Account Jumping, Post infection persistency & Lateral Movement in AWS
Dan Amiga, Co-Founder and CTO
Dor Knafo, Security Research Leader
Agenda
- Infection
- Staying Undetected
- Lateral Movement
- Persistency
- Solutions
AWS Infection Potential
AWS CloudTrail
INFECTION
User Fault Infection
- Infected machines
- Phishing
- AWS S3
- Source Repo
Infection through 3rd party services
- AWS ECS task definition
- API calls to task definitions are recorded via CloudTrail
- Contains sensitive information (e.g. environment variables holding keys)
Infection through AWS
- Cloud Metadata
- Not only AWS
- Poisoned AMI
- Account leftovers: "Account Jumping"
SURVIVAL
Surviving key rotation or deletion
- AWS Security Token Service (STS)
- You cannot call any IAM APIs unless MFA authentication information is included in the request.
- You cannot call any STS API except AssumeRole.
DEMO
HIDE
Staying Undetected
- The obvious way to do it
- Delete the trails
- Stop the trails
$ aws cloudtrail delete-trail --name [trail-name]
$ aws cloudtrail stop-logging --name [trail-name]
Staying Undetected
- Disable multi-region logging
- At the same time disable global services logging (IAM)
$ aws cloudtrail update-trail --name [trail-name] --no-is-multi-region-trail --no-include-global-service-events
Staying Undetected
- Move your efforts to S3
- Delete the bucket
- Revoke CloudTrail's access
$ aws s3 rb s3://[bucket-name] --force
$ aws s3api put-bucket-policy --bucket [bucket-name] --policy file://modified-policy.json
Staying Undetected
- Move your efforts to S3
- AWS Lambda
- Trigger on every new file in the bucket
- Wins (almost) every race
- 1 month, 44640 minutes, 8928 Lambda invocations in total.
- Less than 0.01% of the free tier
Staying Undetected
- AWS Key Management Service
- Integrated with CloudTrail
- S3's Server Side Encryption (SSE)
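The trail-tampering calls in the slides above (StopLogging, DeleteTrail, UpdateTrail with multi-region or global-service events turned off, and bucket-level changes aimed at the trail's own log bucket) are exactly the events a defender should alert on. The following is an added example, not code from the deck: a small classifier run over constructed CloudTrail records; the bucket name in TRAIL_BUCKETS is a hypothetical placeholder.

```python
# Constructed CloudTrail records (not from the deck); real records carry more fields.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "main-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "main-trail", "isMultiRegionTrail": False,
                           "includeGlobalServiceEvents": False},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "org-cloudtrail-logs"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "requestParameters": {"bucketName": "scratch-data"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]

# Hypothetical name of the bucket that receives the trail's log files.
TRAIL_BUCKETS = {"org-cloudtrail-logs"}

# CloudTrail calls that reduce logging coverage outright.
TRAIL_TAMPER_EVENTS = {"DeleteTrail", "StopLogging", "UpdateTrail"}
# S3 calls that matter when aimed at the trail bucket: delete it, revoke
# CloudTrail's write access, or wire a Lambda trigger to every new object.
BUCKET_TAMPER_EVENTS = {"DeleteBucket", "PutBucketPolicy", "PutBucketNotification"}


def classify(record):
    """Return a one-line finding for a tampering event, or None."""
    name = record.get("eventName")
    source = record.get("eventSource")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        detail = ""
        if name == "UpdateTrail":
            if params.get("isMultiRegionTrail") is False:
                detail += " multi-region off;"
            if params.get("includeGlobalServiceEvents") is False:
                detail += " global-services off;"
            if not detail:
                return None  # other UpdateTrail changes are routine
        return f"{name} on trail {params.get('name')} by {actor}{detail}"
    if source == "s3.amazonaws.com" and name in BUCKET_TAMPER_EVENTS:
        bucket = params.get("bucketName")
        if bucket in TRAIL_BUCKETS:
            return f"{name} on trail bucket {bucket} by {actor}"
    return None


def find_tampering(records):
    return [f for f in (classify(r) for r in records) if f]
```

Because these events are delivered through the same trail an attacker is disabling, the check belongs in a separate account or in an EventBridge rule, not only in the log bucket the trail writes to.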
DEMO
LATERAL MOVEMENT
Explore the infected environment
- Direct Connect
- IAM
- Amazon support tickets
- S3
PERSISTENCY
Persistency
- Create new users (typosquatting for extra stealth)
- In response you'll receive an access key ID and a secret access key
- Up to two access keys per user
$ aws iam create-user --user-name [username]
$ aws iam create-access-key --user-name [username]
Persistency
- Creating a second access key is risky
- AWS Lambda, again!
- Create a second access key on newly created users, and post it back to you
Persistency
- Backdoor with new roles
- Use your new low-privilege tokens to assume the new roles.
- Create a Lambda that responds to role creation and adds a backdoor
- Register to UpdateAssumeRolePolicy to reintroduce backdoors that are removed.
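The two persistence patterns above, typosquatted IAM users and role trust policies widened to an outside principal, can both be caught by periodically reviewing IAM state rather than waiting for an event. This added example (not from the deck) checks a constructed trust policy for principals outside a hypothetical allow-list of account IDs and flags user-name pairs that differ by a single edit.

```python
import json
from itertools import combinations

# Hypothetical: the account IDs allowed to appear as trusted principals.
ALLOWED_ACCOUNTS = {"111111111111"}

# Constructed trust policy (not from the deck): the second statement is the
# backdoor, letting a principal in an outside account assume the role.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:user/outsider"},
     "Action": "sts:AssumeRole"}
  ]
}""")


def foreign_principals(policy, allowed=ALLOWED_ACCOUNTS):
    """AWS principals in Allow statements that belong to no allowed account."""
    found = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written without a list
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        if principal == "*":  # anyone may assume the role
            found.append("*")
            continue
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            parts = p.split(":")
            # ARNs carry the account in field 4; a bare 12-digit ID is also a valid principal
            account = parts[4] if len(parts) >= 5 else p
            if account not in allowed:
                found.append(p)
    return found


def typosquat_pairs(usernames):
    """Pairs of IAM user names one edit apart, e.g. 'deploy-user' and 'deploy_user'."""
    def one_edit(a, b):
        if len(a) == len(b):
            return sum(x != y for x, y in zip(a, b)) == 1
        shorter, longer = sorted((a, b), key=len)
        return len(longer) - len(shorter) == 1 and any(
            longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return [(a, b) for a, b in combinations(sorted(usernames), 2) if one_edit(a, b)]
```

In practice the policy would come from iam:GetRole and the user list from iam:ListUsers; an UpdateAssumeRolePolicy or CreateRole event is the natural trigger to re-run the first check.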
Persistency
Persistency
- Virtual Private Cloud
- Security Group
- Use a public endpoint and AWS Lambda to bypass the security group
- SQS, AWS Gateway API, AWS S3 (with VPC endpoint)
Persistency
DEMO
SOLUTIONS
Solutions
- Awareness, and develop a unique skillset for your environment
- Stateless architecture with a focus on data protection
- Leverage strong account separation (dev, production1, production2)
- CASB solutions will mature into dedicated PaaS/IaaS offerings
- Automation via code, CloudFormation, Docker, etc. so the environment can be recreated from scratch
Q&A