{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-ebs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon EC2","Amazon EBS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis rule detects when an Amazon Elastic Block Store (EBS) snapshot is shared with another AWS account or made public. EBS snapshots contain copies of data volumes that may include sensitive or regulated information. Adversaries may exploit \u003ccode\u003eModifySnapshotAttribute\u003c/code\u003e to share snapshots with external accounts or the public, allowing them to copy and access data in an environment they control. Public sharing (\u003ccode\u003egroup=all\u003c/code\u003e) represents a severe data exposure risk, as it makes the snapshot globally readable. This activity often precedes data exfiltration or persistence operations, where the attacker transfers stolen data out of the victim account or prepares a staging area for further exploitation. The original detection rule was published on 2024/04/16 and updated on 2026/04/10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies EBS snapshots containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifySnapshotAttribute\u003c/code\u003e API to modify the snapshot's permissions, adding an external AWS account or making it publicly accessible (\u003ccode\u003egroup=all\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may also disable EBS encryption to facilitate easier access to the data.\u003c/li\u003e\n\u003cli\u003eThe external AWS account copies the shared snapshot using \u003ccode\u003eCopySnapshot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe copied snapshot is then mounted as a volume on an EC2 instance within the attacker's AWS account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and exfiltrates the sensitive data from the mounted volume.\u003c/li\u003e\n\u003cli\u003eThe attacker may then cover their tracks by deleting the copied snapshot and associated resources in their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise of EBS snapshots can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, and proprietary business data. A successful attack could result in regulatory fines, reputational damage, and financial losses. Sharing snapshots publicly can expose data to a wide range of malicious actors, increasing the risk of unauthorized access and misuse. The number of affected snapshots and the sensitivity of the contained data determine the magnitude of the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS EC2 EBS Snapshot Shared or Made Public\u0026quot; to your SIEM and tune for your environment, focusing on \u003ccode\u003eModifySnapshotAttribute\u003c/code\u003e events (see rules section).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e to identify who modified the snapshot’s permissions. Evaluate whether this identity is authorized to share EBS snapshots, as described in the overview section.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eec2:ModifySnapshotAttribute\u003c/code\u003e permissions to trusted administrative roles only and enforce multi-factor authentication (MFA) for these accounts, as described in the overview section.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules such as \u003ccode\u003eebs-snapshot-public-restorable-check\u003c/code\u003e to continuously monitor for public EBS snapshots, as described in the overview section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-10T10:00:00Z","date_published":"2024-05-10T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-ebs-snapshot-shared/","summary":"An AWS Elastic Block Store (EBS) snapshot is shared with another AWS account or made public, potentially leading to data exfiltration and persistence operations.","title":"AWS EC2 EBS Snapshot Shared or Made Public","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-ebs-snapshot-shared/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon EBS","version":"https://jsonfeed.org/version/1.1"}