{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-ec2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS EC2","AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","network-routing"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe addition of a new route to an AWS route table can be a sign of malicious activity, especially if the route redirects traffic to an unexpected or unauthorized destination. This activity is typically logged in AWS CloudTrail. Attackers might add routes to intercept network traffic, conduct man-in-the-middle attacks, or impair defenses by routing traffic away from security appliances. Understanding who is performing this action and the destination of the new route is critical for identifying potential threats within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or the AWS Management Console to interact with the EC2 service.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target route table to modify.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eCreateRoute\u003c/code\u003e API call, specifying the destination CIDR block and target (e.g., an internet gateway, virtual private gateway, or network interface).\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eCreateRoute\u003c/code\u003e event, capturing details of the action, including the user identity, source IP address, and the route table modification.\u003c/li\u003e\n\u003cli\u003eNetwork traffic matching the new route\u0026rsquo;s destination CIDR block is now redirected to the attacker-controlled target.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors and potentially modifies the redirected traffic for reconnaissance or data exfiltration purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of AWS route tables can lead to significant security breaches. An attacker could redirect critical network traffic to a malicious endpoint, enabling them to intercept sensitive data or disrupt services. This could lead to data breaches, financial loss, and reputational damage. The scope of the impact depends on the criticality of the redirected traffic and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect AWS Route Table Modification via CloudTrail\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious route creation events in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eCreateRoute\u003c/code\u003e events where the user identity is unexpected or the destination CIDR block and target are suspicious.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eCreateRoute\u003c/code\u003e events and correlate them with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit who can modify route tables (reference the \u003ccode\u003eeventSource\u003c/code\u003e and \u003ccode\u003eeventName\u003c/code\u003e fields in the rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"/briefs/2024-11-aws-route-added/","summary":"An attacker may add a new route to an AWS route table, potentially redirecting network traffic for malicious purposes such as defense impairment or data exfiltration.","title":"Detect AWS Route Table Modification via CloudTrail","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-route-added/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail","AWS EC2"],"_cs_severities":["low"],"_cs_tags":["attack.defense-impairment","attack.t1686.001","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe creation of new Network Access Control List (ACL) entries in Amazon Web Services (AWS) environments can be a sign of malicious activity. While legitimate use cases exist, adversaries can leverage these ACL changes to impair existing defenses, create new pathways for lateral movement, or establish persistence mechanisms. This activity is logged by CloudTrail and can be monitored to identify unauthorized or suspicious modifications to network security configurations. Attackers could create overly permissive rules that allow unauthorized access to critical resources or restrictive rules that disrupt legitimate traffic. Monitoring the creation of Network ACL entries is important for maintaining the integrity and security of AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the existing Network ACLs within the target Virtual Private Cloud (VPC).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS Management Console, CLI, or API to create a new Network ACL entry. The \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e event is logged in CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe new ACL entry may be configured to allow specific inbound or outbound traffic that was previously blocked, effectively opening a new attack vector.\u003c/li\u003e\n\u003cli\u003eAlternatively, the new ACL entry may be configured to deny legitimate traffic, causing a denial-of-service condition for specific services or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created ACL entry to move laterally within the AWS environment, accessing previously inaccessible resources.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or resource compromise, using the newly opened network pathways.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe creation of unauthorized Network ACL entries can have significant consequences. It can lead to the opening of new attack vectors, allowing unauthorized access to sensitive data and critical resources. In some scenarios, it can result in a denial-of-service condition, disrupting legitimate business operations. Depending on the scope of the compromised resources and data, the impact can range from minor inconvenience to significant financial loss and reputational damage. Early detection of this activity is crucial to mitigating potential risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Network ACL Entry Added\u0026rdquo; to your SIEM to detect suspicious ACL modifications (logsource: aws, service: cloudtrail).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e events that deviate from established baseline configurations or involve unexpected source/destination IP ranges.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Network ACL configurations regularly to identify and remediate any overly permissive or restrictive rules.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise and unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for other related events, such as \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e, which may indicate further tampering with network security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T14:27:00Z","date_published":"2024-10-26T14:27:00Z","id":"/briefs/2024-10-aws-network-acl-created/","summary":"Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.","title":"New AWS Network ACL Entry Creation Detected","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-network-acl-created/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS EC2","version":"https://jsonfeed.org/version/1.1"}