Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

guest · Nov 18, 2020

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse
November 17, 2020
https://www.darkreading.com/cloud/nearly-two-dozen-aws-apis-are-vulnerable-to-abuse/d/d-id/1339471

Nearly two dozen application programming interfaces (APIs) across 16 different Amazon Web Services offerings can be abused to allow attackers to obtain the roster and internal structure of an organization's cloud account in order to launch targeted attacks against individuals.

All that a threat actor would require in order to carry out the attack is the target organization's 12-digit AWS ID — something that is used and shared publicly — Palo Alto Networks said this week.
Click to expand...

The Amazon services that are vulnerable include Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS), and Amazon Simple Queue Service (SQS).

According to Palo Alto Networks, AWS resource-based policies include a field that specifies the users or roles that are allowed to access specific resources.

"For example, if an attacker knows a company's AWS account ID, the attacker could use this information to ask in a resource-based policy 'does user X exist in this account?'," explains Chen.
"The attacker can keep asking this question with different names and eventually map out all the users/roles in this account," Chen says.
Click to expand...

With enough time, an attacker could brute-force a list of users and role policies and look for misconfigurations that would enable account takeover, says Charles Ragland, security engineer at Digital Shadows. "The major issue with the vulnerability is that the error messages are logged in the attacker's account; therefore, the victim will be unaware of this attack."
Click to expand...

Palo Alto Networks - Unit42: Information Leakage in AWS Resource-Based Policy APIs

Conclusion
Detecting and preventing identity reconnaissance using this technique is difficult as there are no observable logs in the targeted accounts. However, good IAM security hygiene can still effectively mitigate the threats from this type of attack.

Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance.
Click to expand...

guest · Nov 23, 2020

mood said: ↑

Palo Alto Networks - Unit42: Information Leakage in AWS Resource-Based Policy APIs
Click to expand...

IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
November 19, 2020
https://unit42.paloaltonetworks.com/iamfinder/

In a recent blog, “Information Leakage in AWS Resource-Based Policy APIs,” Unit 42 researchers disclosed a class of Amazon Web Services (AWS) APIs that can be abused to find existing users and Identity and Access Management (IAM) roles in arbitrary accounts.

Based on those findings, Unit 42 developed IAMFinder, a custom open-source tool that currently implements APIs of four AWS services: Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS), Amazon Simple Queue Service (SQS) and AWS Identity and Access Management (IAM). With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment.
Click to expand...

Organizations can use IAMFinder to identify the information leaked from IAM reconnaissance. With this tool, organizations can then adjust and reinforce their IAM configuration to mitigate the potential impact of an attacker knowing the users and roles in their AWS account.
Click to expand...

Log in or Sign up

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

guest Guest

guest Guest

Log in or Sign up

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

guest Guest

guest Guest

Useful Searches