<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Batch - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-batch/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-batch/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Replication Abuse via Batch Service for Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-batch-exfiltration/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-batch-exfiltration/</guid><description>Attackers can abuse the AWS Batch service to exfiltrate data from S3 buckets by creating malicious batch jobs that leverage S3 bucket replication.</description><content:encoded><![CDATA[<p>This threat involves the abuse of the AWS Batch service to facilitate data exfiltration from S3 buckets. Attackers exploit the S3 bucket replication feature by creating malicious AWS Batch jobs. These jobs are designed to initiate unauthorized data transfers between S3 buckets, potentially leading to data breaches. This activity is detected through the analysis of AWS CloudTrail logs, specifically looking for <code>JobCreated</code> events and their associated details. This technique allows attackers to bypass traditional data exfiltration methods and leverage native AWS functionalities for malicious purposes. Successful exploitation can lead to significant data loss, regulatory compliance violations, and reputational damage. The scope of targeting depends on the attacker's objectives and the compromised AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account. This could be through compromised credentials, a vulnerable application, or other means.</li>
<li>The attacker identifies a target S3 bucket containing sensitive data.</li>
<li>The attacker creates a new S3 bucket under their control or with permissive access policies in a different AWS account or region.</li>
<li>The attacker crafts a malicious AWS Batch job designed to initiate S3 bucket replication from the target bucket to the attacker-controlled bucket. This job configures the replication settings to copy the data.</li>
<li>The attacker submits the malicious AWS Batch job, triggering the replication process. The job leverages the <code>JobCreated</code> event in CloudTrail logs.</li>
<li>S3 bucket replication begins, and the data is transferred from the target bucket to the attacker's bucket.</li>
<li>Once the replication is complete, the attacker has a copy of the sensitive data in their control.</li>
<li>The attacker can then access, analyze, or further exfiltrate the data from their controlled S3 bucket.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can result in significant data loss and potential data breaches. The number of affected victims depends on the scope of the compromised AWS account and the amount of data stored in the targeted S3 buckets. Sectors that heavily rely on cloud storage, such as finance, healthcare, and government, are particularly at risk. If the attack succeeds, sensitive data, including personal information, financial records, and intellectual property, can be exposed, leading to financial losses, reputational damage, and regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;AWS Exfiltration via Batch Service&quot; analytic to your SIEM to detect suspicious <code>JobCreated</code> events related to S3 bucket replication (Splunk search string).</li>
<li>Implement strict IAM policies to limit the ability of users and roles to create and manage AWS Batch jobs, specifically those involving S3 bucket replication.</li>
<li>Monitor AWS CloudTrail logs for unusual S3 bucket replication configurations and job creation activities.</li>
<li>Enable and review S3 bucket access logging to detect unauthorized access and data transfers.</li>
<li>Investigate and remediate any identified <code>JobCreated</code> events with source IPs that are not within expected ranges.</li>
<li>Enforce multi-factor authentication (MFA) for all AWS accounts to prevent unauthorized access and credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>data-exfiltration</category><category>batch-service</category></item></channel></rss>