturday Apr. 15th 2023 Salt Lake City, Utah https://BSidesSLC.org

  12. Copyright 2022 by Stage 2 Security https:// .Security Go From

    Zero to Cloud Admin! Overview

  13. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    External Resources Typical Steps: • Exploit App • Collect Creds • Reuse Creds Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Temporary Credentials Policies Identities Global Cloud

  14. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Globally Shared Resources: • EC2 AMIs • EBS Snapshots • RDS Snapshots • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances Global Cloud Secrets

  15. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Client-Side Vectors: • RCE • Cookies • Phishing • AiTM • Supply Chain • Social Engineering • Extensions • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Policies Identities Global Cloud Admin

  16. Copyright 2022 by Stage 2 Security https:// .Security Globally Shared

    Resources

  17. Copyright 2022 by Stage 2 Security https:// .Security Globally Public

    Resources AWS: • Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery https://github.com/SummitRoute/aws_exposable_resources

  18. Copyright 2022 by Stage 2 Security https:// .Security Public Elastic

    Block Storage (EBS) Snapshots Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around! https://github.com/BishopFox/dufflebag

  19. Copyright 2022 by Stage 2 Security https:// .Security SSO Tokens

    & Browser Cookies Client-Side

  20. Copyright 2022 by Stage 2 Security https:// .Security Overview Methods

    Include: • Malicious Browser Extension • Adversary-in-the-Middle (AiTM) Other Common Methods Include: • Malicious Documents (e.g. Office Macros) • Malicious Applications

  21. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extensions

  22. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extension Users Evil Server SSO / App TLS Browser

  23. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Red

    Team Toolkit Options https://github.com/mandatoryprogrammer/CursedChrome

  24. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Build

    me an Extension please! :) https://www.linkedin.com/posts/danielperjesi_how-i-created-a-chrome-extension-with-chatgpt-activity-7021098555054432256-W3Kl

  25. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Builds

    an Extension https://developer.chrome.com/docs/webstore/publish/

  26. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Backdoor

    the Extension https://www.youtube.com/watch?v=cdSXdwa5trc

  27. Copyright 2022 by Stage 2 Security https:// .Security Defense: Enterprise

    Policies (e.g. Chrome) Users Evil Server SSO / App TLS Browser https://github.com/mandatoryprogrammer/ChromeGalvanizer

  28. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

  29. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

    Users Evil Proxy SSO / App TLS TLS Browser

  30. Copyright 2022 by Stage 2 Security https:// .Security Phishing +

    AiTM Evil Proxy SSO / App TLS TLS Browser Users Email

  31. Copyright 2022 by Stage 2 Security https:// .Security Browser Access

    Evil Proxy SSO / App TLS TLS Browser Users Email Browser

  32. Copyright 2022 by Stage 2 Security https:// .Security SaaS &

    Cloud Access Evil Proxy SSO / App TLS TLS Browser Users Email Browser SaaS / CSP

  33. Copyright 2022 by Stage 2 Security https:// .Security EDRs: Largely

    Ignore Browser Sessions! Evil Proxy SSO / App TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  34. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    https://github.com/kgretzky/evilginx2 https://github.com/drk1wi/Modlishka https://github.com/muraenateam/muraena https://github.com/ustayready/CredSniper Phishing GoPhish https://github.com/gophish/gophish https://github.com/pentestgeek/phishing-frenzy https://github.com/rsmusllp/king-phisher Red Team Toolkit Options

  35. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    Phishing GoPhish Red Team Toolkit Options = EvilGoPhish https://github.com/fin3ss3g0d/evilgophish +

  36. Copyright 2022 by Stage 2 Security https:// .Security Defense: Incorrect

    FQDN Okta-Test.com Okta.com TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  37. Copyright 2022 by Stage 2 Security https:// .Security Defense: FIDO2

    (Hardware/YubiKey) + WebAuthn Okta-Test.com Okta.com TLS TLS Browser Users Email Browser SaaS / CSP EDR EDR Cloud

  38. Copyright 2022 by Stage 2 Security https:// .Security One More

    Thing! Cloud Native Phishing

  39. Copyright 2022 by Stage 2 Security https:// .Security Scott Piper

    @0xdabbad00 Shout Out! https://tldrsec.com/blog/lesser-known-aws-attacks/

  40. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v1

  41. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Cloud Formation Template Stack Lambda Function

  42. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Click

    Link In Email https://us-east- 1.console.aws.amazon.com/cloudformation/home?r egion=us-east- 1#/stacks/create/review?templateURL=https://TO DO_BUCKET_NAME.s3.amazonaws.com/TODO_TEMPLATE_ NAME.yml&stackName=TODO_STACK_NAME https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  43. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role

  44. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  45. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  46. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Attacker

    Needs Targets AWS Account ID# To Follow The Path Back

  47. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function AWS IAM Policies Role AWS SAM

  48. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  49. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Sample

    Code https://github.com/TweekFawkes/SocialStackSetSmother

  50. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.1

    Areas for Improvement in v0.0.1: • CF Template Assumes the User Has the Permissions/Ability to: ◦ Create an IAM Role with “AdministratorAccess” policy attached ◦ Create & Execute a Lambda Function e.g. lambda:InvokeFunction • CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS • CF Template contains Python code which is easy to analyze and determine it looks suspicious ◦ Python Code also contains Attacker’s API GW URL • Phish contains link to Attacker’s Globally Unique S3 Bucket Name

  51. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.2

  52. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  53. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  54. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml

