Massive PII Data Leak Resulting from SSRF Attack on EC2 Instance Using IMDSv1

Introduction:

A multi-phased attack which involved infrastructure scanning, reconnaissance & further abuse of the underlying abstraction layers offered by cloud-hosted platforms.

I have tried to map it with MITRE ATT&CK Framework to capture the different stages of the attack.

Reconnaissance:

The attacker targeted the attack with reconnaissance to see the publicly exposed assets of the victim to identify if there are any vulnerabilities?or misconfigurations to take advantage of.

The attacker noticed that the victim had an AWS infrastructure hosting Adminer. .

• Adminer is a popular database management tool used to link web applications with cloud database instances.?
• It is also a tool written in PHP.?
• The attacker was able to fingerprint the version of the adminer during his reconnaissance phase.?
• The attacker found the adminer tool is running on version 4.0-4.7.9 which is vulnerable to CVE-2021-21311, a SSRF attack.

Now the attacker shifted the gear to perform deep level reconnaissance which helped them to exploit the web server.

Exploitation & C&C phase:

1. The attacker hosted a pre-configured web server on a relay box with a 301 redirect script back to the?https://169.254.169.254/latest/meta-data/iam/security-credentials/

2. Through the adminer interface, the attacker entered the address of the relay box hosting the redirect script and then pressed the login button.

3. This maneuver deceived the targeted server into succumbing to a 301 redirect attack. Let us understand what a 301 redirect is.

• A 301 redirect is an HTTP status code that redirects users (and search engines) from one page to another. It indicates that a page has moved permanently. It also passes ranking power from the old URL to the new one.
• The attacker found that the EC2 instance metadata was enabled but did not require Http tokens.

Credentials Theft:

Because of the above, the victim's server returned an error which included the redirect output, which contained the AWS API credentials belonging to the victim (IMDSv1 vulnerability). AWS Instance Metadata Service (IMDS) provides the complete metadata of your instance. It presents all the necessary information required for configuring and managing the instance. The retried metadata included information to understand configuration, topology, and even obtain user role and credentialing.

From the response of the IMDS, the attacker got hold of AWS API credentials. Since least privilege was not followed and the access key has the admin privileges.

Lateral Movement:

Once the keys are there with the hands of the attacker, the attacker tried laterally move within the cloud estate and found some sensitive S3 buckets holding millions of PII data.

Exfiltration:

Using the AWS API credentials, the attacker targeted a S3 bucket which had millions of PII data which was exfiltrated and this turned out to be one of the worst nightmares of the cloud security breaches.

Lessons learned:?

1. Mitigation through IMDSv2 Update: This type of attack can be effectively countered by transitioning to IMDSv2. IMDSv2 offers protection by generating a token through a PUT statement, which is subsequently utilized and validated for all IMDS requests via a dedicated header
2. Inadequate IAM Role/Credential Boundaries: The scope of access attributed to IAM roles/credentials for S3 buckets was not properly restricted.
3. Unrestricted Internet-based Credential Usage: The absence of controls allowed credentials to be leveraged directly from the internet, exacerbating the vulnerability.
4. Lack of Outbound Traffic Filtering: The omission of internet egress filtering resulted in unimpeded outbound server traffic, facilitating potential data exfiltration.
5. Absence of S3 Bucket Policies: The implementation of S3 Bucket Policies, which could have further confined access to the S3 Bucket, was omitted.
6. Unrestricted Service Ports: Failure to limit inbound and outbound service ports added to the overall exposure of the server."

Conclusion:

So, here's the scoop: I've got this knack for tuning into what's going on in your noggin. And guess what? It's not all that hard to spot! But wait, there's more – we can totally automate the whole detection shindig.

If you're curious to dive deeper into this mind-bending territory, just give me a shout. I'm all ears and ready to spill the beans on some seriously slick methods to handle these mind-reading scenarios like a champ. Hit me up anytime!

I hope you find this article useful and informative. If you're vibing with what you read, a comment or a thumbs-up would seriously make my day. Let's team up and make sure folks all around the world are in the know, so they can shield their cloud gear from those pesky attacks. Your two cents could be a game-changer!

--

Best Regards,

Vignesh Kannan

Cyber Security Evangelist