LAS VEGAS -- Fireglass executives demonstrated techniques during a Black Hat 2016 session that would allow attackers in Amazon Web Services environments to manipulate AWS CloudTrail and stay undetected in those environments.
Fireglass' co-founder and CTO Dan Amiga and security research team leader Dor Knafo outlined several infection routes into an AWS environment that would enable attackers to begin moving laterally while erasing evidence of their intrusion in AWS CloudTrail, Amazon's API activity logging service. Amiga said these "user fault infections" include simple phishing attacks and exposing AWS access keys in source code repositories like GitHub and Bitbucket. He also detailed direct infection types, such as administrators deploying "poisoned" Amazon Machine Images that haven't been properly scanned, or attackers reading the EC2 instance metadata service (which hands out temporary credentials for the instance's IAM role) and using those credentials to gain access to an environment.
But another important source of direct infections is what Fireglass calls AWS account jumping. Amiga said that because Amazon offers smaller startup companies financial incentives -- sometimes as much as $150,000 in credits -- to move to AWS, when those startups either close or downsize, the AWS accounts may be sold off to other companies looking for bargain-priced AWS instances.
"It's kind of like a black market. You can buy an AWS account with $100,000 in credits [for less than what Amazon offers]," Amiga said. "You just saved a lot of money, but the problem is there is no reset button in AWS. If you just purchased an account ... there's no way you can actually go through and iterate through all of the data centers, all of the regions and all of the APIs."
Therefore, the new owner of an AWS account could be exposed to unpatched vulnerabilities, malware or, worse, an advanced persistent threat (APT) already lurking in the environment.
Amiga and Knafo also detailed several techniques an APT could use to remain inside even a well-defended AWS account by accessing, manipulating and deleting CloudTrail data. Some techniques, such as deleting a trail or stopping its logging with API calls (DeleteTrail and StopLogging), would attract attention from administrators. Other methods, however, would be much harder to detect, Amiga said.
For example, as detailed in Fireglass' research paper, an attacker could turn off CloudTrail for all regions except the home region of the account, which administrators in that region might not notice. Attackers could also update the Amazon S3 bucket lifecycle configuration to delete the CloudTrail files after just one day. And a third option would be to leverage AWS Lambda, Amazon's own event-driven computing service, against the environment itself.
"A good option is to set up a lambda to immediately delete every log file written to this S3 bucket," the Fireglass research paper states. "The Lambda function is invoked directly by S3, and it will win any race against other code attempting to consume files written to the bucket, making them invisible."
To defend against these types of attacks, Amiga offered several pointers, including segmenting environments and encrypting sensitive data while also keeping a close eye on the AWS security services.
"Pay careful attention to CloudTrail and all of the different CloudWatch notifications you want to set up," Amiga said. "And assume that your environment can be torn down to pieces like what happened with Code Spaces."
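As an added illustration of the monitoring Amiga recommends, the following Python script (written for this page, not code from Fireglass or from the research paper) checks for the three quiet evasion techniques described above in two ways: it scans CloudTrail records for the API calls each technique requires (UpdateTrail narrowing a trail to one region, PutBucketLifecycle and PutBucketNotification on the log bucket, plus the noisy StopLogging and DeleteTrail), and it audits the trail and bucket configuration for the weak state those calls leave behind. The sample records, the bucket name example-cloudtrail-logs, the trail name main-trail and the account and function ARNs are all constructed for the example; the dictionary shapes follow what boto3 returns from describe_trails, get_bucket_lifecycle_configuration and get_bucket_notification_configuration, so the same functions can be fed live responses.

```python
"""Detect the CloudTrail-evasion techniques discussed in the article.

Two independent checks, run here on constructed data with no AWS calls:
  1. flag_evasion_events: scan CloudTrail records for the API calls involved.
  2. audit_trail_config: inspect trail/bucket configuration for the weak state.
Field names follow the CloudTrail record format and boto3 response shapes.
"""
import json

LOG_BUCKET = "example-cloudtrail-logs"  # assumed name of the trail's S3 bucket

# API calls behind the techniques. Deleting or stopping the trail is noisy;
# the configuration changes that leave logging apparently running are quieter.
EVASION_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "high",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "high",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "medium",    # multi-region -> home region only
    ("s3.amazonaws.com", "PutBucketLifecycle"): "medium",     # expire log objects early
    ("s3.amazonaws.com", "PutBucketNotification"): "medium",  # Lambda deletes each new object
}


def flag_evasion_events(records, log_bucket=LOG_BUCKET):
    """Return a finding for each record that changes trail or log-bucket configuration."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in EVASION_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # S3 changes matter only when they hit the bucket the trail writes to.
        if key[0] == "s3.amazonaws.com" and params.get("bucketName") != log_bucket:
            continue
        severity = EVASION_EVENTS[key]
        # UpdateTrail is routine unless it narrows the trail to a single region.
        if key[1] == "UpdateTrail" and params.get("isMultiRegionTrail") is not False:
            severity = "low"
        findings.append({
            "time": rec.get("eventTime"),
            "event": key[1],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "severity": severity,
        })
    return findings


def audit_trail_config(trail, lifecycle_rules, notification_config, min_retention_days=365):
    """Return human-readable findings for the weak states the techniques leave behind."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail %s only records its home region %s"
                        % (trail.get("Name"), trail.get("HomeRegion")))
    for rule in lifecycle_rules:
        if rule.get("Status") != "Enabled":
            continue
        days = (rule.get("Expiration") or {}).get("Days")
        if days is not None and days < min_retention_days:
            findings.append("lifecycle rule %s expires log objects after %d day(s)"
                            % (rule.get("ID"), days))
    for cfg in notification_config.get("LambdaFunctionConfigurations", []):
        if any(e.startswith("s3:ObjectCreated") for e in cfg.get("Events", [])):
            findings.append("Lambda %s is invoked on every object written to the log bucket"
                            % cfg.get("LambdaFunctionArn"))
    return findings


# Constructed CloudTrail records: one benign call, the three quiet techniques,
# and an unrelated bucket change that must not be flagged.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2016-08-03T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": null},
 {"eventTime": "2016-08-03T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"name": "main-trail", "isMultiRegionTrail": false}},
 {"eventTime": "2016-08-03T10:02:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-cloudtrail-logs"}},
 {"eventTime": "2016-08-03T10:03:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketNotification", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-cloudtrail-logs"}},
 {"eventTime": "2016-08-03T10:04:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"bucketName": "unrelated-assets"}}
]""")

# Constructed configuration state in the shape boto3 returns after the attack.
SAMPLE_TRAIL = {"Name": "main-trail", "HomeRegion": "us-east-1",
                "IsMultiRegionTrail": False, "S3BucketName": LOG_BUCKET}
SAMPLE_LIFECYCLE_RULES = [{"ID": "expire-fast", "Status": "Enabled",
                           "Filter": {"Prefix": "AWSLogs/"}, "Expiration": {"Days": 1}}]
SAMPLE_NOTIFICATIONS = {"LambdaFunctionConfigurations": [
    {"LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:cleaner",
     "Events": ["s3:ObjectCreated:*"]}]}

if __name__ == "__main__":
    for f in flag_evasion_events(SAMPLE_RECORDS):
        print("[%s] %s %s by %s" % (f["severity"], f["time"], f["event"], f["actor"]))
    for f in audit_trail_config(SAMPLE_TRAIL, SAMPLE_LIFECYCLE_RULES, SAMPLE_NOTIFICATIONS):
        print("[config]", f)
```

Two caveats follow from the paper's own point. The Lambda finding is a review item rather than proof of compromise, because legitimate log consumers also subscribe to ObjectCreated events; what matters is which function gets to the object first. And the first check only works if the records survive long enough to be read, so the scan should run against a copy of the trail delivered somewhere the attacker cannot reach, such as a CloudWatch Logs group or a bucket in a separate logging account, rather than against the bucket the attacker is already manipulating.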