S3 Browser Used to Create IAM Login Profiles
The S3 Browser utility is being used to enumerate IAM users lacking login profiles and subsequently create them, potentially for reconnaissance, persistence, and privilege escalation within AWS environments.
The threat involves the use of the S3 Browser utility, a Windows application, to interact with Amazon Web Services (AWS) Identity and Access Management (IAM). Attackers are leveraging S3 Browser to perform reconnaissance, specifically targeting IAM users that do not have a login profile configured. Upon identifying such users, the attacker proceeds to create a login profile for them. This tactic may be indicative of an attempt to gain unauthorized access or maintain persistence within the AWS environment. The activity is detectable via AWS CloudTrail logs and was first publicly reported in May 2023 in connection with the threat actor GUIVIL.
Attack Chain
- Attacker gains initial access to a system with AWS CLI tools installed or uses a compromised IAM user with sufficient permissions.
- The attacker configures S3 Browser with valid AWS credentials, enabling interaction with the AWS environment.
- S3 Browser issues a GetLoginProfile API call, recorded in AWS CloudTrail, to enumerate IAM users and identify those without an existing login profile.
- Upon finding an IAM user without a login profile, S3 Browser issues a CreateLoginProfile API call.
- The attacker sets a password for the newly created login profile, gaining console access to the targeted IAM user account.
- The attacker logs into the AWS console using the newly created credentials.
- The attacker leverages the IAM user’s permissions to perform further reconnaissance, lateral movement, or data exfiltration within the AWS environment.
- The attacker establishes persistence by maintaining access through the created login profile, even if other access methods are revoked.
Impact
Successful exploitation allows attackers to gain unauthorized console access to previously unprotected IAM user accounts. This can lead to privilege escalation, data breaches, and disruption of cloud services. The lack of multi-factor authentication on newly created login profiles increases the risk of account compromise. The impact can range from reconnaissance to full-scale control of the AWS environment, depending on the permissions associated with the compromised IAM users.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect GetLoginProfile and CreateLoginProfile events originating from the S3 Browser user agent in AWS CloudTrail logs.
- Investigate any instances of IAM LoginProfile creation originating from unusual user agents or IP addresses.
- Implement multi-factor authentication (MFA) for all IAM users, including those with console access, to mitigate the impact of compromised credentials.
- Review IAM policies to ensure least privilege and restrict the ability to create or modify LoginProfiles to authorized personnel only.
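The correlation behind the detection recommended above, as an added Python example that is not the vendor's Sigma rule or the page's own code: it walks CloudTrail records in time order, remembers IAM users that an S3 Browser user agent probed with GetLoginProfile and found without a profile (NoSuchEntity), and rates a later CreateLoginProfile for the same user as high, any other CreateLoginProfile as medium. The user-agent substring "S3 Browser" is an assumption, and the sample records are constructed, not real logs.

```python
# Constructed sample CloudTrail records (not real logs), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-02T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetLoginProfile", "errorCode": "NoSuchEntity",
     "userAgent": "S3 Browser/10.0.0 (https://s3browser.com)",  # assumed UA format
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-05-02T10:00:04Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userAgent": "S3 Browser/10.0.0 (https://s3browser.com)",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-05-02T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"userName": "alice"}},
]


def is_s3_browser(event):
    """Assumed user-agent match: the S3 Browser UA contains 'S3 Browser'."""
    return "s3 browser" in event.get("userAgent", "").lower()


def detect_login_profile_creation(events):
    """Return one finding per CreateLoginProfile event, oldest first.

    'high'  : S3 Browser probed the user with GetLoginProfile, got NoSuchEntity
              (no profile yet), then created one for that same user.
    'medium': any other CreateLoginProfile (baseline rule; needs triage).
    """
    probed = set()  # user names S3 Browser found without a login profile
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        user = ev.get("requestParameters", {}).get("userName")
        if (ev["eventName"] == "GetLoginProfile" and is_s3_browser(ev)
                and ev.get("errorCode") == "NoSuchEntity"):
            probed.add(user)
        elif ev["eventName"] == "CreateLoginProfile":
            high = is_s3_browser(ev) and user in probed
            findings.append({
                "userName": user,
                "severity": "high" if high else "medium",
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "userAgent": ev.get("userAgent"),
            })
    return findings
```

Run it over a CloudTrail export by loading each file's `Records` list and passing it to `detect_login_profile_creation`.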
Detection coverage (2 rules)
AWS IAM S3Browser LoginProfile Creation
Severity: high. Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then (when found) creating a LoginProfile.
AWS IAM CreateLoginProfile Events
Severity: medium. Detects creation of IAM Login Profiles.