<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elastic Container Registry - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/elastic-container-registry/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/elastic-container-registry/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious AWS ECR Container Upload by Unknown User</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-aws-ecr-container-upload/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-aws-ecr-container-upload/</guid><description>This alert detects a container image upload to an AWS Elastic Container Registry (ECR) repository by a user that is not typically associated with such actions, potentially indicating account compromise or insider threat activity.</description><content:encoded><![CDATA[<p>This detection identifies unusual activity related to AWS Elastic Container Registry (ECR). Specifically, it focuses on container image uploads performed by users or roles that do not typically execute such actions. This activity might indicate a compromised AWS account, a malicious insider, or the use of stolen credentials. While the provided source material lacks specific details on observed campaigns or threat actors, detecting anomalous ECR upload behavior is crucial for maintaining the integrity of containerized applications and preventing the deployment of malicious images. The alert helps defenders identify deviations from the established baseline of ECR usage within their AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>Given the limited information, a generic attack chain is constructed based on the <em>potential</em> exploitation of this type of event:</p>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role.</li>
<li><strong>Privilege Escalation (Optional):</strong> The attacker may attempt to elevate privileges within the AWS environment to gain broader control over resources.</li>
<li><strong>ECR Access:</strong> The attacker gains access to the AWS ECR service, potentially using the compromised credentials or a role with sufficient permissions.</li>
<li><strong>Image Modification/Upload:</strong> The attacker uploads a malicious container image to an existing ECR repository, replacing or adding to the available images.</li>
<li><strong>Deployment Manipulation:</strong> The attacker modifies deployment configurations (e.g., Kubernetes manifests, ECS task definitions) to utilize the newly uploaded malicious image.</li>
<li><strong>Execution:</strong> The malicious container image is deployed and executed within the environment, leading to further compromise or data exfiltration.</li>
<li><strong>Persistence:</strong> The attacker may establish persistence within the compromised environment by maintaining access to the AWS account or through other means.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the deployment of compromised applications within the AWS environment. This could result in data breaches, system compromise, or disruption of services. The number of potential victims depends on the scope of the compromised AWS account and the applications deployed using the affected container images. The targeted sectors are highly variable but could include any organization utilizing AWS ECR for containerized application deployment. The financial and reputational damage could be significant, especially if sensitive data is exposed or services are disrupted.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ecr</category><category>cloud</category><category>container</category></item><item><title>AWS ECR Container Upload Outside Business Hours</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-ecr-upload-outside-hours/</link><pubDate>Tue, 09 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-ecr-upload-outside-hours/</guid><description>This analytic detects the upload of a new container image to AWS Elastic Container Registry (ECR) outside of standard business hours, indicating potential unauthorized activity and leveraging AWS CloudTrail logs to identify `PutImage` events during non-business hours.</description><content:encoded><![CDATA[<p>This detection focuses on identifying anomalous container image uploads to AWS Elastic Container Registry (ECR). Specifically, it flags <code>PutImage</code> events logged in AWS CloudTrail that occur outside of typical business hours (between 8 PM and 8 AM, or on weekends). The detection aims to uncover potentially malicious activity such as unauthorized uploads from compromised accounts or insider threats. The version of the Splunk detection being used is 11, published on 2026-04-15. Successful exploitation could result in the deployment of unauthorized or malicious containers, potentially leading to data breaches, service disruptions, or supply chain compromise. Defenders should investigate any detected activity promptly to validate its legitimacy and prevent further malicious actions. The scope includes all AWS accounts utilizing ECR.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker leverages the AWS CLI or SDK to interact with the ECR service.</li>
<li>The attacker authenticates to ECR using the compromised credentials or assumed role.</li>
<li>The attacker builds or obtains a malicious container image.</li>
<li>The attacker uses the <code>aws ecr get-login-password</code> command to retrieve an authentication token for Docker.</li>
<li>The attacker authenticates Docker to the ECR registry using the retrieved token.</li>
<li>The attacker executes a <code>docker push</code> command to upload the malicious container image to a target ECR repository using the <code>PutImage</code> API call. This occurs outside of normal business hours.</li>
<li>The malicious container image is subsequently deployed within the AWS environment, leading to code execution and further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could allow an attacker to deploy unauthorized or malicious containers within the AWS environment. This can lead to data breaches, service disruptions, or the injection of malicious code into production systems. The number of affected organizations and the extent of the damage are dependent on the attacker's objectives and the security posture of the targeted AWS environment. The sectors most at risk are those heavily reliant on containerized applications, such as software development, financial services, and e-commerce.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS ECR Container Upload Outside Business Hours</code> to your SIEM and tune for your environment.</li>
