{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-route-53/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS GuardDuty","AWS WAF","AWS CloudWatch","AWS CloudWatch Logs","AWS Route 53"],"_cs_severities":["high"],"_cs_tags":["aws","cloudtrail","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on adversaries attempting to impair or disable AWS security services to evade detection and maintain persistence within a compromised environment. The activity involves deleting critical security components across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These operations include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. The attacks leverage valid AWS credentials (either compromised or belonging to a rogue insider) to make legitimate API calls that have the effect of disabling security monitoring. The impact can be significant, as successful impairment of these services allows attackers to operate undetected, potentially escalating privileges, exfiltrating sensitive data, or deploying ransomware without triggering security alerts. This activity is observed via AWS CloudTrail logs, specifically monitoring for \u0026quot;Delete\u0026quot; operations targeting core security services. The scope of this threat covers any AWS environment utilizing these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the AWS environment, either through compromised credentials, a rogue insider, or exploiting a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing AWS security services to identify potential targets for impairment, such as GuardDuty detectors, WAF ACLs, or CloudWatch alarms.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to delete GuardDuty detectors using the \u003ccode\u003eDeleteDetector\u003c/code\u003e API call (eventSource: guardduty.amazonaws.com).\u003c/li\u003e\n\u003cli\u003eThe attacker removes AWS WAF rule groups, IP sets, and Web ACLs using the \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e, \u003ccode\u003eDeleteIPSet\u003c/code\u003e, and \u003ccode\u003eDeleteWebACL\u003c/code\u003e API calls (eventSource: wafv2.amazonaws.com, waf.amazonaws.com).\u003c/li\u003e\n\u003cli\u003eThe attacker deletes CloudWatch logging configurations and alarms using the \u003ccode\u003eDeleteLoggingConfiguration\u003c/code\u003e (eventSource: route53.amazonaws.com, wafv2.amazonaws.com, waf.amazonaws.com) and \u003ccode\u003eDeleteAlarms\u003c/code\u003e API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker may delete CloudWatch Log Streams using the \u003ccode\u003eDeleteLogStream\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eWith security services impaired, the attacker performs malicious activities, such as data exfiltration, lateral movement, or deploying ransomware, with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence within the AWS environment by creating new IAM users or roles or modifying existing ones.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to a significant degradation of the AWS environment's security posture. This allows attackers to operate undetected, escalating privileges, and exfiltrating data or deploying ransomware without triggering security alerts. Organizations may face significant financial losses, reputational damage, and regulatory penalties due to data breaches and service disruptions. Observed damage includes disabled security logging, deleted detection rules, and a general loss of visibility into malicious activity within the AWS environment. The number of potential victims is vast, encompassing any organization utilizing the affected AWS security services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and ensure logs are being ingested into your SIEM to monitor for API calls related to deleting security services.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Defense Evasion Impair Security Services\u0026quot; to your SIEM to detect attempts to disable security services. Tune the rule for known-good administrator activity (e.g., filtering based on user agent or ARN) to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges, to reduce the risk of compromised credentials.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the necessary permissions to perform their tasks, minimizing the potential impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eReview and audit IAM policies regularly to identify and remediate overly permissive permissions that could be abused by attackers.\u003c/li\u003e\n\u003cli\u003eImplement infrastructure-as-code practices and version control for AWS infrastructure to easily detect and revert unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-services-impairment/","summary":"Attackers attempt to impair or disable AWS security services such as GuardDuty, WAF, CloudWatch, Route 53 and CloudWatch Logs by deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms and log streams, in order to evade detection and operate undetected.","title":"AWS Security Services Impairment via Deletion Operations","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-security-services-impairment/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Route 53","version":"https://jsonfeed.org/version/1.1"}