{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-container-registry/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["aws","ecr","cloud","container"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies unusual activity related to AWS Elastic Container Registry (ECR). Specifically, it focuses on container image uploads performed by users or roles that do not typically execute such actions. This activity might indicate a compromised AWS account, a malicious insider, or the use of stolen credentials. While the provided source material lacks specific details on observed campaigns or threat actors, detecting anomalous ECR upload behavior is crucial for maintaining the integrity of containerized applications and preventing the deployment of malicious images. The alert helps defenders identify deviations from the established baseline of ECR usage within their AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the limited information, a generic attack chain is constructed based on the \u003cem\u003epotential\u003c/em\u003e exploitation of this type of event:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker may attempt to elevate privileges within the AWS environment to gain broader control over resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eECR Access:\u003c/strong\u003e The attacker gains access to the AWS ECR service, potentially using the compromised credentials or a role with sufficient permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImage Modification/Upload:\u003c/strong\u003e The attacker uploads a malicious container image to an existing ECR repository, replacing or adding to the available images.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment Manipulation:\u003c/strong\u003e The attacker modifies deployment configurations (e.g., Kubernetes manifests, ECS task definitions) to utilize the newly uploaded malicious image.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The malicious container image is deployed and executed within the environment, leading to further compromise or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence within the compromised environment by maintaining access to the AWS account or through other means.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the deployment of compromised applications within the AWS environment. This could result in data breaches, system compromise, or disruption of services. The number of potential victims depends on the scope of the compromised AWS account and the applications deployed using the affected container images. The targeted sectors are highly variable but could include any organization utilizing AWS ECR for containerized application deployment. The financial and reputational damage could be significant, especially if sensitive data is exposed or services are disrupted.\u003c/p\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-aws-ecr-container-upload/","summary":"This alert detects a container image upload to an AWS Elastic Container Registry (ECR) repository by a user that is not typically associated with such actions, potentially indicating account compromise or insider threat activity.","title":"Suspicious AWS ECR Container Upload by Unknown User","url":"https://feed.craftedsignal.io/briefs/2024-01-30-aws-ecr-container-upload/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","ecr","container"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection focuses on identifying anomalous container image uploads to AWS Elastic Container Registry (ECR). Specifically, it flags \u003ccode\u003ePutImage\u003c/code\u003e events logged in AWS CloudTrail that occur outside of typical business hours (between 8 PM and 8 AM, or on weekends). The detection aims to uncover potentially malicious activity such as unauthorized uploads from compromised accounts or insider threats. The version of the Splunk detection being used is 11, published on 2026-04-15. Successful exploitation could result in the deployment of unauthorized or malicious containers, potentially leading to data breaches, service disruptions, or supply chain compromise. Defenders should investigate any detected activity promptly to validate its legitimacy and prevent further malicious actions. The scope includes all AWS accounts utilizing ECR.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI or SDK to interact with the ECR service.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to ECR using the compromised credentials or assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker builds or obtains a malicious container image.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eaws ecr get-login-password\u003c/code\u003e command to retrieve an authentication token for Docker.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates Docker to the ECR registry using the retrieved token.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003edocker push\u003c/code\u003e command to upload the malicious container image to a target ECR repository using the \u003ccode\u003ePutImage\u003c/code\u003e API call. This occurs outside of normal business hours.\u003c/li\u003e\n\u003cli\u003eThe malicious container image is subsequently deployed within the AWS environment, leading to code execution and further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could allow an attacker to deploy unauthorized or malicious containers within the AWS environment. This can lead to data breaches, service disruptions, or the injection of malicious code into production systems. The number of affected organizations and the extent of the damage are dependent on the attacker's objectives and the security posture of the targeted AWS environment. The sectors most at risk are those heavily reliant on containerized applications, such as software development, financial services, and e-commerce.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS ECR Container Upload Outside Business Hours\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003ePutImage\u003c/code\u003e events flagged by the detection during non-business hours, focusing on the user identified by the \u003ccode\u003euser\u003c/code\u003e field in the logs.