<li>Investigate any <code>PutImage</code> events flagged by the detection during non-business hours, focusing on the user identified by the <code>user</code> field in the logs.</li>
<li>Review IAM policies associated with the user identified in the logs, ensuring they adhere to the principle of least privilege.</li>
<li>Monitor AWS CloudTrail logs for suspicious activity related to container image uploads, using the <code>data_source</code> field as a reference.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts and IAM users to mitigate the risk of credential compromise.</li>
<li>Review and update container image security policies to prevent the deployment of unauthorized or vulnerable images.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>container</category></item><item><title>AWS ECR Container Scanning Reveals Low Severity Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-low-severity-findings/</link><pubDate>Wed, 03 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-ecr-low-severity-findings/</guid><description>This analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans using AWS CloudTrail logs, indicating potential vulnerabilities or misconfigurations in container images that could lead to unauthorized access or data breaches.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk associated with low severity findings identified during AWS Elastic Container Registry (ECR) image scans. The focus is on detecting these findings through AWS CloudTrail logs, specifically using the <code>DescribeImageScanFindings</code> event. While individually low severity, the accumulation of these vulnerabilities or misconfigurations can create attack pathways or be chained together for greater impact. Defenders need to identify and remediate these issues promptly to prevent potential exploitation. This activity helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment. The scope of targeting focuses on organizations utilizing AWS ECR for container image storage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A developer introduces a container image into the AWS ECR, potentially containing low severity vulnerabilities due to outdated packages or misconfigurations.</li>
<li>AWS ECR automatically scans the image for vulnerabilities upon creation or via scheduled scans using the <code>DescribeImageScanFindings</code> event in CloudTrail.</li>
<li>The scan identifies low, informational, or unknown severity findings, which are logged in CloudTrail.</li>
<li>An attacker identifies these vulnerabilities through public sources or by gaining access to internal reports/dashboards, which are based on the AWS CloudTrail logs.</li>
<li>The attacker chains together multiple low severity vulnerabilities or combines them with other weaknesses in the application or infrastructure.</li>
<li>The attacker exploits these vulnerabilities to gain unauthorized access to the container or the underlying host.</li>
<li>The attacker uses this initial access to escalate privileges within the environment.</li>
<li>The attacker moves laterally to access sensitive data or systems, ultimately achieving their objective, such as data exfiltration or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>While individual low severity findings might seem insignificant, their accumulation or combination with other vulnerabilities can create a significant attack surface. Successful exploitation could lead to unauthorized access to containerized applications and data, potentially impacting confidentiality, integrity, and availability. The number of affected victims is highly variable depending on the scope and severity of the vulnerabilities and the overall security posture of the organization. Targeted sectors include any organization using AWS ECR to store and manage container images.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Detect AWS ECR Low Severity Findings</code> to your SIEM and tune it to your environment to detect the described activity.</li>
<li>Investigate any findings identified by the Sigma rule <code>Detect AWS ECR Low Severity Findings</code> to determine their potential impact and prioritize remediation.</li>
<li>Implement a vulnerability management program to regularly scan container images for vulnerabilities and track remediation efforts as documented in the references.</li>
<li>Review and harden container deployment configurations to minimize the attack surface, including limiting privileges and enabling network segmentation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ecr</category><category>container</category><category>vulnerability</category></item><item><title>AWS ECR Container Scanning Reveals Medium Severity Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-medium-vuln/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-medium-vuln/</guid><description>AWS Elastic Container Registry (ECR) image scans reveal medium-severity vulnerabilities, potentially leading to unauthorized access and data breaches if exploited within containerized applications.</description><content:encoded><![CDATA[<p>This analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images within AWS environments. The activity is significant for security operations centers (SOCs) as it highlights potential security risks in containerized applications. The presence of medium severity vulnerabilities suggests that attackers could potentially exploit these weaknesses. Addressing these findings is crucial to reduce the attack surface of containerized applications and prevent potential breaches. The focus is on identifying and mitigating vulnerabilities within the AWS ECR service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an organization using AWS ECR to store container images.</li>
