Amazon GuardDuty Enhances Detection of EC2 Instance Credential Exfiltration



[This blog post was updated on Jan. 23rd to show how to use IMDSv2 instead of IMDSv1]

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3). Informed by a multitude of public and AWS-generated data feeds and powered by machine learning, GuardDuty analyzes billions of events in pursuit of trends, patterns, and anomalies that are recognizable signs that something is amiss. You can enable it with a click and see the first findings within minutes.

Today, we're adding to GuardDuty the ability to detect when your Amazon Elastic Compute Cloud (Amazon EC2) instance credentials are being used from another AWS account. EC2 instance credentials are the temporary credentials made available through the EC2 metadata service to any application running on an instance, when an AWS Identity and Access Management (IAM) role is attached to it.

What Are the Risks?
When your workloads deployed on EC2 instances access AWS services, they use an access key, a secret access key, and a session token. The secure mechanism to pass access key credentials to your workloads is to define the permissions required by your workload, create one or several IAM policies with those permissions, attach the policies to an IAM role and, finally, attach the role to the instance.

Any process running on an EC2 instance with a role attached can retrieve the security credentials by calling the EC2 metadata service v2 (IMDSv2): first a PUT request obtains a session token, then a GET request presents that token to read the credentials:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
{
  "Code" : "Success",
  "LastUpdated" : "2021-09-05T18:24:45Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AS...J5",
  "SecretAccessKey" : "r1...9m",
  "Token" : "IQ...z5Q==",
  "Expiration" : "2021-09-06T00:44:06Z"
}

These credentials are limited in time and in scope. They are valid for a maximum of six hours. They are limited to the scope of the permissions attached to the IAM role associated with the EC2 instance. The session token obtained by the first command is only valid on the instance on which it was generated.

All AWS SDKs are able to retrieve and renew such credentials automatically. No additional code is necessary in your application.
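As an added example (not code from the original post or from the AWS SDKs), the script below performs the same IMDSv2 exchange as the two curl commands above from Python and then checks the returned document the way an SDK credential provider does before trusting it: the token is requested with a PUT and a TTL header, the credentials are read with that token, and the expiration is compared against the current time to decide whether the credentials are still usable or due for renewal. The role name `role-name`, the sample document (copied in shape from the post) and the `fake_fetch` stand-in for IMDS used to run offline are constructed for illustration.

```python
"""Retrieve and validate EC2 instance credentials over IMDSv2 (added example)."""
import json
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254"          # link-local metadata endpoint, same as the curl commands
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"          # format of LastUpdated / Expiration in the document
REFRESH_AHEAD = timedelta(minutes=10)    # renew before expiry rather than at it


def http(method: str, path: str, headers: dict) -> str:
    """Minimal HTTP helper; only the metadata endpoint is ever contacted."""
    req = Request(IMDS + path, method=method, headers=headers)
    with urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_instance_credentials(role_name: str, fetch=http, ttl_seconds: int = 21600) -> dict:
    """IMDSv2 exchange: PUT for a session token, then GET the role credentials with it."""
    token = fetch("PUT", "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    body = fetch("GET", f"/latest/meta-data/iam/security-credentials/{role_name}",
                 {"X-aws-ec2-metadata-token": token})
    return json.loads(body)


def validate_credentials(doc: dict, now_iso: str) -> dict:
    """Sanity-check the credential document and report its remaining lifetime.

    now_iso is the current UTC time in the same format IMDS uses, so the
    function is deterministic and testable offline.
    """
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not doc.get(key):
            raise ValueError(f"credential document missing {key}")
    expires = datetime.strptime(doc["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, TIME_FMT).replace(tzinfo=timezone.utc)
    remaining = expires - now
    return {
        "expired": remaining <= timedelta(0),
        "seconds_remaining": int(remaining.total_seconds()),
        "needs_refresh": remaining <= REFRESH_AHEAD,
    }


# Constructed sample: same shape and timestamps as the document shown in the post.
SAMPLE_DOC = {
    "Code": "Success",
    "LastUpdated": "2021-09-05T18:24:45Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "AS...J5",
    "SecretAccessKey": "r1...9m",
    "Token": "IQ...z5Q==",
    "Expiration": "2021-09-06T00:44:06Z",
}


def fake_fetch(method: str, path: str, headers: dict) -> str:
    """Offline stand-in for IMDS (constructed). It enforces the v2 rule that a
    credential read without a valid session token is refused."""
    if method == "PUT" and path == "/latest/api/token":
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            raise PermissionError("400: token TTL header is required")
        return "FAKE-SESSION-TOKEN"
    if headers.get("X-aws-ec2-metadata-token") != "FAKE-SESSION-TOKEN":
        raise PermissionError("401: IMDSv2 requires a session token")
    return json.dumps(SAMPLE_DOC)


def demo(now_iso: str = "2021-09-06T00:40:00Z") -> dict:
    """Fetch through the stand-in and validate; swap fetch=http on a real instance."""
    doc = get_instance_credentials("role-name", fetch=fake_fetch)
    return validate_credentials(doc, now_iso)


if __name__ == "__main__":
    print(demo())
```

On a real instance, calling `get_instance_credentials("role-name")` with the default `fetch=http` reproduces the curl exchange; the `fake_fetch` stand-in exists only so the expiry logic can be exercised without network access.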

Now imagine that your application running on the EC2 instance is compromised and a malicious actor managed to access the instance's metadata service. The malicious actor would extract the credentials. These credentials have the permissions you defined in the IAM role attached to the instance. Depending on your application, attackers might have the possibility to exfiltrate data from S3 or DynamoDB, to start or terminate EC2 instances, or even to create new IAM users or roles.

Since the launch of GuardDuty, it has detected when such credentials are used from IP addresses outside of AWS. Clever attackers therefore might hide their activity by using the credentials from another AWS account, to operate out of the sight of GuardDuty. Starting today, GuardDuty also detects when the credentials are used from other AWS accounts, inside the AWS network.

What Alerts Are Generated?
There are legitimate reasons why the source IP address communicating with AWS service APIs might be different from the EC2 instance IP address. Think about complex network topologies that route traffic to one or several VPCs; AWS Transit Gateway or AWS Direct Connect, for example. In addition, multi-Region configurations, or not using AWS Organizations, make it non-trivial to detect whether the AWS account using the credentials belongs to you or not. Large companies have implemented their own solutions to detect such security compromises, but these kinds of solutions are not easy to build and maintain. Only a handful of organizations have the resources required to tackle this challenge. When they do so, they distract their engineering efforts from their core business. This is why we decided to address this.

Starting today, GuardDuty generates alerts when it detects a misuse of EC2 instance credentials. When the credentials are used from an affiliated account, the alert is labeled as medium-severity. Otherwise, a high-severity alert is generated. Affiliated accounts are accounts monitored by the same GuardDuty administrator account, also known as GuardDuty member accounts. They might be part of your organization or not.

In Practice
To learn how it works, let's capture and exfiltrate a set of EC2 credentials from one of my EC2 instances. I use SSH to connect to one of my instances, and I use curl to retrieve the credentials, as shown earlier:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
{
  "Code" : "Success",
  "LastUpdated" : "2021-09-05T18:24:45Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AS...J5",
  "SecretAccessKey" : "r1...9m",
  "Token" : "IQ...z5Q==",
  "Expiration" : "2021-09-06T00:44:06Z"
}

The instance has an IAM role with permissions allowing it to read S3 buckets in this AWS account. I copy and paste the credentials. Then I connect to another EC2 instance running in a different AWS account, not affiliated with the same GuardDuty administrator account. I use SSH to connect to that other instance, and then I configure the AWS CLI with the compromised credentials. I attempt to access a private S3 bucket.


# first verify I do not have access
[ec2-user@ip-1-1-0-79 ~]$ aws s3 ls s3://my-private-bucket

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

# then I configure the CLI using the compromised credentials
[ec2-user@ip-1-1-0-79 ~]$ aws configure
AWS Access Key ID [None]: AS...J5
AWS Secret Access Key [None]: r1...9m
Default region name [None]: us-east-1
Default output format [None]:

[ec2-user@ip-1-1-0-79 ~]$ aws configure set aws_session_token IQ...z5Q==

# finally, I attempt to access S3 again
[ec2-user@ip-1-1-0-79 ~]$ aws s3 ls s3://my-private-bucket
                     PRE folder1/
                     PRE folder2/
                     PRE folder3/
2021-01-22 16:37:48 6148 .DS_Store

Shortly after, I use the AWS Management Console to open GuardDuty in the AWS account from which I took the credentials. I can verify that a high-severity alert was generated.

GuardDuty EC2 credentials exfiltration alarm

And So What?
Attackers may extract credentials when they have remote code execution (RCE) or local presence on the instance, or by exploiting application-level vulnerabilities like Server Side Request Forgery (SSRF) and XML External Entity (XXE) injection. There are multiple methods to mitigate RCE or local access, including rebuilding the instances from a secured and patched AMI to eliminate the remote access, rotating access credentials, etc. When the vulnerability is at the application level, you or the application vendor are required to patch the application code to eliminate the vulnerability.

When you receive an alert indicating a risk of compromised credentials, the first thing to do is to verify the account ID. Is it one of your company's accounts or not? During the analysis, when the business case allows, you may terminate the compromised instances or shut down the application. This prevents the attacker from extracting renewed instance credentials upon expiration. When in doubt, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form or by contacting abuse@amazonaws.com. Provide all the necessary information, including the suspicious AWS account ID, logs in plaintext, etc., when you submit your request.
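The triage steps above, together with the severity rule from "What Alerts Are Generated?" (affiliated account → medium, anything else → high), can be turned into a small responder function. The following is an added example, not code from the post or from AWS: it reads the remote account from a finding, decides whether it is one of your organization's accounts, checks that the severity matches the affiliation rule, and lists the containment and reporting steps the post recommends. Assumptions, all labelled in the code: the finding uses the camelCase layout of GuardDuty EventBridge events (`service.action.awsApiCallAction.remoteAccountDetails`, `resource.instanceDetails`, `resource.accessKeyDetails`), the two finding type strings are the names GuardDuty uses for this detection, and every account ID, instance ID and access key ID in the sample is made up.

```python
"""Triage a GuardDuty instance-credential exfiltration finding (added example)."""
import copy

# Assumed GuardDuty finding type names for this detection (not quoted by the post).
EXFIL_TYPES = {
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
}

ABUSE_CONTACT = "abuse@amazonaws.com"   # AWS Trust & Safety contact named in the post


def severity_label(score: float) -> str:
    """GuardDuty's numeric severity bands: 7.0 and above high, 4.0-6.9 medium, else low."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(finding: dict, org_accounts: set) -> dict:
    """Apply the post's guidance to one finding and return a verdict plus actions.

    org_accounts: the set of AWS account IDs you own (e.g. from AWS Organizations).
    """
    if finding.get("type") not in EXFIL_TYPES:
        return {"handled": False, "reason": "not an instance-credential exfiltration finding"}

    # Field paths below follow the assumed EventBridge (camelCase) finding layout.
    remote = finding["service"]["action"]["awsApiCallAction"]["remoteAccountDetails"]
    remote_account = remote.get("accountId")
    affiliated = bool(remote.get("affiliated", False))
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    access_key = finding["resource"]["accessKeyDetails"]["accessKeyId"]

    label = severity_label(float(finding.get("severity", 0)))
    expected = "MEDIUM" if affiliated else "HIGH"   # rule stated in the post

    if remote_account in org_accounts:
        verdict = "org_account"
        actions = [
            f"Confirm with the owner of account {remote_account} that this call path "
            "(Transit Gateway, Direct Connect, multi-Region setup) is expected",
            f"Review which workload in {remote_account} holds credentials for {instance_id}",
        ]
    elif affiliated:
        verdict = "affiliated_account"
        actions = [
            f"Account {remote_account} is a GuardDuty member account but not in your org list; "
            "confirm ownership with the GuardDuty administrator",
            f"Check API activity made with access key {access_key} from that account",
        ]
    else:
        verdict = "unknown_account"
        actions = [
            f"Terminate or stop {instance_id} (or shut down the application) so renewed "
            "credentials cannot be pulled from the metadata service",
            f"Collect plaintext logs of API calls made with access key {access_key} "
            f"from account {remote_account}",
            "Rebuild from a secured, patched AMI and patch the application flaw "
            "(RCE, SSRF, XXE) that exposed the metadata service",
            f"Report account {remote_account} with the collected logs to AWS Trust & Safety",
        ]

    return {
        "handled": True,
        "verdict": verdict,
        "remote_account": remote_account,
        "affiliated": affiliated,
        "instance_id": instance_id,
        "severity_label": label,
        "severity_matches_rule": label == expected,
        "report_to": ABUSE_CONTACT if verdict == "unknown_account" else None,
        "actions": actions,
    }


# Constructed sample finding: mirrors the walkthrough (credentials from account
# 111111111111 used by an unaffiliated account to list an S3 bucket).
SAMPLE_FINDING = {
    "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
    "severity": 8,
    "accountId": "111111111111",
    "region": "us-east-1",
    "resource": {
        "resourceType": "AccessKey",
        "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLE000000001",
                             "userType": "AssumedRole", "userName": "role-name"},
        "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
    },
    "service": {
        "action": {
            "actionType": "AWS_API_CALL",
            "awsApiCallAction": {
                "api": "ListObjectsV2",
                "serviceName": "s3.amazonaws.com",
                "remoteAccountDetails": {"accountId": "999999999999", "affiliated": False},
            },
        },
    },
}


def with_remote(finding: dict, account_id: str, affiliated: bool, severity: float) -> dict:
    """Return a copy of a finding with a different remote account (for what-if runs)."""
    f = copy.deepcopy(finding)
    f["service"]["action"]["awsApiCallAction"]["remoteAccountDetails"] = {
        "accountId": account_id, "affiliated": affiliated}
    f["severity"] = severity
    return f


if __name__ == "__main__":
    for line in triage(SAMPLE_FINDING, {"111111111111", "222222222222"})["actions"]:
        print("-", line)
```

The `severity_matches_rule` flag is a cheap consistency check: a high-severity finding whose remote account is flagged as affiliated (or the reverse) deserves a second look before the automated actions run.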

Availability
This new ability is available in all AWS Regions at no additional cost. It is enabled by default when GuardDuty is already enabled on your AWS account.

Otherwise, enable GuardDuty now, and start the 30-day trial period.

— seb