Exfiltration EBS Snapshot¶
Storyline¶
The threat actor discovered leaked credentials in an open-source code repository and targeted a major organization’s AWS environment.
The attacker conducted reconnaissance to identify weaknesses for exploitation.
The leaked IAM credentials were over-privileged, which allowed the attacker to backdoor an existing IAM role by adding an external AWS account to its trust policy. The role could then be assumed from that attacker-controlled account, creating a hidden backdoor with privileged access.
The attacker could now maintain a connection even if their initial compromised credentials were detected and access was restricted.
To avoid detection, the attacker used the compromised IAM credentials to disable AWS CloudTrail, ensuring their activities remained untraceable during the compromise.
With CloudTrail temporarily disabled, the attacker proceeded toward their ultimate objective, which involved exfiltrating valuable data from the organization’s EC2 instances.
The attacker achieved this by sharing the EBS snapshot containing the stolen data with an AWS account under their control, effectively concealing the exfiltration.
Attack simulation chain of attack¶
Technique: Backdoor an IAM Role
MITRE ATT&CK Tactic: Persistence
Detect for AWS Detection: AWS Suspect External Access Granting, AWS Suspect Admin Privilege Granting
Description: The attacker establishes persistence by backdooring an existing IAM role so that it can be assumed from an external AWS account. This keeps a way back into the AWS account even if the compromised IAM user credentials are detected and access is cut off.
Technique: Stop CloudTrail Trail
MITRE ATT&CK Tactic: Defense Evasion
Detect for AWS Detection: AWS Security Tools Disabled
Description: The attacker uses the compromised IAM credentials to disable AWS CloudTrail, aiming to evade detection throughout the compromise. By degrading, disabling, or bypassing security controls, attackers can advance towards their objectives with greater ease. To counter this, Vectra recommends granting the cloud sensor access to the organization’s CloudTrail trail rather than to a trail owned by the compromised account. Disabling CloudTrail at the compromised account level then does not affect sensor ingestion, and Vectra continues to monitor and detect suspicious activity.
Technique: Exfiltrate EBS Snapshot by Sharing It
MITRE ATT&CK Tactic: Exfiltration
Detect for AWS Detection: AWS Suspect Public EBS Change
Description: The attacker reaches her goal by exfiltrating an EBS snapshot by sharing it with an external attacker-managed AWS account. Exfiltration of EC2 snapshots by an attacker may expose details that support further attack progression. An impacted organization may have incurred data loss, affecting the confidentiality of sensitive information in the impacted EC2 instances.
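Each of the three techniques above leaves a distinct CloudTrail management event: UpdateAssumeRolePolicy for the role backdoor, StopLogging (or DeleteTrail) for the trail shutdown, and ModifySnapshotAttribute with a createVolumePermission addition for the snapshot share. The block below is an added example, not code from this lab or Vectra's own detection logic: a small detector that walks CloudTrail-style records and flags those three patterns. The records, the HOME_ACCOUNT value, the account IDs, the role and trail names and the snapshot ID are all constructed for the example; the requestParameters layouts follow CloudTrail's record format as I know it.

```python
import json
from urllib.parse import unquote

# Account that owns the monitored environment (assumed value for this example).
HOME_ACCOUNT = "111111111111"


def _trust_policy_accounts(policy_doc):
    """Return the set of account ids (or '*') named as AWS principals in a trust policy."""
    accounts = set()
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written without a list
        stmts = [stmts]
    for stmt in stmts:
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            # "arn:aws:iam::222222222222:root" -> "222222222222"; bare ids pass through.
            parts = p.split(":")
            accounts.add(parts[4] if len(parts) > 4 else p)
    return accounts


def check_role_backdoor(event):
    """Persistence: UpdateAssumeRolePolicy that lets a foreign account assume the role."""
    if event.get("eventName") != "UpdateAssumeRolePolicy":
        return None
    params = event.get("requestParameters", {})
    # CloudTrail stores the new trust policy as a JSON string (sometimes URL-encoded).
    policy = json.loads(unquote(params.get("policyDocument", "{}")))
    external = sorted(_trust_policy_accounts(policy) - {HOME_ACCOUNT})
    if external:
        return f"role {params.get('roleName')} now trusts external principal(s): {', '.join(external)}"
    return None


def check_trail_disabled(event):
    """Defense evasion: a trail stopped or deleted. The StopLogging call itself is still
    recorded, which is what makes this detectable after the fact."""
    if event.get("eventName") in ("StopLogging", "DeleteTrail"):
        return f"{event['eventName']} on trail {event.get('requestParameters', {}).get('name')}"
    return None


def check_snapshot_shared(event):
    """Exfiltration: createVolumePermission added for a foreign account or for 'all' (public)."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    params = event.get("requestParameters", {})
    items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    targets = []
    for item in items:
        if item.get("group") == "all":
            targets.append("public")
        elif item.get("userId") and item["userId"] != HOME_ACCOUNT:
            targets.append(item["userId"])
    if targets:
        return f"snapshot {params.get('snapshotId')} shared with: {', '.join(targets)}"
    return None


CHECKS = (check_role_backdoor, check_trail_disabled, check_snapshot_shared)


def scan(records):
    """Return (eventName, finding) for every record that trips one of the checks."""
    findings = []
    for rec in records:
        for check in CHECKS:
            msg = check(rec)
            if msg:
                findings.append((rec["eventName"], msg))
    return findings


def sample_records():
    """Constructed CloudTrail-style records: the three techniques plus benign noise."""
    backdoored_trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{HOME_ACCOUNT}:root",
                                  "arn:aws:iam::222222222222:root"]},
            "Action": "sts:AssumeRole",
        }],
    }
    return [
        {"eventName": "DescribeInstances", "requestParameters": {}},
        {"eventName": "UpdateAssumeRolePolicy",
         "requestParameters": {"roleName": "lab-admin-role",
                               "policyDocument": json.dumps(backdoored_trust)}},
        {"eventName": "StopLogging",
         "requestParameters": {"name": "arn:aws:cloudtrail:us-west-2:111111111111:trail/main"}},
        {"eventName": "ModifySnapshotAttribute",
         "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                               "attributeType": "CREATE_VOLUME_PERMISSION",
                               "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    ]


if __name__ == "__main__":
    for name, finding in scan(sample_records()):
        print(f"[{name}] {finding}")
```

Two points worth keeping in mind when running logic like this against real trails. The StopLogging event is written before the trail stops, so the defense-evasion step is visible even though everything after it in that trail is not; and a trail owned outside the compromised account, such as an organization trail, keeps recording regardless, which is the reason the lab recommends feeding the sensor from the organization's trail. The snapshot check treats a `group: all` grant as public and any `userId` other than HOME_ACCOUNT as external; the role check does the same for trust-policy principals.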
Prerequisite¶
Create an IAM user and assign Administrator permissions to the user. It’s best to create a separate IAM user instead of using your AWS federated identity for each attack simulation. This approach helps track and identify all activities associated with a specific attack simulation by attributing them to the corresponding user. IAM User Creation Guide
Recommended name for IAM user: YOUR_INITIALS-exfiltrate-ebs-snapshot
Configure AWS profile using the IAM user credentials.
Run the following command to start the AWS CLI configuration process:
aws configure --profile REPLACE_WITH_YOUR_INITIALS-exfiltrate-ebs-snapshot
Enter your AWS Access Key ID and Secret Access Key when prompted.
These credentials are obtained from IAM user created above.
Make sure the IAM user associated with these credentials has Administrator permissions.
AWS Access Key ID [None]: REPLACE_WITH_IAM_USER_ACCESS_KEY_ID
AWS Secret Access Key [None]: REPLACE_WITH_IAM_USER_SECRET_ACCESS_KEY
Specify the AWS region and output format with the following values when prompted.
Default region name [None]: us-west-2
Default output format [None]: json
You can verify the configuration by running the following command:
aws s3 ls --profile REPLACE_WITH_YOUR_INITIALS-exfiltrate-ebs-snapshot
Executing Attack Simulation Instructions:¶
Execute exfiltration ebs snapshot attack simulation
export AWS_PROFILE=REPLACE_WITH_YOUR_INITIALS-exfiltrate-ebs-snapshot
export AWS_DEFAULT_REGION=us-west-2
cd attack_simulations/
bash ./exfiltration_ebs_snapshot.sh
Note
Be prepared to provide the screenshot as proof of completing this exercise if requested
Access Vectra’s platform.
Navigate to the Respond page on the platform to locate your IAM user.
If you have followed the recommended naming convention, you can use “YOUR_INITIALS-exfiltrate-ebs-snapshot” as a contains search filter. This will help you locate the user more quickly.
Click on the compromised user’s name to access the Account Detections screen.
Take a screenshot of the Account Detections screen.
AWS Suspect External Access Granting
AWS Suspect Admin Privilege Granting
AWS Security Tools Disabled
AWS Suspect Public EBS Change