{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-elastic-compute-cloud-ec2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Elastic Compute Cloud (EC2)"],"_cs_severities":["high"],"_cs_tags":["aws","ami","data-exfiltration","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAn attacker leverages compromised AWS credentials or exploits a misconfigured IAM role to modify Amazon Machine Image (AMI) attributes. This modification can involve sharing the AMI with an external AWS account or making it publicly accessible. The primary goal is to exfiltrate sensitive data stored within the AMI, such as proprietary code, customer data, or internal configurations. This activity is particularly concerning due to the potential for unauthorized access to critical resources and subsequent data breaches. The technique abuses legitimate AWS functionality, making it harder to detect without specific monitoring in place. The sharing of AMI's is a common tactic to enable data exfiltration by threat actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains access to an AWS account through compromised credentials, exploiting a vulnerability in a web application, or leveraging a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnumeration:\u003c/strong\u003e The attacker enumerates available AMIs within the AWS environment to identify those containing sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e If the initial access doesn't have sufficient privileges, the attacker attempts to escalate privileges to gain the ability to modify AMI attributes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAMI Attribute Modification:\u003c/strong\u003e The attacker uses the \u003ccode\u003eModifyImageAttribute\u003c/code\u003e API call to modify the AMI's launch permissions. This involves adding external AWS accounts or setting the group to \u0026quot;all\u0026quot;, making the AMI public.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker or a collaborator in the external AWS account copies the now-shared AMI to their own environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker launches an EC2 instance from the copied AMI and extracts the sensitive data stored within it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCleanup (Optional):\u003c/strong\u003e The attacker may attempt to remove CloudTrail logs or other evidence of their activity to hinder detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement or Further Attacks:\u003c/strong\u003e The attacker uses the exfiltrated data for further attacks, such as lateral movement within the organization's network or direct extortion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AMI attribute modification and exfiltration can lead to significant data breaches, exposing sensitive customer data, proprietary code, or internal configurations. This can result in financial losses, reputational damage, legal liabilities, and regulatory fines. The scope of the impact depends on the sensitivity and volume of data stored within the compromised AMIs. This technique directly targets data confidentiality and integrity, potentially affecting thousands or millions of users if customer data is involved.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor AWS CloudTrail logs for \u003ccode\u003eModifyImageAttribute\u003c/code\u003e API calls (AWS CloudTrail ModifyImageAttribute Data Source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious AMI attribute modifications in your SIEM (Sigma Rule: \u0026quot;Detect Publicly Shared AWS AMI\u0026quot;).\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit the ability to modify AMI attributes to only authorized personnel (Reference: \u003ca href=\"https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)\"\u003ehttps://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly review AMI launch permissions to identify any publicly shared or externally shared AMIs (Reference: \u003ca href=\"https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)\"\u003ehttps://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eConfigure AWS Config rules to automatically detect and remediate publicly shared AMIs (Reference: \u003ca href=\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)\"\u003ehttps://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAlert on users who are modifying AMI attributes and do not typically perform that action.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/","summary":"An attacker modifies AWS AMI attributes, potentially sharing an AMI with another AWS account or making it publicly accessible, to exfiltrate sensitive data stored in AWS resources.","title":"AWS AMI Attribute Modification for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ami-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Elastic Compute Cloud (EC2)","version":"https://jsonfeed.org/version/1.1"}