
Amazon GuardDuty Enhances Detection of EC2 Instance Credential Exfiltration


[This blog post was updated on Jan. 23rd to show how to use IMDSv2 instead of IMDSv1]

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3). Informed by a multitude of public and AWS-generated data feeds and powered by machine learning, GuardDuty analyzes billions of events in pursuit of trends, patterns, and anomalies that are recognizable signs that something is amiss. You can enable it with a click and see the first findings within minutes.

Today, we are adding to GuardDuty the ability to detect when your Amazon Elastic Compute Cloud (Amazon EC2) instance credentials are being used from another AWS Account. EC2 instance credentials are the temporary credentials made available through the EC2 metadata service to any applications running on an instance, when an AWS Identity and Access Management (IAM) role is attached to it.

What Are the Risks?
When your workloads deployed on EC2 instances access AWS services, they use an access key, a secret access key, and a session token. The secure mechanism to pass access key credentials to your workloads is to define the permissions required by your workload, create one or multiple IAM policies with these permissions, attach the policies to an IAM role and, finally, attach the role to the instance.

Any process running on an EC2 instance with a role attached can retrieve the security credentials by calling the EC2 metadata service v2 (IMDSv2): first a PUT request obtains a session token, then a GET request presents that token to read the credentials:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
{
  "Code" : "Success",
  "LastUpdated" : "2021-09-05T18:24:45Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AS...J5",
  "SecretAccessKey" : "r1...9m",
  "Token" : "IQ...z5Q==",
  "Expiration" : "2021-09-06T00:44:06Z"
}

These credentials are limited in time and in scope. They are valid for a maximum of six hours. They are limited to the scope of the permissions attached to the IAM role associated with the EC2 instance. The session token obtained by the first command is only valid on the instance on which it was generated.

All AWS SDKs are able to retrieve and renew such credentials automatically. No additional code is necessary in your application.
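To make the two-step flow above concrete without an EC2 instance, here is an added example (my own code, not AWS's and not part of the original post): a small in-memory model of the metadata endpoint that reproduces the IMDSv2 token rules the post relies on. A PUT with a TTL header (at most 21600 seconds) issues a session token, a GET for the role credentials must present that token, and a token is refused once its TTL has passed. The model also lets you compare the "optional" setting (IMDSv1 plain GETs still allowed) with "required" (IMDSv2 only), which is the difference the January update to this post is about. The names FakeImds, http_tokens and fetch_credentials, and the credential values, are constructed for the example.

```python
"""In-memory model of the EC2 instance metadata service (IMDS) credential path.

Added example, not AWS code. It simulates IMDSv2 semantics (session token
issued by PUT, required on GET, bounded TTL, refused when relayed through
a proxy) so the token rules can be exercised offline.
"""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
MAX_TTL = 21600  # six hours, the largest TTL IMDSv2 accepts

# Constructed credential document in the shape the post shows (not real keys).
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "EXAMPLESECRET",
    "Token": "EXAMPLESESSIONTOKEN",
}


class FakeImds:
    """http_tokens='optional' permits IMDSv1 (no token); 'required' enforces IMDSv2."""

    def __init__(self, http_tokens="required", role_name="role-name", now=time.time):
        if http_tokens not in ("optional", "required"):
            raise ValueError("http_tokens must be 'optional' or 'required'")
        self.http_tokens = http_tokens
        self.role_name = role_name
        self.now = now          # injectable clock so expiry can be tested
        self._tokens = {}       # session token -> expiry timestamp

    def request(self, method, path, headers=None):
        """Return (status, body) for one metadata request."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            return self._issue_token(headers)
        if method == "GET" and path == CREDS_PATH + self.role_name:
            if not self._authorized(headers):
                return 401, "Unauthorized"
            return 200, dict(FAKE_CREDS)
        return 404, "Not Found"

    def _issue_token(self, headers):
        # A request relayed by a proxy carries X-Forwarded-For; IMDSv2 refuses to
        # issue a token to it, which is what defeats simple request forwarding.
        if "x-forwarded-for" in headers:
            return 403, "Forbidden"
        ttl = headers.get("x-aws-ec2-metadata-token-ttl-seconds")
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return 400, "Bad Request"
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self.now() + int(ttl)
        return 200, token

    def _authorized(self, headers):
        token = headers.get("x-aws-ec2-metadata-token")
        if token is None:
            # A plain GET is only honored while IMDSv1 is still permitted.
            return self.http_tokens == "optional"
        expiry = self._tokens.get(token)
        return expiry is not None and self.now() < expiry


def fetch_credentials(imds, ttl=MAX_TTL):
    """The flow the post shows: PUT for a token, then GET the credentials with it."""
    status, token = imds.request(
        "PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    if status != 200:
        return status, None
    return imds.request(
        "GET", CREDS_PATH + imds.role_name, {"X-aws-ec2-metadata-token": token})


if __name__ == "__main__":
    v2 = FakeImds(http_tokens="required")
    print("plain GET under 'required':", v2.request("GET", CREDS_PATH + "role-name")[0])
    print("token flow under 'required':", fetch_credentials(v2)[0])
```

The practical takeaway is the pair of results printed at the end: with tokens required, a bare GET (the request shape a typical forwarded web request produces) gets a 401, while an application that performs the PUT-then-GET flow, as the SDKs do, still succeeds. On a real instance this setting is the instance metadata option `HttpTokens`; that option is not described in the post, so check the EC2 documentation for how to set it on your fleet.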

Now imagine that your application running on the EC2 instance is compromised and a malicious actor managed to access the instance's metadata service. The malicious actor would extract the credentials. These credentials carry the permissions you defined in the IAM role attached to the instance. Depending on your application, attackers might have the possibility to exfiltrate data from S3 or DynamoDB, to start or terminate EC2 instances, or even to create new IAM users or roles.

Since the launch of GuardDuty, it has detected when such credentials are used from IP addresses outside of AWS. Smart attackers therefore might hide their activity by operating from another AWS account, out of the sight of GuardDuty. Starting today, GuardDuty also detects when the credentials are used from other AWS accounts, inside the AWS network.

What Alerts Are Generated?
There are legitimate reasons why the source IP address communicating with AWS service APIs might be different from the EC2 instance IP address. Think about complex network topologies that route traffic to one or multiple VPCs; AWS Transit Gateway or AWS Direct Connect, for example. In addition, multi-Region configurations, or not using AWS Organizations, make it non-trivial to detect whether the AWS account using the credentials belongs to you or not. Large companies have implemented their own solutions to detect such security compromises, but these types of solutions are not easy to build and to maintain. Only a handful of organizations have the resources required to tackle this challenge. When they do so, they distract their engineering efforts from their core business. This is why we decided to address this.

Starting today, GuardDuty generates alerts when it detects a misuse of EC2 instance credentials. When the credentials are used from an affiliated account, the alert is labeled as medium-severity. Otherwise, a high-severity alert is generated. Affiliated accounts are accounts monitored by the same GuardDuty administrator account, also known as GuardDuty member accounts. They might be part of your organization or not.

In Practice
To learn how it works, let's capture and exfiltrate a set of EC2 credentials from one of my EC2 instances. I use SSH to connect to one of my instances, and I use curl to retrieve the credentials, as shown earlier:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
{
  "Code" : "Success",
  "LastUpdated" : "2021-09-05T18:24:45Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AS...J5",
  "SecretAccessKey" : "r1...9m",
  "Token" : "IQ...z5Q==",
  "Expiration" : "2021-09-06T00:44:06Z"
}

The instance has an IAM role with permissions allowing it to read S3 buckets in this AWS account. I copy and paste the credentials. Then I connect to another EC2 instance running in a different AWS account, not affiliated with the same GuardDuty administrator account. I use SSH to connect to that other instance, and then I configure the AWS CLI with the compromised credentials. I attempt to access a private S3 bucket.


# first verify I do not have access
[ec2-user@ip-1-1-0-79 ~]$ aws s3 ls s3://my-private-bucket

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

# then I configure the CLI using the compromised credentials
[ec2-user@ip-1-1-0-79 ~]$ aws configure
AWS Access Key ID [None]: AS...J5
AWS Secret Access Key [None]: r1...9m
Default region name [None]: us-east-1
Default output format [None]:

[ec2-user@ip-1-1-0-79 ~]$ aws configure set aws_session_token IQ...z5Q==

# finally, I attempt to access S3 again
[ec2-user@ip-1-1-0-79 ~]$ aws s3 ls s3://my-private-bucket
                     PRE folder1/
                     PRE folder2/
                     PRE folder3/
2021-01-22 16:37:48 6148 .DS_Store

Shortly after, I use the AWS Management Console to access GuardDuty in the AWS account from which I stole the credentials. I can verify that a high-severity alert was generated.

[Screenshot: GuardDuty EC2 credentials exfiltration alarm]

And So What?
Attackers may extract credentials when they have remote code execution (RCE) or a local presence on the instance, or by exploiting application-level vulnerabilities like Server Side Request Forgery (SSRF) and XML External Entity (XXE) injection. There are multiple methods to mitigate RCE or local access, including rebuilding the instances from a secured and patched AMI to eliminate remote access, rotating access credentials, and so on. When the vulnerability is at the application level, you or the application vendor are required to patch the application code to eliminate the vulnerability.

When you receive an alert indicating a risk of compromised credentials, the first thing to do is to verify the account ID. Is it one of your company's accounts or not? During the analysis, when the business case allows, you may terminate the compromised instances or shut down the application. This prevents the attacker from extracting renewed instance credentials upon expiration. When in doubt, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form or by writing to abuse@amazonaws.com. Provide all the necessary information, including the suspicious AWS account ID, logs in plaintext, and so on, when you submit your request.
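The response steps above (verify the remote account ID, decide whether to contain, report to AWS) can be turned into a repeatable triage routine. The following is an added example of my own, not AWS code and not part of the original post. It reads GuardDuty findings in JSON, keeps those of the instance-credential exfiltration family, checks the remote account against a constructed inventory of your own accounts, and attaches the actions the post recommends. The field paths (Service.Action.AwsApiCallAction.RemoteAccountDetails, Resource.AccessKeyDetails, Resource.InstanceDetails) and the finding-type prefix follow the GuardDuty finding format as I understand it; they are assumptions to confirm against a real finding in your account, and the sample findings and account IDs are constructed.

```python
"""Triage GuardDuty instance-credential exfiltration findings.

Added example, not AWS code. Field paths and the finding-type prefix are
assumed from the GuardDuty finding format; sample data is constructed.
"""
import json
from dataclasses import dataclass, field

# Assumed name of the finding family this detection belongs to.
EXFIL_PREFIX = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"

# Constructed inventory of the AWS account IDs that belong to our organization.
KNOWN_ORG_ACCOUNTS = {"111111111111", "222222222222"}


@dataclass
class Triage:
    finding_id: str
    severity: str
    access_key_id: str
    instance_id: str
    remote_account: str
    affiliated: bool      # monitored by the same GuardDuty administrator
    in_org: bool          # present in our own account inventory
    actions: list = field(default_factory=list)


def _get(doc, dotted, default=None):
    """Walk a dotted key path through nested dicts; missing keys yield default."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def severity_label(score):
    """Map GuardDuty's numeric severity to its low / medium / high bands."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage_finding(finding, known_accounts=KNOWN_ORG_ACCOUNTS):
    """Return a Triage for an exfiltration finding, or None for any other type."""
    if not str(finding.get("Type", "")).startswith(EXFIL_PREFIX):
        return None
    remote = _get(finding, "Service.Action.AwsApiCallAction.RemoteAccountDetails", {}) or {}
    remote_account = str(remote.get("AccountId", ""))
    in_org = remote_account in known_accounts
    # Step 1 of the post's guidance: verify the account ID.
    actions = ["Verify remote account %s against the organization account inventory"
               % (remote_account or "<unknown>")]
    if in_org:
        actions.append("Look for a legitimate cross-account path (Transit Gateway, "
                       "Direct Connect, proxies) before closing the finding")
    else:
        # Containment stops renewed credentials from being fetched after expiry.
        actions.append("Terminate the instance or stop the application so renewed "
                       "credentials cannot be retrieved")
        actions.append("Report the remote account ID and plaintext logs to AWS "
                       "Trust & Safety (abuse@amazonaws.com)")
    return Triage(
        finding_id=str(finding.get("Id", "")),
        severity=severity_label(float(finding.get("Severity", 0))),
        access_key_id=str(_get(finding, "Resource.AccessKeyDetails.AccessKeyId", "")),
        instance_id=str(_get(finding, "Resource.InstanceDetails.InstanceId", "")),
        remote_account=remote_account,
        affiliated=bool(remote.get("Affiliated", False)),
        in_org=in_org,
        actions=actions,
    )


def triage_json(text, known_accounts=KNOWN_ORG_ACCOUNTS):
    """Triage every exfiltration finding in a {"Findings": [...]} document or a bare list."""
    doc = json.loads(text)
    findings = doc.get("Findings", []) if isinstance(doc, dict) else doc
    results = [triage_finding(f, known_accounts) for f in findings]
    return [r for r in results if r is not None]


# Constructed sample findings (not real GuardDuty output).
SAMPLE_FINDINGS = json.dumps({"Findings": [
    {"Id": "f-1", "Type": EXFIL_PREFIX + ".InsideAWS", "Severity": 8.0,
     "Resource": {"AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE1"},
                  "InstanceDetails": {"InstanceId": "i-0000000000000001"}},
     "Service": {"Action": {"AwsApiCallAction": {"Api": "ListObjects",
         "RemoteAccountDetails": {"AccountId": "999999999999", "Affiliated": False}}}}},
    {"Id": "f-2", "Type": EXFIL_PREFIX + ".InsideAWS", "Severity": 5.0,
     "Resource": {"AccessKeyDetails": {"AccessKeyId": "ASIAEXAMPLE2"},
                  "InstanceDetails": {"InstanceId": "i-0000000000000002"}},
     "Service": {"Action": {"AwsApiCallAction": {"Api": "GetObject",
         "RemoteAccountDetails": {"AccountId": "222222222222", "Affiliated": True}}}}},
    {"Id": "f-3", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},
]})

if __name__ == "__main__":
    for t in triage_json(SAMPLE_FINDINGS):
        print(t.finding_id, t.severity, t.remote_account, "in_org=%s" % t.in_org)
        for a in t.actions:
            print("   -", a)
```

The account inventory is the piece that matters: an "affiliated" flag only tells you the account is monitored by the same GuardDuty administrator, so the routine keeps that separate from whether the account is in your own inventory and only recommends containment and an abuse report when it is not.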

Availability
This new capability is available in all AWS Regions at no additional cost. It is enabled by default when GuardDuty is already enabled on your AWS account.

Otherwise, enable GuardDuty now, and start the 30-day trial period.

— seb
