Skip to content
Threat Feed
high advisory

AWS Account Compromise via New MFA Registration

An adversary may register a new Multi-Factor Authentication (MFA) method for an AWS account using the `CreateVirtualMFADevice` event in AWS CloudTrail logs to maintain persistence and evade detection in a compromised AWS account.

This threat brief focuses on the potential for adversaries to register new MFA methods in compromised AWS accounts to maintain persistent access and evade detection. The technique involves leveraging the CreateVirtualMFADevice event logged by AWS CloudTrail. An attacker who has gained initial access to an AWS account can register a new MFA device, effectively locking out legitimate users and securing their own access to the environment. This activity is critical because it allows attackers to maintain a foothold, making subsequent unauthorized activities more difficult to detect and remediate. This can lead to data breaches, resource hijacking, and other malicious activities. The scope of targeting includes any AWS account without adequate MFA monitoring and alerting in place.

Attack Chain

  1. Initial Access: The attacker gains initial access to an AWS account through compromised credentials (e.g., stolen passwords or leaked API keys).
  2. Privilege Escalation (if needed): The attacker escalates privileges within the AWS account to obtain the necessary permissions to create MFA devices.
  3. Identify Target User: The attacker identifies a user account (potentially an administrator account) to associate the new MFA device with.
  4. Create Virtual MFA Device: The attacker invokes the CreateVirtualMFADevice API call to create a new virtual MFA device.
  5. Associate MFA Device: The attacker associates the newly created virtual MFA device with the target user account.
  6. Activate MFA Device: The attacker activates the virtual MFA device using the activation code.
  7. Persistence: With the new MFA device activated, the attacker now has persistent access to the AWS account, even if the original compromised credentials are revoked.
  8. Lateral Movement/Data Exfiltration: Using the persistent access, the attacker moves laterally within the AWS environment, accesses sensitive data, and potentially exfiltrates it.

Impact

Compromised AWS accounts can lead to significant data breaches, denial of service, and financial losses. If an attacker successfully registers a new MFA device, they can effectively lock out legitimate users and maintain persistent access. This can lead to the exfiltration of sensitive data, modification or deletion of critical resources, and the deployment of malicious workloads. The impact is especially high for organizations that rely heavily on AWS for their infrastructure and services.

Recommendation

  • Deploy the Sigma rule AWS New Virtual MFA Device Creation to detect the CreateVirtualMFADevice event in AWS CloudTrail logs.
  • Investigate any alerts generated by the Sigma rule, paying close attention to the user, source IP address, and user agent associated with the event.
  • Implement multi-factor authentication (MFA) for all AWS users, especially those with administrative privileges, as described in the AWS documentation.
  • Monitor AWS CloudTrail logs for other suspicious activities, such as unusual API calls or unauthorized access attempts.
  • Review and enforce least privilege access controls to limit the impact of compromised credentials.

Detection coverage 2

AWS New Virtual MFA Device Creation

high

Detects the creation of a new virtual MFA device in AWS, which could indicate malicious activity.

sigma tactics: defense_evasion, persistence techniques: T1556.006 sources: cloudtrail, aws

AWS MFA Device Associated with User

medium

Detects the association of a new MFA Device with an IAM user.

sigma tactics: defense_evasion, persistence techniques: T1556.006 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →