In 2009, Amazon Web Services was the source of a significant number of Zeus botnet command-and-control connections, largely due to AWS customers’ systems being hijacked and compromised.
Using cloud services for malware distribution has become fairly common, with the SpyEye Trojan misusing AWS Simple Storage Service buckets to spread malware in 2011. In 2017, point of sale (POS) malware targeting POS servers was hosted on nearly 4,000 Elasticsearch servers in AWS.
Many of the major threats to AWS and other major cloud service environments stem from account and credential theft and hijacking. Code Spaces, a code hosting and sharing service hosted by Amazon, was breached by an attacker in June 2014.
The attacker broke into the service by guessing its AWS credentials for the management login page and then demanded a ransom. When Amazon refused to pay and tried to delete the attacker’s account, the hacker retaliated by deleting everything. The company had not enabled AWS multifactor authentication, nor had it backed up any data or systems outside of its primary AWS account, which made the attacker’s job easy.
This demonstrates how attackers focus on AWS accounts as viable targets for compromise. Another developer had credentials hijacked from code on GitHub, and the attackers used them to create AWS instances and rack up a $2,375 bill mining bitcoin before he found out.
This problem has become so pervasive that organizations need to come up with innovative ways to discover compromised credential use or malicious attempts to attack AWS and other cloud resources both within and outside of the targeted cloud accounts.
In early 2018, researchers at Rhino Labs detailed a comprehensive list of possible AWS privilege escalation issues that could be readily exploited by internal and external attackers. The researchers released a tool called aws_escalate to scan identities in AWS and report on possible issues.
Monitoring AWS credentials with Trailblazer
Another researcher, Will Bengtson, a senior security engineer at Netflix, introduced an open source tool called Trailblazer at Black Hat USA 2018 that aims to simplify the monitoring of AWS credentials. The tool was designed in response to unauthorized users setting up infrastructures in AWS, stealing user credentials and using those credentials for malicious activities.
Trailblazer applies a relatively complex series of assessments to the API calls recorded in AWS CloudTrail logs, correlating role assumptions with the AWS services, systems and identities that make them. Its model of normal behavior assumes that the first call made with a given credential comes from the legitimate identity or account. Trailblazer then flags any later calls made with that credential from a different source as possible AWS credential compromises, an innovative approach that can function well in a massive deployment like the one Netflix has within AWS.
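The first-seen rule described above, reduced to a short Python illustration. This is an added example, not Trailblazer's own code and not how Netflix implements it: it assumes, hypothetically, that the first CloudTrail event recorded for an access key fixes that key's legitimate source IP, and flags later events with the same key from a different IP. The events, account ID, key IDs and addresses are constructed for the example.

```python
"""First-seen source baseline over CloudTrail events.

Added illustration (not Trailblazer's own code): the approach is reduced to
one hypothetical rule, namely that the first call recorded for an access key
fixes its legitimate source IP, and later calls with the same key from another
IP are flagged as possible credential compromise.
"""

# Constructed sample events in CloudTrail's JSON field layout; account IDs,
# key IDs and addresses are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2018-08-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.15", "userAgent": "aws-sdk-go/1.14",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2018-08-01T10:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.15", "userAgent": "aws-sdk-go/1.14",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    # Same key, different origin and user agent: the case the rule is built for.
    {"eventTime": "2018-08-01T10:30:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.16",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2018-08-01T10:31:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.2.40", "userAgent": "aws-sdk-java/1.11",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY0002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/batch-role/i-0def"}},
    # Calls an AWS service makes on a principal's behalf carry a service name
    # as the source address; they have no usable origin and are skipped.
    {"eventTime": "2018-08-01T10:32:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "ec2.amazonaws.com", "userAgent": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]


def baseline_and_flag(events):
    """Return (baseline, alerts).

    baseline maps accessKeyId -> first-seen source IP, time and ARN.
    alerts lists later events whose source IP differs from the baseline.
    """
    baseline = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress", "")
        # Skip service-originated calls and events without a credential.
        if not key or src.endswith(".amazonaws.com"):
            continue
        if key not in baseline:
            baseline[key] = {"sourceIPAddress": src,
                             "firstSeen": ev["eventTime"],
                             "arn": ev["userIdentity"].get("arn")}
        elif src != baseline[key]["sourceIPAddress"]:
            alerts.append({"accessKeyId": key,
                           "eventName": ev["eventName"],
                           "eventTime": ev["eventTime"],
                           "expectedSource": baseline[key]["sourceIPAddress"],
                           "observedSource": src,
                           "userAgent": ev.get("userAgent")})
    return baseline, alerts


if __name__ == "__main__":
    _, found = baseline_and_flag(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['eventTime']} {a['accessKeyId']} {a['eventName']} "
              f"from {a['observedSource']} (baseline {a['expectedSource']})")
```

Run against the constructed events, the rule produces one alert: the RunInstances call made with the first key from 198.51.100.23 after that key was baselined to 10.0.1.15. A production version needs what this toy rule ignores: credentials legitimately used from several hosts, instances behind NAT gateways whose public source changes, and a way to age out baselines when roles are redeployed.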
Other options for mitigation
This is a great way to handle incredibly dynamic and broadly scaled AWS infrastructures overall, but it’s likely that many organizations can protect their AWS environments with a combination of other tools and services that may be easier to use.
First, AWS CloudTrail logs should be enabled, with a focus on account and general identity use. Enabling VPC Flow Logs also produces traffic records that can reveal lateral movement or unusual access attempts between resources.
AWS GuardDuty leverages both of these event sources, along with others, to alert IT to behavioral anomalies in account use. Implementing multifactor authentication and bastion hosts for all privileged activity within the environment can severely limit an attacker’s ability to make use of stolen AWS credentials in the first place.
Properly configuring AWS Identity and Access Management (IAM) policies and network access rules is also critical to keep AWS accounts locked down and protected from account misuse and internal attacks.
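The VPC Flow Logs recommendation above, as an added example that is not part of the article and not an AWS tool: a small Python triage pass over flow log records in the default version 2 format. It assumes an allowlist of ports expected for east-west traffic in the VPC (443 and 5432 here, a hypothetical choice) and flags accepted connections between two RFC 1918 addresses on any other port, plus rejected internal connections, which are the "unusual access attempts between resources" the text refers to. The records, account ID and interface ID are constructed.

```python
"""Lateral-movement triage over VPC Flow Log records.

Added example, not part of the original article and not an AWS tool. Parses
the default (version 2) flow log record format and flags traffic between two
RFC 1918 addresses that was either accepted on a port outside an assumed
allowlist of internal services or rejected (possible probing between hosts).
"""
import ipaddress

# Field order of the default version 2 flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed allowlist of ports expected for east-west traffic in this VPC.
EXPECTED_INTERNAL_PORTS = {443, 5432}

# RFC 1918 ranges; used instead of ipaddress' is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; the account ID and ENI are placeholders.
SAMPLE_RECORDS = """\
2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 49152 443 6 20 4249 1533117600 1533117660 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 49153 5432 6 12 2100 1533117600 1533117660 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 49154 22 6 8 1200 1533117660 1533117720 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.3.7 49155 3389 6 1 60 1533117660 1533117720 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.15 51000 443 6 30 6000 1533117600 1533117660 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f67890 - - - - - - - 1533117600 1533117660 - NODATA
"""


def is_internal(addr):
    """True when the address falls inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_record(line):
    """Turn one space-separated record into a dict, or None if unusable."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the numeric fields; drop them.
    if rec["log_status"] != "OK":
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[f] = int(rec[f])
    return rec


def find_lateral_movement(text, expected_ports=EXPECTED_INTERNAL_PORTS):
    """Return {'unexpected_accepts': [...], 'internal_rejects': [...]}.

    Each entry is (srcaddr, dstaddr, dstport, action). Traffic that crosses
    the VPC boundary is left to ingress/egress monitoring and skipped here.
    """
    found = {"unexpected_accepts": [], "internal_rejects": []}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if not (is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"])):
            continue
        summary = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["action"])
        if rec["action"] == "REJECT":
            found["internal_rejects"].append(summary)
        elif rec["dstport"] not in expected_ports:
            found["unexpected_accepts"].append(summary)
    return found


if __name__ == "__main__":
    for kind, entries in find_lateral_movement(SAMPLE_RECORDS).items():
        for src, dst, port, action in entries:
            print(f"{kind}: {src} -> {dst}:{port} {action}")
```

On the constructed records this reports one accepted SSH connection between two internal hosts (10.0.1.15 to 10.0.2.40:22) and one rejected RDP attempt (10.0.1.15 to 10.0.3.7:3389); the inbound connection from 203.0.113.12 is skipped as not east-west. Flow logs carry no payload, so this is a triage signal to pair with the CloudTrail identity view rather than proof of compromise, and the allowlist must be tuned per VPC.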