  55. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  56. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // No Object in S3 Bucket: https://tmnttime.s3.us-east- 2.amazonaws.com/template-v0-0-0.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  57. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid Scheme: bryce://tmnttime.s3.us-east- 2.amazonaws.com/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  58. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid TCP Port: https://tmnttime.s3.us-east- 2.amazonaws.com:2222/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  59. Copyright 2022 by Stage 2 Security https:// .Security Idea: Leverage

    an obfuscated url to mislead Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ✅ Invalid Input // Invalid Protocol & TCP Port: ftp://tmnttime.s3.us-east- 2.amazonaws.com:2222/template-v2-0-1.yaml Anyone going to ftp on port 2222 will be rejected but the AWS CF service will still deploy the malicious template. https://www.youtube.com/watch?v=nDei76dTTdY

  60. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://[email protected]/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  61. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  62. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: CDN to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template- v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  63. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  64. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  65. Copyright 2022 by Stage 2 Security https:// .Security Finding S3

    Buckets with Public PutObject Perms Crime Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/

  66. Copyright 2022 by Stage 2 Security https:// .Security Thinking… Crime

    Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/ This was in 2019… is something similar to this even still possible in 2023? If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? Can anyone pull this off or is this something only a nation state will be able to execute on now?

  67. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) https://aws.amazon.com/serverless/build-a-web-app/

  68. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) Infrastructure as Code Based on CloudFormation, but much simpler to implement common Serverless Application Models... https://aws.amazon.com/serverless/sam/

  69. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) The Serverless Application Model is commonly referred to as “SAM” in AWS documentation SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform New Resource Types with SAM: • AWS::Serverless::Function -> AWS Lambda Functions • AWS::Serverless::Api -> AWS API Gateway APIs • AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables https://aws.amazon.com/serverless/sam/

  70. Copyright 2022 by Stage 2 Security https:// .Security Leverage SAM

    to Create... SAM: • template.yaml • app.py • etc. CloudFormation

  71. Copyright 2022 by Stage 2 Security https:// .Security SAM Template

    A simple AWS SAM application that triggers a Lambda function every 120 seconds using CloudWatch Events SAM Template: • CloudWatch Events ◦ Every 120 Seconds • Lambda ◦ Python 3.9 • Attach Policy to Enable: ◦ s3:PutObject to Specific bucketname e.g. sds3bn001 • Set Timeout to Max: ◦ 15 Minutes (900 Seconds)

  72. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 1 Create Random Bucket Names: • Generate an Random Bucket Name

  73. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 2 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names

  74. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 3 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist

  75. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 4 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  76. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  77. Copyright 2022 by Stage 2 Security https:// .Security Cron via

    CloudWatch Events https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html Cloud Watch Events - Every 120 seconds (*/2 * * * *) 33x 0-3 Second Delay w/ Max 15 Min ~ 300 Buckets (200s) in ~5 Days python3 requests https://' + sRandomString + '.s3.amazonaws.com HTTP 200 means the Bucket Exists SAM: • template.yaml • app.py • etc. CloudFormation

  78. Copyright 2022 by Stage 2 Security https:// .Security Cloud9 IDE

    https://aws.amazon.com/cloud9/

  79. Copyright 2022 by Stage 2 Security https:// .Security PyCharm IDE

    https://aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

  80. Copyright 2022 by Stage 2 Security https:// .Security Processing Scripts

    001_download_objects_from_s3.py • Download all the objects from S3 • Combine the contents into one python list 002_find_valid_s3_buckets.py • Sort through the python list to find all the HTTP 200 Response Codes ◦ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket 003_find_public_write.py • Attempt to Upload an object with a .yml extension to the S3 Bucket • Double Check that we can access the object publicly via the Internet • If Successful, Attempt to Delete the Uploaded .yml Object And the Results…?

  81. Copyright 2022 by Stage 2 Security https:// .Security The Results?

    And the Results…? In approximately ~5 days it discovered around ~10 S3 buckets which are publicly accessible and anyone can upload a file to presumably host a malicious CloudFormation template :/

  82. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES!

  83. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run

  84. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run Can anyone pull this off or is this something only a nation state will be able to execute on now? Anyone with basic python3 scripting skills and some AWS can pull this off.

  85. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.2

    Areas for Improvement in v0.0.2: • CF Template Assumes the User Has the Permissions/Ability to: ◦ Create an IAM Role with “AdministratorAccess” policy attached ◦ Create & Execute a Lambda Function e.g. lambda:InvokeFunction • CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS • CF Template contains Python code which is easy to analyze and determine it looks suspicious ◦ Python Code also contains Attacker’s API GW URL • Phish contains link to Attacker’s Globally Unique S3 Bucket Name

  86. Copyright 2022 by Stage 2 Security https:// .Security June &

    July – More Code Releases with Updates on LinkedIn August - Black Hat USA Training – Las Vegas Astute AWS/Azure/GCP Cloud Red Team: It's Raining Shells! - 2023 Edition October – SaintCon - Utah What’s Next?

  87. Copyright 2022 by Stage 2 Security https:// .Security Contact Info

    Twitter: @TweekFawkes LinkedIn: https://www.linkedin.com/in/brycekunz/ Email: [email protected] Slide Decks: https://speakerdeck.com/tweekfawkes/ Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

  88. Copyright 2022 by Stage 2 Security https:// .Security Trainings @

    BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes

  89. Copyright 2022 by Stage 2 Security https:// .Security End Overview