Suspicious AWS EC2 Key Pair Import Activity

hello@craftedsignal.io — Thu, 19 Dec 2024 00:00:00 +0000

The unauthorized import of SSH key pairs into Amazon Elastic Compute Cloud (EC2) is a technique that malicious actors can leverage to gain unauthorized access to EC2 instances. By importing their own key pairs, attackers can bypass existing security measures and gain persistent access to compromised systems. This activity is often part of a broader attack campaign aimed at compromising sensitive data, disrupting services, or establishing a foothold within an organization’s cloud infrastructure. The initial publication of the detection rule was in December 2024, highlighting the ongoing relevance of this technique in cloud security. Monitoring for this activity can help defenders identify and respond to potential security breaches in a timely manner.

Attack Chain

An attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.
The attacker attempts to enumerate existing EC2 instances to identify potential targets.
The attacker generates or obtains an SSH key pair, which they intend to use for unauthorized access.
The attacker uses the ImportKeyPair API call within the EC2 service to import the generated or obtained SSH key pair.
The attacker modifies the EC2 instance’s configuration to associate the newly imported key pair with the instance. This might involve stopping and restarting the instance.
The attacker uses the imported SSH key pair to gain SSH access to the EC2 instance.
Once inside the instance, the attacker attempts to escalate privileges and move laterally within the AWS environment.
The attacker exfiltrates sensitive data, deploys malware, or disrupts critical services.

Impact

A successful key pair import can lead to complete compromise of the affected EC2 instances, potentially impacting dozens of servers depending on the environment. Sensitive data stored on or accessible from these instances could be exfiltrated, leading to financial loss, reputational damage, and regulatory fines. Furthermore, compromised instances can be used as a launchpad for further attacks within the AWS environment, leading to a wider breach. The financial impact can range from tens of thousands to millions of dollars, depending on the scale of the breach and the sensitivity of the data compromised.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect ImportKeyPair events in CloudTrail logs (logsource: aws, service: cloudtrail).
Review IAM policies to ensure that only authorized users and roles have the necessary permissions to import key pairs (eventSource: ’ec2.amazonaws.com’, eventName: ‘ImportKeyPair’).
Investigate any detected ImportKeyPair events, validating the user identity, user agent, and source IP address to ensure they are expected (detection block).
Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise.

AWS VPC Flow Logs Deletion for Defense Evasion

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

An adversary with sufficient privileges within an AWS environment may attempt to delete VPC Flow Logs. These logs are crucial for monitoring network traffic within a VPC, and their removal can significantly impede incident response and forensic investigations. The deletion is accomplished by making a DeleteFlowLogs API call. This action is often taken to remove evidence of malicious activity, such as lateral movement, command and control communication, or data exfiltration. The impact of this activity can be severe, potentially allowing attackers to operate undetected for extended periods.

Attack Chain

The attacker gains initial access to the AWS environment through compromised credentials or an exploited vulnerability (not detailed in source).
The attacker escalates privileges within the AWS environment to gain the necessary permissions to delete VPC Flow Logs (not detailed in source).
The attacker uses the AWS CLI or AWS Management Console to execute the DeleteFlowLogs API call.
The attacker identifies the specific Flow Log IDs that need to be deleted.
The attacker authenticates to the AWS API using stolen or generated credentials.
The DeleteFlowLogs API call is made, specifying the Flow Log IDs to be deleted.
AWS processes the request and deletes the specified VPC Flow Logs.
The attacker verifies the deletion of the Flow Logs to ensure that their actions are no longer being logged.

Impact

Successful deletion of VPC Flow Logs prevents security teams from detecting malicious activity within the AWS environment. Without these logs, it becomes significantly more difficult to investigate security incidents, track attacker movements, and understand the scope of a compromise. This can lead to delayed incident response, increased dwell time for attackers, and greater overall damage. The absence of flow logs severely limits network visibility, hindering any attempt to reconstruct events or identify compromised assets.

Recommendation

Implement the Sigma rule “AWS VPC Flow Logs Deleted” to detect instances of DeleteFlowLogs API calls (reference: rules section).
Monitor CloudTrail logs for DeleteFlowLogs events and investigate any unexpected occurrences (reference: logsource).
Enforce the principle of least privilege to restrict IAM users and roles from having the ec2:DeleteFlowLogs permission unless absolutely necessary.
Implement multi-factor authentication (MFA) for all AWS accounts, especially those with administrative privileges.
Regularly review and audit IAM policies to ensure that permissions are appropriately scoped and not overly permissive.

Elastic Compute Cloud (EC2) — CraftedSignal Threat Feed

Suspicious AWS EC2 Key Pair Import Activity

Attack Chain

Impact

Recommendation

AWS VPC Flow Logs Deletion for Defense Evasion

Attack Chain

Impact

Recommendation