<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network ACL - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/network-acl/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/network-acl/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Network ACL Created with All Ports Open</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-acl-open-ports/</guid><description>An AWS Network Access Control List (ACL) is created with all ports open, potentially exposing resources to unrestricted network access.</description><content:encoded><![CDATA[<p>This alert detects the creation of an AWS Network Access Control List (ACL) that allows traffic on all ports. While not directly indicative of malicious activity, such a configuration significantly broadens the attack surface. An overly permissive ACL makes it easier for attackers to establish unauthorized connections to resources within the VPC and potentially move laterally within the network. It is a common misconfiguration that can lead to data breaches and other security incidents. Defenders should investigate such events to confirm the business justification and ensure appropriate compensating controls are in place.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, possibly through compromised credentials or by exploiting a misconfigured IAM role.</li>
<li>The attacker leverages the AWS CLI or Management Console to create a new Network ACL.</li>
<li>The attacker configures the Network ACL to allow inbound and outbound traffic on all ports (0-65535), effectively bypassing network segmentation controls.</li>
<li>The attacker associates the newly created, overly permissive Network ACL with one or more subnets within a Virtual Private Cloud (VPC).</li>
<li>The attacker probes the exposed resources within the subnet to identify potential targets.</li>
<li>The attacker exploits vulnerabilities in exposed services, such as databases or web applications, due to the lack of network filtering.</li>
<li>The attacker gains unauthorized access to sensitive data or systems within the VPC.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Creating an AWS Network ACL with all ports open significantly increases the risk of unauthorized access to resources within a VPC. This misconfiguration can lead to data breaches, service disruptions, and other security incidents. The impact depends on the sensitivity of the data and systems exposed, but could potentially affect thousands of customers if it involves a multi-tenant environment. It is critical to monitor for and remediate overly permissive Network ACLs to maintain a strong security posture.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>network acl</category></item></channel></rss>