Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts


Dec 06, 2023 | Newsroom | Access Management / Cloud Security

Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks.

The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.

AWS STS is a web service that lets users request temporary, limited-privilege credentials to access AWS resources without needing to create an AWS identity. These STS tokens can be valid anywhere from 15 minutes to 36 hours.

Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls.


“Depending on the token’s permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to ensure persistence in the event that their initial AKIA token and all of the ASIA short term tokens it generated are discovered and revoked,” the researchers said.

In the next stage, an MFA-authenticated STS token is used to create multiple new short-term tokens, followed by conducting post-exploitation actions such as data exfiltration.

To mitigate such AWS token abuse, it’s recommended to log CloudTrail event data, detect role-chaining events and MFA abuse, and rotate long-term IAM user access keys.

“AWS STS is a critical security control for limiting the use of static credentials and the duration of access for users across their cloud infrastructure,” the researchers said.

“However, under certain IAM configurations that are common across many organizations, adversaries can also create and abuse these STS tokens to access cloud resources and perform malicious actions.”
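The role-chaining and MFA-token detections recommended above can be sketched over CloudTrail STS records as follows; this is an added example, not code from the article or from Red Canary's analysis. It assumes each record carries `userIdentity.type`, `userIdentity.accessKeyId`, `requestParameters.roleArn` or `serialNumber`, and `responseElements.credentials.accessKeyId`; the helper `ev`, the sample records, the keys and the burst threshold are all constructed.

```python
from collections import defaultdict

def ev(name, id_type, caller, new_key, **params):
    """Build a constructed CloudTrail-style STS record with only the fields used below."""
    return {"eventSource": "sts.amazonaws.com", "eventName": name,
            "userIdentity": {"type": id_type, "accessKeyId": caller},
            "requestParameters": params,
            "responseElements": {"credentials": {"accessKeyId": new_key}}}

# Constructed sample data: placeholder keys and the AWS documentation account ID.
ROLE = "arn:aws:iam::111122223333:role/"
MFA = "arn:aws:iam::111122223333:mfa/example-user"
SAMPLE_EVENTS = [
    ev("GetSessionToken", "IAMUser", "AKIAEXAMPLE0000000001", "ASIAEXAMPLE0000000001", serialNumber=MFA),
    ev("AssumeRole", "IAMUser", "ASIAEXAMPLE0000000001", "ASIAEXAMPLE0000000002", roleArn=ROLE + "a"),
    ev("AssumeRole", "IAMUser", "ASIAEXAMPLE0000000001", "ASIAEXAMPLE0000000003", roleArn=ROLE + "b"),
    ev("AssumeRole", "IAMUser", "ASIAEXAMPLE0000000001", "ASIAEXAMPLE0000000004", roleArn=ROLE + "c"),
    ev("AssumeRole", "AssumedRole", "ASIAEXAMPLE0000000002", "ASIAEXAMPLE0000000005", roleArn=ROLE + "d"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # non-STS, ignored
]

def sts_findings(events, burst_threshold=3):
    """Return (kind, calling_key, detail) tuples for STS activity worth reviewing."""
    findings = []
    minted = defaultdict(list)  # calling key -> short-term keys it was issued
    for record in events:
        if record.get("eventSource") != "sts.amazonaws.com":
            continue
        ident = record.get("userIdentity") or {}
        caller = ident.get("accessKeyId", "")
        params = record.get("requestParameters") or {}
        creds = (record.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId"):
            minted[caller].append(creds["accessKeyId"])
        name = record.get("eventName")
        # Role chaining: an existing role session (ASIA key) assumes a further role.
        if name == "AssumeRole" and ident.get("type") == "AssumedRole" and caller.startswith("ASIA"):
            findings.append(("role_chaining", caller, params.get("roleArn", "")))
        # A long-term AKIA key exchanging an MFA code for an MFA-authenticated session token.
        if name == "GetSessionToken" and caller.startswith("AKIA") and params.get("serialNumber"):
            findings.append(("mfa_session_token", caller, params["serialNumber"]))
    # One credential issuing many short-term tokens, as in the stage described above.
    for caller, keys in minted.items():
        if len(keys) >= burst_threshold:
            findings.append(("token_burst", caller, str(len(keys))))
    return findings

if __name__ == "__main__":
    for finding in sts_findings(SAMPLE_EVENTS):
        print(finding)
```

Each finding is a lead for review against expected automation, not proof of compromise; tune `burst_threshold` to the environment's normal STS volume.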
