{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-rds/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS RDS"],"_cs_severities":["medium"],"_cs_tags":["aws","rds","snapshot","exfiltration"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat focuses on the exfiltration of data from AWS RDS DB snapshots. Adversaries with valid credentials or through misconfigurations may modify snapshot attributes to grant access to accounts they control, bypassing existing security measures. This allows the attacker to restore the snapshot in an environment they control, enabling unauthorized access, offline analysis, or data exfiltration. The attack starts when modifications are made to snapshot attributes adding one or more additional AWS accounts to the snapshot's restore permissions. The rule \u0026quot;AWS RDS DB Snapshot Shared with Another Account\u0026quot; from Elastic detects these successful modifications. This is a critical issue, as DB snapshots contain complete backups of database instances, including schemas, table data, and sensitive application content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an AWS account through compromised credentials or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses reconnaissance actions such as \u003ccode\u003eDescribeDBSnapshots\u003c/code\u003e or \u003ccode\u003eDescribeDBInstances\u003c/code\u003e to identify valuable RDS DB snapshots.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker may attempt to escalate privileges using techniques like \u003ccode\u003eAttachRolePolicy\u003c/code\u003e, \u003ccode\u003ePutUserPolicy\u003c/code\u003e, or \u003ccode\u003eAssumeRole\u003c/code\u003e to gain the necessary permissions to modify snapshot attributes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify DBSnapshotAttribute:\u003c/strong\u003e The attacker modifies the snapshot's attributes using the \u003ccode\u003eModifyDBSnapshotAttribute\u003c/code\u003e or \u003ccode\u003eModifyDBClusterSnapshotAttribute\u003c/code\u003e API calls, adding the attacker's AWS account to the restore permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSnapshot Copying (Optional):\u003c/strong\u003e The attacker may copy the snapshot using the \u003ccode\u003eCopyDBSnapshot\u003c/code\u003e event to another region or account under their control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSnapshot Restoration:\u003c/strong\u003e The attacker restores the snapshot in their AWS environment. This creates a new DB instance or cluster with the data from the snapshot.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker accesses the restored database instance and extracts the sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCleanup (Optional):\u003c/strong\u003e The attacker may attempt to cover their tracks by deleting CloudTrail logs or modifying other security configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to exfiltrate sensitive data contained within the RDS DB snapshot. The number of potential victims is dependent on how widely these snapshots are shared and on the value of the data contained within. Sectors that rely heavily on cloud databases are at increased risk. Consequences of successful attacks include data breaches, financial loss, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Elastic EQL rule \u0026quot;AWS RDS DB Snapshot Shared with Another Account\u0026quot; to your SIEM to detect unauthorized snapshot modifications, tuning it for your environment.\u003c/li\u003e\n\u003cli\u003eRestrict snapshot sharing using IAM condition keys (\u003ccode\u003ekms:ViaService\u003c/code\u003e, \u003ccode\u003erds:dbSnapshotArn\u003c/code\u003e, \u003ccode\u003eaws:PrincipalArn\u003c/code\u003e) as noted in the overview, and remediate existing cross-account access.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules and Security Hub controls for public or cross-account snapshot access, based on the recommendation in the overview section.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eModifyDBSnapshotAttribute\u003c/code\u003e and \u003ccode\u003eModifyDBClusterSnapshotAttribute\u003c/code\u003e events (as seen in the Attack Chain) to identify suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-15T12:00:00Z","date_published":"2024-11-15T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/","summary":"An AWS RDS DB snapshot is shared with another AWS account or made public, potentially enabling unauthorized access, offline analysis, or data exfiltration by allowing adversaries to restore the snapshot in their controlled infrastructure.","title":"AWS RDS DB Snapshot Shared with Another Account","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-rds-snapshot-shared/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS RDS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","datadestruction"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert identifies instances where the deletionProtection feature of an AWS RDS DB instance or cluster is disabled. Deletion protection is a security mechanism that prevents accidental or unauthorized deletion of RDS resources. An adversary with sufficient permissions within a compromised AWS environment may disable this protection to pave the way for destructive activities, including the deletion of databases that hold sensitive or business-critical information. The detection focuses on explicit modifications setting \u003ccode\u003edeletionProtection\u003c/code\u003e to \u003ccode\u003efalse\u003c/code\u003e on RDS DB instances or clusters. This activity is often a precursor to a \u003ccode\u003eDeleteDBInstance\u003c/code\u003e or \u003ccode\u003eDeleteDBCluster\u003c/code\u003e action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains access to an AWS account with sufficient privileges to modify RDS instances or clusters, potentially through compromised credentials or an insider threat.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS Management Console, CLI, or API using the compromised credentials or assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e API call to target a specific RDS DB instance or cluster.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e API call, the attacker sets the \u003ccode\u003edeletionProtection\u003c/code\u003e parameter to \u003ccode\u003efalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e event with \u003ccode\u003edeletionProtection=false\u003c/code\u003e in the \u003ccode\u003erequestParameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may then initiate a \u003ccode\u003eDeleteDBInstance\u003c/code\u003e or \u003ccode\u003eDeleteDBCluster\u003c/code\u003e API call to remove the targeted RDS resource.