{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-management-console/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS Management Console"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","mfa","initial-access"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe absence of multi-factor authentication (MFA) during AWS console logins presents a significant security risk. Threat actors often target AWS environments due to the high value of data and services hosted within. An attacker gaining initial access through compromised credentials can move laterally, escalate privileges, and potentially exfiltrate sensitive data, deploy malicious workloads, or disrupt critical services. This activity can go unnoticed for extended periods, increasing the potential for damage. Detecting successful console logins without MFA is crucial for identifying potential breaches and ensuring the enforcement of security best practices. 
This brief focuses on detecting these logins to mitigate the risk of unauthorized access and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid AWS credentials, possibly through phishing, credential stuffing, or by exploiting a vulnerable service.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to attempt to log in to the AWS Management Console.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates without providing an MFA code, indicating MFA is not enabled for the compromised user. CloudTrail records this as a \u003ccode\u003eConsoleLogin\u003c/code\u003e event with \u003ccode\u003eresponseElements.ConsoleLogin\u003c/code\u003e set to \u003ccode\u003eSuccess\u003c/code\u003e and \u003ccode\u003eadditionalEventData.MFAUsed\u003c/code\u003e set to \u003ccode\u003eNo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter successful login, the attacker enumerates existing AWS resources, including EC2 instances, S3 buckets, and IAM roles, using the Console or the AWS CLI (after creating access keys for the compromised user).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by exploiting IAM misconfigurations or vulnerabilities to gain access to more sensitive resources.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies security configurations, such as disabling CloudTrail logging or creating new IAM users with elevated permissions, to establish persistence and evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive data stored in S3 buckets or databases, potentially exfiltrating it to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful AWS console login without MFA can lead to a full compromise of the AWS environment. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and deploy malicious workloads. The lack of MFA increases the likelihood of successful credential-based attacks, potentially affecting a large number of organizations hosting data and applications in AWS. 
Consequences include data breaches, financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;AWS Successful Console Login Without MFA\u0026rdquo; Sigma rule to your SIEM to detect successful console logins where CloudTrail reports MFA was not used.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for the root user and for all AWS IAM users, especially those with administrative privileges, to prevent initial access (reference: \u003ca href=\"https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/\"\u003ehttps://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eRegularly audit IAM configurations to identify and remediate misconfigurations that could allow privilege escalation.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for suspicious activity following a console login, such as resource enumeration, CloudTrail changes, or IAM policy changes by the same principal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-aws-console-login-no-mfa/","summary":"Successful AWS console logins without multi-factor authentication can indicate compromised credentials, misconfigured security settings, or unauthorized access attempts.","title":"Successful AWS Console Login Without MFA","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-console-login-no-mfa/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS Management Console","version":"https://jsonfeed.org/version/1.1"}
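The detection the brief recommends, written out as an added example (this is not the advisory's Sigma rule nor any vendor tooling). It walks CloudTrail records, flags successful `ConsoleLogin` events whose `additionalEventData.MFAUsed` is `No`, grades root logins higher than IAM-user logins, and then correlates follow-on persistence or defence-evasion API calls (the attack chain's step 6) by the same principal within a one-hour window. The sample records, the account ID, the principal names and the `SUSPICIOUS_FOLLOW_ON` list are constructed assumptions of the example. One caveat a practitioner should check against their own logs: federated console sessions (`userIdentity.type` of `AssumedRole` or `FederatedUser`) go through an identity provider whose MFA step CloudTrail does not see, so they are reported separately rather than as a medium finding.

```python
"""Flag successful AWS Management Console logins made without MFA, plus
follow-on persistence actions by the same principal, from CloudTrail records.

Added example for this brief; not the advisory's Sigma rule or vendor code.
Field names (eventSource, eventName, userIdentity, responseElements,
additionalEventData.MFAUsed) follow the CloudTrail ConsoleLogin schema; the
sample records below are constructed, not real logs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# API calls worth correlating with a no-MFA login (assumed list for this example).
SUSPICIOUS_FOLLOW_ON = {
    "StopLogging", "DeleteTrail", "UpdateTrail",            # blinding CloudTrail
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",  # new identities
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",  # privilege grants
}

def _login(t, ident, ok, mfa, ip="203.0.113.10"):
    """Build a constructed ConsoleLogin record (sample data only)."""
    return {
        "eventTime": t, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": ident, "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
        "additionalEventData": {"MFAUsed": "Yes" if mfa else "No",
                                "LoginTo": "https://console.aws.amazon.com/console/home"},
    }

ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"}
CAROL = {"type": "IAMUser", "userName": "carol", "arn": "arn:aws:iam::111122223333:user/carol"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
FED = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/OktaAdmin/jdoe"}

SAMPLE_EVENTS = [  # constructed, in time order
    _login("2024-01-09T14:02:11Z", ALICE, ok=True, mfa=True),
    _login("2024-01-09T14:05:42Z", BOB, ok=True, mfa=False, ip="198.51.100.7"),
    {"eventTime": "2024-01-09T14:09:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": BOB, "sourceIPAddress": "198.51.100.7"},
    _login("2024-01-09T14:20:00Z", ROOT, ok=True, mfa=False),
    _login("2024-01-09T14:25:30Z", FED, ok=True, mfa=False),
    _login("2024-01-09T14:31:09Z", CAROL, ok=False, mfa=False),   # failed attempt: not in scope
    {"eventTime": "2024-01-09T15:40:00Z", "eventSource": "iam.amazonaws.com",   # outside window
     "eventName": "CreateUser", "userIdentity": BOB, "sourceIPAddress": "198.51.100.7"},
]

@dataclass
class Finding:
    severity: str
    principal: str
    source_ip: str
    event_time: datetime
    reason: str
    follow_on: list = field(default_factory=list)

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_logins_without_mfa(events):
    """Return a Finding for every *successful* ConsoleLogin with MFAUsed == 'No'."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "signin.amazonaws.com" or ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts belong to a brute-force / credential-stuffing rule
        if ev.get("additionalEventData", {}).get("MFAUsed") != "No":
            continue
        ident = ev.get("userIdentity", {})
        itype = ident.get("type")
        if itype == "Root":
            sev, why = "high", "root login without MFA"
        elif itype == "IAMUser":
            sev, why = "medium", "IAM user login without MFA"
        else:
            # AssumedRole/FederatedUser sessions come via an IdP; CloudTrail does not
            # see the IdP's MFA step, so report these separately rather than as a breach.
            sev, why = "info", f"federated console session ({itype}); confirm MFA at the IdP"
        findings.append(Finding(sev, ident.get("arn", "<unknown>"),
                                ev.get("sourceIPAddress", ""), _ts(ev), why))
    return findings

def correlate_follow_on(events, findings, window=timedelta(hours=1)):
    """Attach suspicious API calls by the same principal within `window` after the login,
    escalating the finding to high when any are found."""
    for f in findings:
        for ev in events:
            if ev.get("eventName") not in SUSPICIOUS_FOLLOW_ON:
                continue
            if ev.get("userIdentity", {}).get("arn") != f.principal:
                continue
            if f.event_time <= _ts(ev) <= f.event_time + window:
                f.follow_on.append(ev["eventName"])
                f.severity = "high"
    return findings

if __name__ == "__main__":
    for f in correlate_follow_on(SAMPLE_EVENTS, detect_logins_without_mfa(SAMPLE_EVENTS)):
        tail = f" -> followed by {', '.join(f.follow_on)}" if f.follow_on else ""
        print(f"[{f.severity}] {f.event_time:%H:%M:%S} {f.principal} from {f.source_ip}: {f.reason}{tail}")
```

Run against the constructed records, bob's login is escalated to high because `StopLogging` follows it four minutes later, root's login is high on its own, the Okta session is informational, alice (MFA used) and carol (failed login) produce nothing, and bob's `CreateUser` at 15:40 falls outside the one-hour window and is not attached. In a real SIEM the same logic maps to a filter on `eventName = ConsoleLogin`, `responseElements.ConsoleLogin = Success`, `additionalEventData.MFAUsed = No`, joined to later events on `userIdentity.arn`.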