us-16-Amiga-Knafo: Account Jumping, Post Infection Persistency & Lateral Movement in AWS (Black Hat USA 2016 slide deck, Dan Amiga and Dor Knafo)
Slide 1: Account Jumping, Post Infection Persistency & Lateral Movement in AWS
Dan Amiga, Co-Founder and CTO
Dor Knafo, Security Research Leader
Slide 3: Agenda
• Two minutes about AWS security
• Infection
• Survival + Persistency
• Remaining Undetected
• Lateral Movement
• Solutions
Slide 4: QUICK INTRO
Slide 5: AWS Infection Potential
Slide 6: AWS Infection Potential (diagram)
Services in scope: Identity and Access Management (IAM), EC2, Lambda, S3
Slide 7: AWS Primary Auditing Capability - CloudTrail
Diagram: API calls made against S3, Virtual Private Cloud, Lambda and EC2 are recorded by CloudTrail, which delivers the log files to the CloudTrail S3 bucket in batches (the slide shows a 5 min delivery delay, so the bucket always lags live activity).
Slide 8: INFECTION
Slide 9: User Fault Infection
Diagram of user-side infection vectors: infected machines, phishing, AWS S3, source repo (the last two as places where credentials get left behind).
Slide 10: Infection through AWS
Vectors: Cloud Metadata (the EC2 instance metadata service, which hands the instance role's temporary credentials to any process on the instance), Poisoned AMI (launching from an image someone else pre-seeded), Account Jumping.
Slide 11: Infection through 3rd party services
• AWS ECS task definition
• The API call that registers a task definition is recorded by CloudTrail, request parameters included
• Those parameters carry the container definitions, so secrets passed as environment variables (e.g. access keys) land in the trail in clear text, readable by anyone with access to the CloudTrail bucket, third-party services you granted log access included
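The check a defender would run for this slide's point: scanning a task definition (or the requestParameters of a RegisterTaskDefinition record pulled from the trail) for credentials passed as plain environment variables. This is an added example, not code from the talk; the task definition is constructed, uses AWS's documented example key pair, and the `secrets`/`valueFrom` entry shows the form that keeps the value out of the trail (resolved from SSM Parameter Store or Secrets Manager when the task starts).

```python
"""Flag credentials passed to ECS containers as plain environment variables.
Added example, not from the slides. The sample below is constructed in the
shape of a RegisterTaskDefinition record's requestParameters."""
import re

# Long-term access key IDs start with AKIA, temporary ones with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
# Secret access keys are 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
# Names that usually carry a secret, whatever the value looks like.
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|ACCESS_KEY|API_KEY", re.I)

# Constructed sample (made-up family name, AWS's documented example key pair).
SAMPLE_EVENT = {
    "eventSource": "ecs.amazonaws.com",
    "eventName": "RegisterTaskDefinition",
    "requestParameters": {
        "family": "billing-worker",
        "containerDefinitions": [{
            "name": "worker",
            "environment": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                {"name": "AWS_SECRET_ACCESS_KEY",
                 "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                {"name": "LOG_LEVEL", "value": "info"},
            ],
            # The safe form: a reference resolved at task start, so the trail
            # only ever sees the parameter ARN, never the value.
            "secrets": [{"name": "DB_PASSWORD",
                         "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/billing/db"}],
        }],
    },
}


def classify_value(name, value):
    """Why a variable looks like a leaked secret, or None."""
    if ACCESS_KEY_ID_RE.match(value):
        return "AWS access key ID"
    if SECRET_KEY_RE.match(value):
        return "AWS secret access key (40-char base64)"
    if SECRET_NAME_RE.search(name) and value:
        return "secret-looking variable name"
    return None


def find_plaintext_secrets(task_definition):
    """Walk every container's `environment` list; `secrets` entries are
    references rather than values, so they are skipped on purpose."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        for var in container.get("environment", []) or []:
            reason = classify_value(var.get("name", ""), var.get("value", ""))
            if reason:
                findings.append({"container": container.get("name"),
                                 "variable": var["name"], "reason": reason})
    return findings


def scan_cloudtrail_record(record):
    """Apply the check to one CloudTrail record; only task registrations carry
    container definitions in their request parameters."""
    if record.get("eventName") != "RegisterTaskDefinition":
        return []
    return find_plaintext_secrets(record.get("requestParameters", {}))


if __name__ == "__main__":
    for f in scan_cloudtrail_record(SAMPLE_EVENT):
        print(f"{f['container']}: {f['variable']} ({f['reason']})")
```

Run it over the `Records` array of each CloudTrail log file; the two AWS variables in the sample are reported, `DB_PASSWORD` is not, because the trail only ever saw its ARN.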
Slide 12: SURVIVAL
Slide 13: Surviving key rotation or deletion
• AWS Security Token Service
Diagram: a stolen IAM access key (plus the user's MFA info, where the account requires it) is exchanged at STS for a temporary access key. Rotating or deleting the original key in IAM does not revoke temporary credentials that were already issued, so they stay usable until they expire (a GetSessionToken session for an IAM user can last up to 36 hours).
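What "surviving key rotation" means on a timeline, and the control that actually cuts the session off. This is an added example, not the talk's demo: it models the lifetime of a GetSessionToken session across a key rotation, and builds the IAM policy (a Deny conditioned on aws:TokenIssueTime, attached to the compromised user) that invalidates every temporary credential issued before a chosen moment. The timestamps are constructed, and the evaluator models only that one condition key, not IAM's full policy logic.

```python
"""Temporary credentials outlive the long-term key that minted them; the
fix is a Deny on aws:TokenIssueTime, not key rotation. Added example, not
from the slides; timestamps are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Longest session an IAM user can request from sts:GetSessionToken.
GET_SESSION_TOKEN_MAX = timedelta(hours=36)


def session_valid(issued_at: datetime, now: datetime,
                  duration: timedelta = GET_SESSION_TOKEN_MAX) -> bool:
    """Validity depends only on issue time and duration; rotating or
    deleting the access key used to call GetSessionToken changes nothing."""
    return issued_at <= now < issued_at + duration


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Inline policy for the compromised user: deny everything to any
    temporary credential issued before `cutoff`. Long-term keys carry no
    aws:TokenIssueTime, so they are untouched and still need rotating."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def request_denied(policy: dict, token_issue_time: Optional[datetime]) -> bool:
    """Model of how IAM applies that statement to one request. The condition
    key exists only on requests signed with temporary credentials; a request
    signed with a long-term key (token_issue_time=None) never matches it."""
    if token_issue_time is None:
        return False
    for stmt in policy["Statement"]:
        stamp = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and stamp:
            cutoff = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if token_issue_time.astimezone(timezone.utc) < cutoff:
                return True
    return False


def walkthrough() -> dict:
    """Constructed timeline: key stolen and exchanged at STS at 10:00, key
    rotated at 12:00, a fresh session minted at 13:00, review at 20:00."""
    utc = timezone.utc
    stolen_session = datetime(2016, 8, 3, 10, 0, tzinfo=utc)
    rotated_at = datetime(2016, 8, 3, 12, 0, tzinfo=utc)
    legit_session = datetime(2016, 8, 3, 13, 0, tzinfo=utc)
    now = datetime(2016, 8, 3, 20, 0, tzinfo=utc)
    policy = revoke_sessions_policy(rotated_at)
    return {
        "session_alive_after_rotation": session_valid(stolen_session, now),
        "stolen_session_denied_by_policy": request_denied(policy, stolen_session),
        "post_rotation_session_denied": request_denied(policy, legit_session),
        "long_term_key_affected": request_denied(policy, None),
        "policy_cutoff": policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"],
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Deleting the IAM user also kills its sessions, but that is rarely acceptable for a service account; the dated Deny is the surgical option, and it has to be applied on top of the key rotation, not instead of it.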
Slide 14: DEMO
Slide 15: HIDE
Slide 16: Staying Undetected – Altering CloudTrail
• Delete the trails
• Stop the trails
• Disable multi-region logging

$ aws cloudtrail delete-trail --name [trail-name]
$ aws cloudtrail stop-logging --name [trail-name]
$ aws cloudtrail update-trail --name [trail-name] --no-is-multi-region-trail --no-include-global-service-events

Each of these calls is itself recorded as a management event before the trail goes dark, which is what detection should key on.
Slide 17: Staying Undetected – Altering S3 Trail
• S3 lifecycle retention policy (expire the trail's objects after 1 day)
• AWS Lambda
  • Triggers on every new file in the bucket (and can rewrite or delete it before anyone reads it)
  • The Lambda free tier includes 1M free requests per month
Diagram: as on slide 7, but the log files landing in the CloudTrail bucket after the 5 min delivery delay now live only 1 day before the lifecycle rule removes them.
Slide 18: Staying Undetected
• AWS Key Management Service
  • Integrated with CloudTrail
  • S3's Server Side Encryption (SSE)
Diagram: CloudTrail log files in S3 encrypted with a KMS key; the key policy, not the bucket policy, decides who can decrypt them. Encrypting the trail with a key whose policy excludes the defenders leaves the logs delivered but unreadable.
Slide 19: DEMO
Slide 20: PERSISTENCY
Slide 21: Persistency
• Create new users (typosquatting existing names for extra stealth)
• Or: iterate existing users and create a second access key for each

$ aws iam create-user --user-name [username]
$ aws iam create-access-key --user-name [username]
Slide 22: Persistency
• Creating a second access key for existing users is not enough (each user can hold at most two keys, and the extra key stands out in an audit)
• AWS Lambda saves the day, again!
• Trigger on user creation, create an access key for each newly created user, and post it back to you
Slide 23: Persistency
• Backdoor existing roles (add your own principal to the role's trust policy)
• Use your newly retained tokens to assume the modified roles
• Create a Lambda that responds to role creation and adds the backdoor
• Register for UpdateAssumeRolePolicy events to reintroduce backdoors that are removed
Diagram: Lambda ↔ IAM
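Detection for the last three slides in one place: the trail-tampering calls from the "Staying Undetected" slides (DeleteTrail, StopLogging, an UpdateTrail that narrows the trail, a lifecycle rule on the trail bucket) and the persistence moves described here (a key minted for another user, a look-alike user name, a trust policy opened to a foreign account). This is an added example, not tooling from the talk; the records are constructed in CloudTrail's record shape, and the bucket name, account ID and user list are assumptions to replace with your own.

```python
"""Detection rules for the CloudTrail-tampering and IAM-persistence actions
on the "Staying Undetected" and "Persistency" slides. Added example, not from
the talk; records are constructed, with made-up account and user names."""
import json
from urllib.parse import unquote

TRAIL_BUCKET = "acme-cloudtrail-logs"              # assumption: the org's trail bucket
ACCOUNT_ID = "123456789012"                        # assumption: the monitored account
KNOWN_USERS = {"alice", "deploy-bot", "jenkins"}   # assumption: current IAM users


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike user names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def foreign_principals(policy_doc):
    """Account IDs (or '*') in a trust policy's Principal that are not ours.
    CloudTrail stores policyDocument URL-encoded; unquote handles both forms."""
    doc = json.loads(unquote(policy_doc)) if isinstance(policy_doc, str) else policy_doc
    found = set()
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([arns] if isinstance(arns, str) else arns):
            acct = arn.split(":")[4] if arn.startswith("arn:") else arn
            if acct != ACCOUNT_ID:
                found.add(acct)
    return found


def classify(ev):
    """Return an alert string for one CloudTrail record, or None."""
    name, p = ev.get("eventName"), ev.get("requestParameters") or {}
    actor = ev.get("userIdentity", {}).get("userName")
    if name in ("DeleteTrail", "StopLogging"):
        return f"trail tampering: {name} on {p.get('name')} by {actor}"
    if name == "UpdateTrail" and (p.get("isMultiRegionTrail") is False
                                  or p.get("includeGlobalServiceEvents") is False):
        return f"trail narrowed: {name} on {p.get('name')} by {actor}"
    if name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration") \
            and p.get("bucketName") == TRAIL_BUCKET:
        return f"retention change on trail bucket {TRAIL_BUCKET} by {actor}"
    # CLI callers creating their own key usually omit userName entirely.
    if name == "CreateAccessKey" and p.get("userName") not in (None, actor):
        return f"access key minted for another user ({p['userName']}) by {actor}"
    if name == "CreateUser":
        new = p.get("userName", "")
        for known in KNOWN_USERS:
            if new != known and edit_distance(new.lower(), known.lower()) <= 1:
                return f"look-alike user {new!r} (resembles {known!r}) created by {actor}"
    if name == "UpdateAssumeRolePolicy":
        foreign = foreign_principals(p.get("policyDocument", "{}"))
        if foreign:
            return f"trust policy of {p.get('roleName')} opened to {sorted(foreign)} by {actor}"
    return None


def scan(records):
    """Alerts for a list of CloudTrail records (a log file's `Records` array)."""
    return [alert for alert in map(classify, records) if alert]


def rec(name, actor, params, source="iam.amazonaws.com"):
    """Build a minimal record in CloudTrail's shape (constructed test data)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": params}


SAMPLE_RECORDS = [  # constructed, not real log data
    rec("StopLogging", "alice", {"name": "main-trail"}, "cloudtrail.amazonaws.com"),
    rec("UpdateTrail", "alice", {"name": "main-trail", "isMultiRegionTrail": False},
        "cloudtrail.amazonaws.com"),
    rec("PutBucketLifecycle", "alice", {"bucketName": TRAIL_BUCKET}, "s3.amazonaws.com"),
    rec("CreateAccessKey", "alice", {"userName": "jenkins"}),
    rec("CreateUser", "alice", {"userName": "deploy-b0t"}),
    rec("UpdateAssumeRolePolicy", "alice", {"roleName": "Admin", "policyDocument":
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
        '"Principal":{"AWS":"arn:aws:iam::999999999999:root"},"Action":"sts:AssumeRole"}]}'}),
    rec("CreateAccessKey", "alice", {}),                  # own key: benign
    rec("CreateUser", "alice", {"userName": "carol"}),    # unrelated name: benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The rules deliberately fire on the first record of each technique, because after a StopLogging or a 1-day lifecycle rule there may be no second one; the tampering events from slide 16 are the last thing the trail records before it goes quiet.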
Slide 24: AWS Lambda Persistency
Slide 25: VPC Access Persistency
• Virtual Private Cloud (+ Security Group)
• Use a public endpoint and Lambda to bypass the security group: the Lambda runs inside the VPC and pulls its work from a service that is reachable from the Internet
• SQS, Amazon API Gateway, AWS S3 (with VPC endpoint)
Diagram: on-premise data center ↔ VPC
Slide 26: LATERAL MOVEMENT
Slide 27: SUMMARY
Slide 28: Lateral Movement
• Direct Connect
• IAM
• Amazon support tickets
• S3
Diagram of services reachable from a foothold: Direct Connect, IAM, DynamoDB, S3, Virtual Private Cloud, Lambda, EC2, AMI, Beanstalk, Route53, ElastiCache, SQS
Slide 29: Solutions
• Details…
• Stateless architecture with focus on data protection
• Automation via code (CloudFormation, Docker, etc.) so the environment can be recreated from scratch
• Leverage strong account separation (dev, production1, production2)
Slide 30: Q&A
Slide 31: Account Jumping, Post Infection Persistency & Lateral Movement in AWS
Dan Amiga, Co-Founder and CTO - [email protected]
Dor Knafo, Security Research Leader - [email protected]