\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the user identified in the logs, ensuring they adhere to the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious activity related to container image uploads, using the \u003ccode\u003edata_source\u003c/code\u003e field as a reference.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts and IAM users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and update container image security policies to prevent the deployment of unauthorized or vulnerable images.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:23:00Z","date_published":"2024-01-09T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ecr-upload-outside-hours/","summary":"This analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours, indicating potential unauthorized activity and leveraging AWS CloudTrail logs to identify `PutImage` events during non-business hours.","title":"AWS ECR Container Upload Outside Business Hours","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ecr-upload-outside-hours/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2023-54321"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["aws","ecr","container","vulnerability"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with low severity findings identified during AWS Elastic Container Registry (ECR) image scans. The focus is on detecting these findings through AWS CloudTrail logs, specifically using the \u003ccode\u003eDescribeImageScanFindings\u003c/code\u003e event. While individually low severity, the accumulation of these vulnerabilities or misconfigurations can create attack pathways or be chained together for greater impact. Defenders need to identify and remediate these issues promptly to prevent potential exploitation. This activity helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. The scope of targeting focuses on organizations utilizing AWS ECR for container image storage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer introduces a container image into the AWS ECR, potentially containing low severity vulnerabilities due to outdated packages or misconfigurations.\u003c/li\u003e\n\u003cli\u003eAWS ECR automatically scans the image for vulnerabilities upon creation or via scheduled scans using the \u003ccode\u003eDescribeImageScanFindings\u003c/code\u003e event in CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe scan identifies low, informational, or unknown severity findings, which are logged in CloudTrail.\u003c/li\u003e\n\u003cli\u003eAn attacker identifies these vulnerabilities through public sources or by gaining access to internal reports/dashboards, which are based on the AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe attacker chains together multiple low severity vulnerabilities or combines them with other weaknesses in the application or infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits these vulnerabilities to gain unauthorized access to the container or the underlying host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this initial access to escalate privileges within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to access sensitive data or systems, ultimately achieving their objective, such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile individual low severity findings might seem insignificant, their accumulation or combination with other vulnerabilities can create a significant attack surface. Successful exploitation could lead to unauthorized access to containerized applications and data, potentially impacting confidentiality, integrity, and availability. The number of affected victims is highly variable depending on the scope and severity of the vulnerabilities and the overall security posture of the organization. Targeted sectors include any organization using AWS ECR to store and manage container images.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect AWS ECR Low Severity Findings\u003c/code\u003e to your SIEM and tune it to your environment to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any findings identified by the Sigma rule \u003ccode\u003eDetect AWS ECR Low Severity Findings\u003c/code\u003e to determine their potential impact and prioritize remediation.\u003c/li\u003e\n\u003cli\u003eImplement a vulnerability management program to regularly scan container images for vulnerabilities and track remediation efforts as documented in the references.\u003c/li\u003e\n\u003cli\u003eReview and harden container deployment configurations to minimize the attack surface, including limiting privileges and enabling network segmentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-low-severity-findings/","summary":"This analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans using AWS CloudTrail logs, indicating potential vulnerabilities or misconfigurations in container images that could lead to unauthorized access or data breaches.","title":"AWS ECR Container Scanning Reveals Low Severity Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-low-severity-findings/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2023-1234"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Container Registry"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","ecr","container","vulnerability"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images within AWS environments. The activity is significant for security operations centers (SOCs) as it highlights potential security risks in containerized applications. The presence of medium severity vulnerabilities suggests that attackers could potentially exploit these weaknesses. Addressing these findings is crucial to reduce the attack surface of containerized applications and prevent potential breaches. The focus is on identifying and mitigating vulnerabilities within the AWS ECR service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an organization using AWS ECR to store container images.\u003c/li\u003e\n\u003cli\u003eThe attacker scans publicly accessible ECR repositories or gains access through compromised credentials.\u003c/li\u003e\n\u003cli\u003eUsing information gathering techniques, the attacker identifies container images with known medium-severity vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious container image leveraging the identified vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious container image to a compromised or vulnerable ECR repository or replaces existing images if possible.