Exfiltration Unseen: How Attackers Exploit AWS Snapshots
Cyngular Security
Built to Enhance, Not Replace Your Current Cloud Security Stack
...And 12 Cybersecurity Posts from around LinkedIn
In this Issue
Foreword | 12 Posts on Cyber | Featured Leader | From Cyngular's Founder | Afterword
Foreword
We're excited to share 12 more posts about cybersecurity from across LinkedIn. Useful content this week includes the rise in ransom attacks on the manufacturing industry, a useful IT risk assessment checklist, and the importance of cloud security posture management.
We highlight a Featured Leader again this week.
Finally, a piece from Cyngular Security which highlights how attackers exploit snapshots in AWS, why it can be difficult to uncover, and what organizations can do to mitigate this threat.
We're happy to send out our thirty-second issue, written to deliver content of value that is easily digestible.
We welcome all feedback, submissions, and input from our readers. If you have questions, submissions, or concerns, contact Rebecca Fera.
12 Posts on Cyber
Useful LinkedIn Posts This Week in Cybersecurity
A recent article entitled, “Bringing Security Out of the Shadows”, was shared and written by Chris H. on shadow usage in cybersecurity
G M Faruk Ahmed, CISSP, CISA underscored an interesting article on the increasing threat of deep fake technology and its risks within cybersecurity
A breakdown of the staggering rise in ransom attacks on the manufacturing industry, underscored by Dr. Atif Ali
Aditi Patil shared her weekly cybersecurity update, diving into exploits and payloads in a step-by-step breakdown
Joussef Bassim compiled a useful IT risk assessment checklist
An article entitled, "Ransomware in 2024: Trends and Defense Strategies", written and shared by Aditya Hemant Chine
The importance of cloud security posture management, detailed in a helpful article by Surendra Bairagi
Ana Paula Calistro's recent article highlighted the need to understand cybercriminal tactics to combat cybercrime
Featured Leader
Sourabh Chakraborty
Currently a TPRM (Third-Party Risk Management) Manager at 安永 (EY), Sourabh Chakraborty, CISA, CISM, CRISC (Q), is a seasoned professional in Third-Party Risk Management and Information Security with over 10 years of experience. His experience spans mitigating risks, building robust vendor risk management programs, and ensuring compliance with global regulatory standards. His expertise lies mainly in bridging the gap between security, operations, and business goals by implementing strategic solutions that safeguard critical assets and enhance operational efficiency. In his current role, Sourabh manages TPRM engagements related to the client's third-party service providers.
In a recent post made by Sourabh, he discusses that compliance with regulations like GDPR and DORA is crucial for businesses to safeguard data and maintain operational resilience. Read the full post here.
Sourabh is another featured leader we are happy to share with you this week.
From Cyngular's Research Team
In cloud environments, data exfiltration often presents a significant risk to organizations. Among the many ways attackers can exfiltrate sensitive data, leveraging snapshots in AWS is particularly stealthy and can lead to serious consequences. This article explores how attackers exploit snapshots, why it can be difficult to uncover, and what organizations can do to mitigate this threat.
What Are Snapshots in AWS?
In this context, snapshots are point-in-time copies of EBS (Elastic Block Store) volumes, the block devices that hold application data such as databases and file systems. Snapshots are incremental, outlive the instance that created them, and are used for backup and recovery, for copying a volume into another region, and for cloning environments. A snapshot can be shared with specific AWS accounts or made public, and any account it is shared with can create volumes from it or copy it into its own account. One constraint matters for what follows: a snapshot encrypted with the default AWS-managed EBS key cannot be shared at all, while one encrypted with a customer-managed KMS key can be shared only if the key policy also grants the recipient account access to that key.
How Attackers Exfiltrate Snapshots
1. Creating and Sharing Snapshots with a Compromised Account
One common method is to create snapshots of EBS volumes and share them with an account outside the organization. Sharing is a single API call: ModifySnapshotAttribute adds the recipient account ID to the snapshot's createVolumePermission list. An attacker with sufficient permissions in a compromised account can snapshot any volume of interest, such as a database or file-server volume, share it with an account they control, and then, from that account, run CopySnapshot (or CreateVolume and attach the result to an instance) to obtain a complete copy of the data. For encrypted volumes there is an extra hurdle: a snapshot under the default EBS key cannot be shared, and one under a customer-managed key also needs the recipient granted in the key policy. An attacker who can edit key policies, or who can copy the snapshot while re-encrypting it under a key they control, removes that obstacle.
2. Cross-Region Replication of Snapshots
Another tactic is to copy the snapshot into a different region with CopySnapshot. CloudTrail records the copy in the destination region, so a single-region trail or an alert rule that only covers the organization's primary region never sees it. Once the copy sits in a region nobody watches, the attacker can share it from there, or read it directly with the EBS direct APIs (ListSnapshotBlocks and GetSnapshotBlock), which return snapshot contents block by block without ever creating a volume. Either way the unauthorized movement of data is hard to track because it never passes through the region where monitoring is concentrated.
3. Using IAM Roles and Temporary Credentials
Attackers who compromise an IAM role, or a principal allowed to assume one, use the role's temporary credentials to create and share snapshots. Temporary credentials do leave evidence: CloudTrail logs the AssumeRole call and records every subsequent action with a userIdentity of type AssumedRole, whose sessionContext.sessionIssuer names the role. What they provide is cover rather than invisibility. The actions look like ordinary activity of a role that may legitimately snapshot volumes every night, the credentials expire on their own so there is nothing to rotate, and when roles are chained across accounts the originating identity is several hops back in the trail. An attacker who can create roles may also create one with a deliberately narrow-looking policy that still includes the snapshot actions, so it survives a casual permissions review.
Why Is It So Difficult to Uncover?
1. Legitimate Use Cases Make Detection Challenging
Snapshots are commonly used for backup, disaster recovery, and environment scaling. Because of their legitimate applications, the creation and sharing of snapshots might not raise immediate red flags. Without proper monitoring, distinguishing between normal activity and malicious behavior can be extremely difficult.
2. Lack of Visibility Across Accounts and Regions
AWS accounts often span multiple regions, making it easy for attackers to operate in regions not actively monitored. Furthermore, security teams may focus on the primary account without accounting for the possibility of data being shared or copied to external accounts. This lack of cross-account and cross-region visibility can lead to missed exfiltration attempts.
3. Stealthy IAM Role Exploitation
Attackers may use layered techniques to exploit IAM roles, such as chaining role assumptions across accounts and services or assuming a role only for the minutes the copy takes. These actions can be hard to trace back to a human, particularly when the roles involved perform snapshot-related tasks as part of their normal operation, so the malicious calls blend into a baseline that already contains CreateSnapshot and CopySnapshot.
Relevant MITRE ATT&CK Techniques
The techniques related to AWS snapshot exfiltration align closely with the MITRE ATT&CK framework:
T1552.005 - Unsecured Credentials: Cloud Instance Metadata API: attackers on a compromised EC2 instance query the instance metadata service to obtain the instance role's temporary credentials, which then let them call the snapshot APIs with that role's permissions.
T1530 - Data from Cloud Storage: this technique covers collection of data from cloud storage services, which for AWS includes the contents of EBS snapshots.
T1078 - Valid Accounts: Attackers leverage valid accounts, including stolen credentials, to create snapshots and share them externally.
T1537 - Transfer Data to Cloud Account: Attackers might transfer data by creating snapshots and copying them to different accounts or regions.
Why Snapshot Exfiltration Can Be a Game Over
Snapshot exfiltration can lead to "game over" scenarios for several reasons:
Direct Access to Critical Data: Snapshots contain the exact data from volumes, including databases, sensitive files, and application configurations. An attacker who exfiltrates a snapshot essentially obtains a copy of all the data on the volume, which can include sensitive information, customer data, intellectual property, and more.
Low Detection: if the attacker configures automatic replication or sharing, for example an Amazon Data Lifecycle Manager policy that copies new snapshots to another region and shares them with an external account, fresh data keeps flowing out on a schedule, and each later transfer looks like the policy doing its job rather than a new action by the attacker. Once the data is out of the organization's control, it becomes difficult to assess the scope of the breach, let alone contain it.
Further Attacks Enabled by Stolen Data: Access to sensitive data can lead to subsequent attacks, such as ransomware, financial fraud, or identity theft, amplifying the damage beyond the initial data breach.
Mitigation Strategies
Implement Least Privilege IAM Policies
Ensure that IAM roles and users only have the permissions they need. Restrict ec2:CreateSnapshot, ec2:CopySnapshot, and ec2:ModifySnapshotAttribute to the roles that actually run backups, and treat ec2:ModifySnapshotAttribute as the sensitive one, since it is the call that shares. A service control policy or permissions boundary that denies ec2:ModifySnapshotAttribute outside a short allow-list of backup roles stops sharing even when an individual user ends up over-privileged. Keep kms:PutKeyPolicy and kms:CreateGrant equally tightly held, because sharing an encrypted snapshot also requires granting the recipient access to the key.
Enable CloudTrail and Monitor Snapshot Operations
Use AWS CloudTrail, with a multi-region or organization trail so that activity in every region is captured, and alert on the snapshot API calls: CreateSnapshot, CopySnapshot, and above all ModifySnapshotAttribute with attributeType CREATE_VOLUME_PERMISSION and an add list containing an account ID outside your organization or the group all. There is no ShareSnapshot API; sharing is always a ModifySnapshotAttribute call. CloudTrail also writes SharedSnapshotCopyInitiated and SharedSnapshotVolumeCreated events into the sharing account when a recipient copies a shared snapshot or creates a volume from it, which is the last chance to notice data leaving. Alerts on these events let security teams respond while the attacker is still mid-copy.
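The detection logic described in this section and in the attack section above, as an added example that is not part of the original piece: it runs over constructed CloudTrail records (made-up IDs; field names follow the CloudTrail record schema as documented, so verify the shapes against your own logs) and flags a share to an untrusted account, a public share, and a copy into a region outside the monitored set, attributing each to the calling principal, including the issuing role behind temporary credentials. The account IDs, region list, and role and user names are assumptions.

```python
"""Flag suspicious EBS snapshot activity in CloudTrail management events.

Runs offline over constructed sample records (not real logs). Field names follow
the CloudTrail record schema as I understand it; every value is made up.
"""
import json

OWN_ACCOUNT = "111111111111"               # assumed: the monitored account
TRUSTED_ACCOUNTS = {"222222222222"}        # assumed: accounts allowed to receive shares
HOME_REGIONS = {"us-east-1", "us-west-2"}  # assumed: regions the team actively monitors


def _user(name):
    """Constructed userIdentity for a long-lived IAM user."""
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{OWN_ACCOUNT}:user/{name}"}


def _role(name, session):
    """Constructed userIdentity for temporary credentials obtained via AssumeRole."""
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{OWN_ACCOUNT}:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{OWN_ACCOUNT}:role/{name}"}}}


def _share(snapshot_id, *items):
    """requestParameters of a ModifySnapshotAttribute call that adds share entries."""
    return {"snapshotId": snapshot_id, "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": list(items)}}}


# Constructed sample events, in the order a trail would deliver them.
SAMPLE_EVENTS = [
    {"eventName": "CreateSnapshot", "awsRegion": "us-east-1", "userIdentity": _user("backup-bot"),
     "requestParameters": {"volumeId": "vol-0aaa", "description": "nightly"}},
    {"eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1", "userIdentity": _user("backup-bot"),
     "requestParameters": _share("snap-0aaa", {"userId": "222222222222"})},      # trusted account: no finding
    {"eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1",
     "userIdentity": _role("ci-deploy", "i-0123456789abcdef0"),
     "requestParameters": _share("snap-0bbb", {"userId": "999999999999"})},      # share to attacker account
    {"eventName": "CopySnapshot", "awsRegion": "eu-west-3",
     "userIdentity": _role("ci-deploy", "i-0123456789abcdef0"),
     "requestParameters": {"sourceRegion": "us-east-1", "sourceSnapshotId": "snap-0bbb",
                           "destinationRegion": "eu-west-3"}},                    # copy into unmonitored region
    {"eventName": "ModifySnapshotAttribute", "awsRegion": "us-east-1", "userIdentity": _user("contractor"),
     "requestParameters": _share("snap-0ccc", {"group": "all"})},                # made public
]


def principal(event):
    """Who made the call. Temporary credentials are still attributed: an AssumedRole
    identity carries the issuing role under sessionContext.sessionIssuer."""
    ui = event.get("userIdentity", {})
    if ui.get("type") == "AssumedRole":
        issuer = ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "?")
        session = ui.get("arn", "").rsplit("/", 1)[-1]
        return f"{issuer} via session {session}"
    return ui.get("arn", "?")


def analyze(events, own_account, trusted_accounts=(), home_regions=()):
    """Return findings (kind, snapshot, region, target, principal) for the three patterns."""
    findings = []
    for ev in events:
        name, region = ev.get("eventName"), ev.get("awsRegion")
        rp = ev.get("requestParameters") or {}
        who = principal(ev)
        if name == "ModifySnapshotAttribute":
            items = ((rp.get("createVolumePermission") or {}).get("add") or {}).get("items", [])
            for item in items:
                if item.get("group") == "all":
                    kind, target = "PUBLIC_SHARE", "all"
                elif item.get("userId") and item["userId"] != own_account \
                        and item["userId"] not in trusted_accounts:
                    kind, target = "EXTERNAL_SHARE", item["userId"]
                else:
                    continue  # share to ourselves or to an allow-listed account
                findings.append({"kind": kind, "snapshot": rp.get("snapshotId"), "region": region,
                                 "target": target, "principal": who})
        elif name == "CopySnapshot":
            # The copy is logged in the destination region; flag leaving the watched set
            # or any cross-region move at all.
            src = rp.get("sourceRegion")
            if region not in home_regions or (src and src != region):
                findings.append({"kind": "CROSS_REGION_COPY", "snapshot": rp.get("sourceSnapshotId"),
                                 "region": f"{src}->{region}", "target": region, "principal": who})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, OWN_ACCOUNT, TRUSTED_ACCOUNTS, HOME_REGIONS):
        print(json.dumps(f))
```

In production the same function runs over CloudTrail objects pulled from the S3 bucket of a multi-region trail (each file is a JSON document with a Records list), or as the body of a Lambda subscribed to the trail's log group.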
Regularly Audit and Review IAM Roles
Regular audits of IAM roles and permissions help identify excessive privileges and potential security gaps. Use AWS IAM Access Analyzer, which reports EBS snapshots (along with other resources) shared with principals outside your zone of trust, and review its findings alongside the policies that grant ec2:ModifySnapshotAttribute and ec2:CopySnapshot to see which roles could share or move data in the first place.
Monitor Cross-Account Sharing of Snapshots
Periodically list your snapshots (aws ec2 describe-snapshots --owner-ids self) and, for each one, check its share list with aws ec2 describe-snapshot-attribute --attribute createVolumePermission; describe-snapshots alone does not show who a snapshot is shared with. Anything shared with an account you do not recognize, or with the group all (public), should be treated as a potential exfiltration and revoked with modify-snapshot-attribute using --operation-type remove. Turn on block public access for EBS snapshots at the account level (aws ec2 enable-snapshot-block-public-access --state block-all-sharing) so public sharing is refused outright, and alert on any cross-account share so the team can react quickly.
Afterword
That's all for this week's newsletter. Our next issue will include another piece from Cyngular's Founder, a Featured Leader, and a new batch of 12 useful posts. Connect with us if you have anything to submit for our next issue or want to know more about Cyngular.
Notice:
The posts in this issue reflect the views only of the individual LinkedIn users and do not reflect the views of Cyngular Security, its employees, or any other entities. The links shared in this issue were written by LinkedIn users and do not constitute an endorsement of Cyngular Security, any other entities, or this newsletter by those users, entities, or the "Featured Leader."
Reach out to Rebecca Fera if you have any concerns about CISO Signal.