\u003c/li\u003e\n\u003cli\u003eThe database instance or cluster is deleted, resulting in data loss and potential disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling deletion protection on AWS RDS instances or clusters can lead to the unauthorized or accidental deletion of critical databases. Successful execution of this attack can result in significant data loss, business disruption, and potential financial repercussions. The impact can range from temporary service outages to permanent data loss, depending on the affected systems and backup policies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS RDS Deletion Protection Disabled via CloudTrail\u003c/code\u003e to your SIEM and tune for your environment to detect when deletion protection is disabled (refer to the rule definition below).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e to determine the IAM principal that made the change, and validate whether this principal normally performs RDS lifecycle operations as outlined in the investigation guide.\u003c/li\u003e\n\u003cli\u003eImmediately re-enable deletion protection (\u003ccode\u003edeletionProtection=true\u003c/code\u003e) on the affected DB instance or cluster if the change was unauthorized, as described in the remediation steps in the overview.\u003c/li\u003e\n\u003cli\u003eRestrict who can modify \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e destructive settings, such as deletion protection, backup retention, and public accessibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T14:30:00Z","date_published":"2024-07-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/","summary":"An adversary may disable deletion protection on an AWS RDS DB instance or cluster as a precursor to destructive actions, such as deleting databases containing sensitive data.","title":"AWS RDS DB Instance or Cluster Deletion Protection Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-deletion-protection-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS RDS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","persistence","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the creation or modification of an Amazon RDS DB instance or cluster with the \u003ccode\u003epubliclyAccessible\u003c/code\u003e attribute set to \u003ccode\u003etrue\u003c/code\u003e. While legitimate use cases exist, unexpected public exposure of a database to the internet introduces significant security risks. An adversary with access to AWS credentials might modify a DB instance's public accessibility to exfiltrate data, establish persistence, or bypass internal network restrictions. The rule focuses on \u003ccode\u003eModifyDBInstance\u003c/code\u003e, \u003ccode\u003eCreateDBInstance\u003c/code\u003e, and \u003ccode\u003eCreateDBCluster\u003c/code\u003e events within AWS CloudTrail logs. Defenders should investigate any unexpected changes to RDS instance accessibility. This activity can indicate compromised credentials or insider threats, and might be correlated with other IAM and network configuration changes to assess the overall impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to AWS credentials (e.g., via phishing or credential stuffing).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the AWS Management Console or via the AWS CLI/API.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target RDS DB instance or cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003eModifyDBInstance\u003c/code\u003e API call, setting the \u003ccode\u003ePubliclyAccessible\u003c/code\u003e parameter to \u003ccode\u003etrue\u003c/code\u003e in the \u003ccode\u003erequest_parameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes a \u003ccode\u003eCreateDBInstance\u003c/code\u003e or \u003ccode\u003eCreateDBCluster\u003c/code\u003e API call with the \u003ccode\u003ePubliclyAccessible\u003c/code\u003e parameter set to \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies associated security groups using \u003ccode\u003eAuthorizeSecurityGroupIngress\u003c/code\u003e to allow inbound traffic from \u003ccode\u003e0.0.0.0/0\u003c/code\u003e or other broad IP ranges.\u003c/li\u003e\n\u003cli\u003eThe now publicly accessible RDS instance is used to exfiltrate data or as a pivot point to attack other internal resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the publicly exposed database for persistent access and further reconnaissance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf an attacker successfully makes an RDS DB instance publicly accessible, they can potentially exfiltrate sensitive data, pivot to other internal resources, or establish persistent access to the environment. The number of affected instances depends on the scope of the credential compromise. Sectors that heavily rely on cloud infrastructure, such as finance, healthcare, and technology, are at higher risk. The impact can range from data breaches and compliance violations to significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS RDS DB Instance Made Public\u0026quot; to your SIEM using \u003ccode\u003efilebeat-*\u003c/code\u003e and \u003ccode\u003elogs-aws.cloudtrail-*\u003c/code\u003e indices to detect modifications to RDS instance accessibility.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e in the SIEM to identify the IAM principal that made the change and validate its legitimacy.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003eAuthorizeSecurityGroupIngress\u003c/code\u003e events in CloudTrail logs that allow inbound traffic from \u003ccode\u003e0.0.0.0/0\u003c/code\u003e to associated security groups of RDS instances.\u003c/li\u003e\n\u003cli\u003eImplement AWS Config rules (e.g., \u003ccode\u003erds-instance-public-access-check\u003c/code\u003e) to automatically detect and remediate publicly accessible RDS instances.\u003c/li\u003e\n\u003cli\u003eEnforce Service Control Policies (SCPs) to prevent the creation of publicly accessible RDS instances.\u003c/li\u003e\n\u003cli\u003eRefer to the provided AWS IR Playbooks and AWS Customer Playbook Framework documentation for incident response guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/","summary":"An attacker with compromised AWS credentials may modify an Amazon RDS DB instance or cluster to be publicly accessible for persistence, data exfiltration, or to bypass network restrictions.","title":"AWS RDS DB Instance Made Public","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-public/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS RDS","version":"https://jsonfeed.org/version/1.1"}