{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/network-acl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Network ACL","Virtual Private Cloud"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","network acl"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects the creation of an AWS Network Access Control List (ACL) that allows traffic on all ports. While not directly indicative of malicious activity, such a configuration significantly broadens the attack surface. An overly permissive ACL makes it easier for attackers to establish unauthorized connections to resources within the VPC and potentially move laterally within the network. It is a common misconfiguration that can lead to data breaches and other security incidents. Defenders should investigate such events to confirm the business justification and ensure appropriate compensating controls are in place.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or by exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the AWS CLI or Management Console to create a new Network ACL.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the Network ACL to allow inbound and outbound traffic on all ports (0-65535), effectively bypassing network segmentation controls.\u003c/li\u003e\n\u003cli\u003eThe attacker associates the newly created, overly permissive Network ACL with one or more subnets within a Virtual Private Cloud (VPC).\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed resources within the subnet to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits vulnerabilities in exposed services, such as databases or web applications, due to the lack of network filtering.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems within the VPC.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCreating an AWS Network ACL with all ports open significantly increases the risk of unauthorized access to resources within a VPC. This misconfiguration can lead to data breaches, service disruptions, and other security incidents. The impact depends on the sensitivity of the data and systems exposed, but could potentially affect thousands of customers if it involves a multi-tenant environment. It is critical to monitor for and remediate overly permissive Network ACLs to maintain a strong security posture.\u003c/p\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/","summary":"An AWS Network Access Control List (ACL) is created with all ports open, potentially exposing resources to unrestricted network access.","title":"AWS Network ACL Created with All Ports Open","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/"}],"language":"en","title":"CraftedSignal Threat Feed - Network ACL","version":"https://jsonfeed.org/version/1.1"}