\u003c/li\u003e\n\u003cli\u003eThe vulnerable container images are deployed into the target environment (e.g., Kubernetes cluster, ECS).\u003c/li\u003e\n\u003cli\u003eUpon execution, the vulnerable code within the container image allows the attacker to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution within the container environment, enabling lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised container images can lead to unauthorized access, data breaches, and further exploitation within the container environment. A successful attack targeting medium severity vulnerabilities in AWS ECR could result in data breaches, service disruption, or unauthorized resource access. The number of affected systems depends on the scope of the vulnerable container deployments. If unaddressed, these vulnerabilities can serve as entry points for broader network intrusions, impacting the overall security posture of the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect medium-severity findings in AWS ECR image scans, utilizing \u003ccode\u003eAWS CloudTrail DescribeImageScanFindings\u003c/code\u003e events.\u003c/li\u003e\n\u003cli\u003eReview and remediate all findings identified by AWS ECR container scanning with \u003ccode\u003eseverity=MEDIUM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement robust access controls and monitoring for AWS ECR repositories to prevent unauthorized image uploads or modifications.\u003c/li\u003e\n\u003cli\u003eRegularly update container images to address known vulnerabilities and ensure the latest security patches are applied.\u003c/li\u003e\n\u003cli\u003eUtilize AWS CloudTrail logs and the provided search queries to investigate user activity associated with detected findings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-medium-vuln/","summary":"AWS Elastic Container Registry (ECR) image scans reveal medium-severity vulnerabilities, potentially leading to unauthorized access and data breaches if exploited within containerized applications.","title":"AWS ECR Container Scanning Reveals Medium Severity Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-medium-vuln/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Container Registry"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","ecr","container-security"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis brief serves as a placeholder due to the inability to extract meaningful threat intelligence from the provided source, which is a GitHub navigation page. When specific information regarding threats targeting AWS Elastic Container Registry (ECR) becomes available, this brief will be updated with details on threat actors, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The goal is to provide actionable intelligence for detection engineers to proactively defend against emerging threats targeting container images and deployments within AWS ECR. This includes details on vulnerability exploits, malware injection, and other malicious activities affecting containerized environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the lack of specific threat information, the following attack chain is a hypothetical scenario that could be associated with compromised container images within AWS ECR.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A malicious actor gains unauthorized access to an AWS account with permissions to push images to ECR, potentially through compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImage Modification:\u003c/strong\u003e The attacker modifies an existing, legitimate container image or uploads a completely new, malicious image to the ECR repository. This image contains malware or vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment:\u003c/strong\u003e An application deployment pipeline pulls the compromised image from ECR to deploy a new container instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Execution:\u003c/strong\u003e The malware within the container image executes upon startup, potentially establishing a reverse shell or performing other malicious actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised container as a foothold to move laterally within the AWS environment, exploiting misconfigurations or vulnerabilities in other services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from other AWS services or achieves other objectives such as disrupting services or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting AWS ECR can lead to the compromise of containerized applications, data breaches, and significant disruptions to cloud services. Depending on the severity of the injected malware, this could result in data exfiltration, system downtime, or further compromise of the AWS environment. The impact could affect organizations across various sectors leveraging AWS ECR for containerized deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement strong access controls and multi-factor authentication for AWS accounts with permissions to manage ECR repositories.\u003c/li\u003e\n\u003cli\u003eRegularly scan container images in ECR for vulnerabilities using container scanning tools, such as AWS Inspector or third-party solutions (reference: AWS ECR container scanning mentioned in title).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious API calls related to ECR image modifications and deployments.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of compromised containers.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege for container deployments to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-scanning/","summary":"This is a placeholder brief due to the provided text being a GitHub navigation page, indicating no specific threat or attack details are available, and therefore serves as a template for future threat intelligence extraction related to AWS ECR container scanning.","title":"AWS ECR Container Scanning Findings Placeholder","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-scanning/"}],"language":"en","title":"CraftedSignal Threat Feed - Elastic Container Registry","version":"https://jsonfeed.org/version/1.1"}