{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-datasync/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS DataSync"],"_cs_severities":["high"],"_cs_tags":["aws","datasync","data-exfiltration","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis analytic focuses on detecting the misuse of AWS DataSync for unauthorized data exfiltration. AWS DataSync is a data transfer service that can be used to move data between on-premises storage and AWS, or between AWS storage services. An attacker with sufficient privileges can create a DataSync task to copy data from a secured or private AWS resource to a publicly accessible location, potentially leading to significant data breaches. The detection logic centers around monitoring AWS CloudTrail logs for the \u003ccode\u003eCreateTask\u003c/code\u003e event associated with the DataSync service. This activity is a strong indicator of potential data exfiltration if the destination is unexpected or unauthorized. This analytic can help security teams quickly identify and respond to potential data exfiltration attempts via AWS DataSync.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges to use the DataSync service.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target data source within the AWS environment (e.g., an S3 bucket, an EC2 instance with valuable data).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a DataSync \u003ccode\u003esourceLocationArn\u003c/code\u003e pointing to the identified data source.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a \u003ccode\u003edestinationLocationArn\u003c/code\u003e to point to an external or unauthorized AWS resource (e.g., an attacker-controlled S3 bucket).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the \u003ccode\u003eCreateTask\u003c/code\u003e event using the AWS DataSync service, configuring the task to transfer data from the source to the destination.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eCreateTask\u003c/code\u003e event, including details about the source and destination locations, the user who initiated the task, and other relevant metadata.\u003c/li\u003e\n\u003cli\u003eThe DataSync task executes, transferring data from the source location to the attacker-controlled destination.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the unauthorized exfiltration of sensitive data from an AWS environment. The impact includes potential data breaches, compliance violations (e.g., GDPR, HIPAA), reputational damage, and financial losses. The severity depends on the type and volume of data exfiltrated, as well as the sensitivity of the affected resources. While specific numbers of victims or targeted sectors are not available in the original report, the general impact of data exfiltration can be considered high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS DataSync Task Creation\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious DataSync task creation activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified \u003ccode\u003eCreateTask\u003c/code\u003e events from the DataSync service where the \u003ccode\u003edestinationLocationArn\u003c/code\u003e is unexpected or unauthorized based on normal business operations (see rule above).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for DataSync \u003ccode\u003eCreateTask\u003c/code\u003e events, focusing on the source and destination locations to detect unusual data transfer patterns (see log source in rule above).\u003c/li\u003e\n\u003cli\u003eImplement and enforce the principle of least privilege for AWS IAM roles and policies to limit who can create DataSync tasks and access sensitive data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-datasync-exfiltration/","summary":"An attacker may create an AWS DataSync task to exfiltrate data from a private AWS location to a public one, leading to data compromise, detected by monitoring AWS CloudTrail logs for the `CreateTask` event from the DataSync service.","title":"AWS Data Exfiltration via DataSync Task Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-datasync-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS DataSync","version":"https://jsonfeed.org/version/1.1"}