Security firm Hunters has described a technique that an attacker can use to abuse a legitimate Amazon VPC feature to mask their use of stolen AWS API credentials.
As AWS explains, Amazon Virtual Private Cloud is a service that lets you launch AWS resources in a logically isolated virtual network.
Within a VPC, customers have extended control over their virtual networking environment: they can select their own IP address range, configure route tables and network gateways, and create subnets. Unfortunately, attackers can abuse that same control over IP addressing. An attacker who has compromised an account and created a new VPC endpoint can control the source IP address that is written to AWS CloudTrail logs.
“This can potentially enable an attacker to fool various security protections that rely on the CloudTrail logs, such as SIEMs and cloud security tools. In addition, analysts looking for evidence of an attack might miss it,” Hunters researchers noted.
Attackers can make their IP address look like an “organizational” public IP address, a third-party service provider’s public IP address, an employee “home” external IP address, or a special private, reserved, testing, or documentation-only IPv4 subnet block.
Attackers could make a malicious action seem as if it has been performed by an employee or evade detection by threat intelligence services.
“The technique does not affect the actual IAM permissions the attacker has when using victims’ compromised AWS API credentials. They can only make the API calls that the compromised credentials have IAM permissions for,” researchers noted.
By using this technique, attackers could bypass security measures that rely solely on AWS CloudTrail, the AWS service that records API activity in an account.
The researchers advise security teams not to rely on the contents of the “sourceIPAddress” field in the logs to detect attackers making API calls inside AWS, but instead to check the “vpcEndpointId” field.
“If you use VPC endpoints in your environment, the only significant difference between the logs created by legitimate actions and the attacker’s actions is the specific VPC endpoint IDs logged. We recommend addressing this use-case with more anomalous-based detection logic, detecting usage of a new VPC endpoint ID never seen before in the organization,” the researchers additionally advised.
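The detection logic the researchers recommend, as an added example that is not Hunters' own code: it walks CloudTrail records and flags any event routed through a VPC endpoint ID outside a baseline of known endpoints, ignoring `sourceIPAddress` entirely. The endpoint IDs, addresses and ARNs are constructed sample values; the only assumption about the log format is that CloudTrail records carry a top-level `vpcEndpointId` field when the call came through a VPC endpoint.

```python
"""Flag CloudTrail events that arrive via a VPC endpoint never seen before."""
import json

# Constructed baseline: endpoint IDs the organisation itself has created.
KNOWN_VPC_ENDPOINTS = {"vpce-0aaaaaaaaaaaaaaa1", "vpce-0bbbbbbbbbbbbbbb2"}

# Constructed sample records, trimmed to the fields the check needs. Note the
# first two share the same "organisational-looking" sourceIPAddress: only the
# endpoint ID tells the second (attacker-created endpoint) apart.
SAMPLE_RECORDS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "10.20.30.40",
     "vpcEndpointId": "vpce-0aaaaaaaaaaaaaaa1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "GetObject", "sourceIPAddress": "10.20.30.40",
     "vpcEndpointId": "vpce-0ffffffffffffffff9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]


def find_unknown_endpoint_events(records, known_endpoints):
    """Return (eventName, arn, vpcEndpointId) for events via an unknown endpoint.

    sourceIPAddress is deliberately not consulted: whoever created the
    endpoint chose the address range that gets logged, so it carries no trust.
    Events without a vpcEndpointId did not come through an endpoint at all.
    """
    hits = []
    for rec in records:
        vpce = rec.get("vpcEndpointId")
        if vpce is None or vpce in known_endpoints:
            continue
        hits.append((rec["eventName"], rec["userIdentity"]["arn"], vpce))
    return hits


def scan_cloudtrail_json(raw, known_endpoints):
    """Same check over a raw CloudTrail log file body: {"Records": [...]}."""
    return find_unknown_endpoint_events(json.loads(raw)["Records"], known_endpoints)


if __name__ == "__main__":
    for hit in find_unknown_endpoint_events(SAMPLE_RECORDS, KNOWN_VPC_ENDPOINTS):
        print("ALERT: API call via unknown VPC endpoint:", hit)
```

In practice the baseline would be built from the endpoint IDs already observed in the organisation's CloudTrail history (or from an inventory of endpoints via the EC2 API), and a hit on a never-seen endpoint is the anomaly to investigate.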