<li>The attacker scans publicly accessible ECR repositories or gains access through compromised credentials.</li>
<li>Using information gathering techniques, the attacker identifies container images with known medium-severity vulnerabilities.</li>
<li>The attacker crafts a malicious container image leveraging the identified vulnerabilities.</li>
<li>The attacker uploads the malicious container image to a compromised or vulnerable ECR repository or replaces existing images if possible.</li>
<li>The vulnerable container images are deployed into the target environment (e.g., Kubernetes cluster, ECS).</li>
<li>Upon execution, the vulnerable code within the container image allows the attacker to gain unauthorized access.</li>
<li>The attacker achieves code execution within the container environment, enabling lateral movement, data exfiltration, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised container images can lead to unauthorized access, data breaches, and further exploitation within the container environment. A successful attack targeting medium severity vulnerabilities in AWS ECR could result in data breaches, service disruption, or unauthorized resource access. The number of affected systems depends on the scope of the vulnerable container deployments. If unaddressed, these vulnerabilities can serve as entry points for broader network intrusions, impacting the overall security posture of the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect medium-severity findings in AWS ECR image scans, utilizing <code>AWS CloudTrail DescribeImageScanFindings</code> events.</li>
<li>Review and remediate all findings identified by AWS ECR container scanning with <code>severity=MEDIUM</code>.</li>
<li>Implement robust access controls and monitoring for AWS ECR repositories to prevent unauthorized image uploads or modifications.</li>
<li>Regularly update container images to address known vulnerabilities and ensure the latest security patches are applied.</li>
<li>Utilize AWS CloudTrail logs and the provided search queries to investigate user activity associated with detected findings.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>container</category><category>vulnerability</category></item><item><title>AWS ECR Container Scanning Findings Placeholder</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-scanning/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-ecr-container-scanning/</guid><description>This is a placeholder brief due to the provided text being a GitHub navigation page, indicating no specific threat or attack details are available, and therefore serves as a template for future threat intelligence extraction related to AWS ECR container scanning.</description><content:encoded><![CDATA[<p>This brief serves as a placeholder due to the inability to extract meaningful threat intelligence from the provided source, which is a GitHub navigation page. When specific information regarding threats targeting AWS Elastic Container Registry (ECR) becomes available, this brief will be updated with details on threat actors, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The goal is to provide actionable intelligence for detection engineers to proactively defend against emerging threats targeting container images and deployments within AWS ECR. This includes details on vulnerability exploits, malware injection, and other malicious activities affecting containerized environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>Due to the lack of specific threat information, the following attack chain is a hypothetical scenario that could be associated with compromised container images within AWS ECR.</p>
<ol>
<li><strong>Initial Access:</strong> A malicious actor gains unauthorized access to an AWS account with permissions to push images to ECR, potentially through compromised credentials.</li>
<li><strong>Image Modification:</strong> The attacker modifies an existing, legitimate container image or uploads a completely new, malicious image to the ECR repository. This image contains malware or vulnerabilities.</li>
<li><strong>Deployment:</strong> An application deployment pipeline pulls the compromised image from ECR to deploy a new container instance.</li>
<li><strong>Malware Execution:</strong> The malware within the container image executes upon startup, potentially establishing a reverse shell or performing other malicious actions.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the compromised container as a foothold to move laterally within the AWS environment, exploiting misconfigurations or vulnerabilities in other services.</li>
<li><strong>Data Exfiltration/Impact:</strong> The attacker exfiltrates sensitive data from other AWS services or achieves other objectives such as disrupting services or deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack targeting AWS ECR can lead to the compromise of containerized applications, data breaches, and significant disruptions to cloud services. Depending on the severity of the injected malware, this could result in data exfiltration, system downtime, or further compromise of the AWS environment. The impact could affect organizations across various sectors leveraging AWS ECR for containerized deployments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement strong access controls and multi-factor authentication for AWS accounts with permissions to manage ECR repositories.</li>
<li>Regularly scan container images in ECR for vulnerabilities using container scanning tools, such as AWS Inspector or third-party solutions (reference: AWS ECR container scanning mentioned in title).</li>
<li>Monitor AWS CloudTrail logs for suspicious API calls related to ECR image modifications and deployments.</li>
<li>Implement network segmentation to limit the potential impact of compromised containers.</li>
<li>Enforce the principle of least privilege for container deployments to minimize the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>ecr</category><category>container-security</category></item></channel></rss>