high advisory

AWS SecurityHub Findings Evasion via API Calls

Attackers can impair defenses by modifying or deleting findings and insights within AWS SecurityHub using API calls such as BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight.

Attackers with sufficient AWS privileges can manipulate SecurityHub findings to evade detection and maintain persistence within a compromised environment. This involves using SecurityHub’s API to either modify existing findings, delete insights altogether, or update insights to mask malicious activity. This activity is conducted via API calls to securityhub.amazonaws.com, specifically targeting the BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight actions. Successful evasion allows malicious actors to operate without triggering alarms or attracting attention from security personnel, leading to prolonged compromise and potentially greater damage. This is especially critical in production environments where SecurityHub findings are actively monitored.

Attack Chain

  1. The attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role (T1078).
  2. The attacker enumerates existing SecurityHub findings and insights to identify potential targets for modification or deletion.
  3. The attacker calls the BatchUpdateFindings API to modify the severity, confidence, or resolution status of specific findings, effectively silencing alerts (T1562.003).
  4. Alternatively, the attacker calls the UpdateFindings API to modify individual findings.
  5. The attacker calls the DeleteInsight API to remove custom insights that could reveal their activities (T1562).
  6. As another option, the attacker calls the UpdateInsight API to modify the criteria of existing insights, causing them to miss malicious activities.
  7. The attacker validates the changes by querying SecurityHub to confirm that the targeted findings and insights have been successfully altered or removed.
  8. The attacker continues malicious activities, such as data exfiltration or lateral movement, with a reduced risk of detection due to the modified SecurityHub state (TA0005).

Impact

Successful evasion of SecurityHub findings can lead to delayed incident response, prolonged attacker presence within the AWS environment, and increased data exfiltration or system compromise. The impact is particularly severe in production environments where SecurityHub is relied upon for real-time threat detection and alerting. By modifying or deleting findings, attackers can effectively blind security teams, enabling them to operate undetected for extended periods. Exposure scales with the number of AWS deployments that rely on SecurityHub for alerting.

Recommendation

  • Deploy the Sigma rule “AWS SecurityHub Findings Evasion” to your SIEM and tune for your environment to detect suspicious API calls related to findings manipulation (logsource: aws, service: cloudtrail).
  • Review and harden IAM policies to restrict access to SecurityHub API actions such as BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight to only authorized users and roles.
  • Implement multi-factor authentication (MFA) for all AWS accounts and roles, especially those with permissions to modify SecurityHub configurations.
  • Regularly audit CloudTrail logs for suspicious activity related to SecurityHub configuration changes.
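The recommendations above amount to a concrete check: flag CloudTrail records where eventSource is securityhub.amazonaws.com and eventName is one of the four actions, then weigh who made the call and whether the session was MFA-authenticated. The following is an added example written for this page, not the vendor's Sigma rule or any project code. The account id, role and principal ARNs, IP addresses and CloudTrail records are constructed for the example; the "critical" escalation for calls from outside the allow-list or without MFA, and the "medium" severity for UpdateInsight (which the coverage list below does not rate), are choices of this example rather than something the advisory states.

```python
"""Offline detector for SecurityHub findings/insight manipulation in CloudTrail.

Added example, not part of the original advisory. Principals, account id and
log records are constructed; real CloudTrail field names are used.
"""
import json
from collections import Counter

# Actions named in the advisory, mapped to the technique ids it cites.
SENSITIVE_ACTIONS = {
    "BatchUpdateFindings": "T1562.003",
    "UpdateFindings": "T1562.003",
    "DeleteInsight": "T1562",
    "UpdateInsight": "T1562",
}

# Base severity as listed under "Detection coverage"; UpdateInsight is not
# listed there, so "medium" for it is an assumption of this example.
SEVERITY = {
    "BatchUpdateFindings": "high",
    "UpdateFindings": "high",
    "DeleteInsight": "medium",
    "UpdateInsight": "medium",
}

# Hypothetical allow-list: the only principal expected to tune SecurityHub.
# It mirrors the IAM restriction the advisory recommends.
AUTHORIZED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/SecurityHubTuningRole/sec-analyst",
}


def _mfa_authenticated(record):
    """True when the session that made the call was MFA-authenticated."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def evaluate_record(record):
    """Return an alert dict for a SecurityHub manipulation call, else None."""
    if record.get("eventSource") != "securityhub.amazonaws.com":
        return None
    action = record.get("eventName")
    if action not in SENSITIVE_ACTIONS:
        return None
    principal = record.get("userIdentity", {}).get("arn", "<unknown>")
    authorized = principal in AUTHORIZED_PRINCIPALS
    mfa = _mfa_authenticated(record)
    severity = SEVERITY[action]
    # Calls from outside the allow-list, or without MFA, are escalated
    # regardless of the rule's base severity.
    if not authorized or not mfa:
        severity = "critical"
    return {
        "time": record.get("eventTime"),
        "action": action,
        "technique": SENSITIVE_ACTIONS[action],
        "principal": principal,
        "source_ip": record.get("sourceIPAddress"),
        "authorized": authorized,
        "mfa": mfa,
        # Denied attempts are still reported: they show intent.
        "denied": "errorCode" in record,
        "severity": severity,
    }


def scan_cloudtrail(records):
    """Evaluate every record; return alerts in log order."""
    return [alert for alert in map(evaluate_record, records) if alert]


def alerts_by_principal(alerts):
    """Count alerts per calling principal, for audit review."""
    return Counter(a["principal"] for a in alerts)


# Constructed CloudTrail records for the example (not real log data).
_CI = "arn:aws:sts::111122223333:assumed-role/AppDeployRole/ci-runner"
_ANALYST = "arn:aws:sts::111122223333:assumed-role/SecurityHubTuningRole/sec-analyst"
SAMPLE_RECORDS = [
    {   # unauthorized role, no MFA, bulk-updates findings -> critical
        "eventTime": "2024-01-15T10:01:00Z", "eventSource": "securityhub.amazonaws.com",
        "eventName": "BatchUpdateFindings", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "AssumedRole", "arn": _CI,
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
    {   # allow-listed analyst with MFA deletes an insight -> medium (expected work)
        "eventTime": "2024-01-15T10:05:00Z", "eventSource": "securityhub.amazonaws.com",
        "eventName": "DeleteInsight", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole", "arn": _ANALYST,
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # read-only enumeration: not a manipulation action, no alert
        "eventTime": "2024-01-15T10:06:00Z", "eventSource": "securityhub.amazonaws.com",
        "eventName": "GetFindings", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "AssumedRole", "arn": _CI},
    },
    {   # denied UpdateInsight from the unauthorized role -> critical, denied
        "eventTime": "2024-01-15T10:07:00Z", "eventSource": "securityhub.amazonaws.com",
        "eventName": "UpdateInsight", "errorCode": "AccessDenied",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "AssumedRole", "arn": _CI},
    },
]

if __name__ == "__main__":
    alerts = scan_cloudtrail(SAMPLE_RECORDS)
    for alert in alerts:
        print(json.dumps(alert))
    print(dict(alerts_by_principal(alerts)))
```

Run against the constructed records it reports three alerts (the GetFindings read is ignored), escalates the two CI-runner calls to critical, and keeps the analyst's MFA-backed DeleteInsight at medium. The per-principal count is the view to bring to the CloudTrail audit the last recommendation asks for: a principal that is not on the allow-list yet appears in this counter at all is the review item, whether or not its calls succeeded.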

Detection coverage (3 rules)

AWS SecurityHub BatchUpdateFindings API Call

high

Detects calls to BatchUpdateFindings, which can be used to suppress or modify security findings.

Format: sigma. Tactics: defense_impairment. Techniques: T1562.003. Sources: aws, cloudtrail.

AWS SecurityHub Insight Deletion

medium

Detects deletion of SecurityHub insights, potentially used to remove evidence of attacker activity.

Format: sigma. Tactics: defense_impairment. Techniques: T1562. Sources: aws, cloudtrail.

AWS SecurityHub Findings Update

high

Detects calls to UpdateFindings, which can be used to suppress or modify security findings.

Format: sigma. Tactics: defense_impairment. Techniques: T1562.003. Sources: aws, cloudtrail.
