{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rds/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RDS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","persistence"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on the modification of master passwords for AWS RDS DB instances or clusters. While password changes can be legitimate for recovery actions, attackers with sufficient permissions can exploit this to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. The primary concern arises because RDS does not expose passwords in API responses, making any such modification a meaningful change to access pathways, potentially impacting sensitive data stores. This activity is detected via \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e events in AWS CloudTrail.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account through compromised credentials, exploiting a vulnerable application, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing RDS DB instances and clusters using AWS CLI or API calls, such as \u003ccode\u003eDescribeDBInstances\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target RDS DB instance or cluster containing sensitive data or critical functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eModifyDBInstance\u003c/code\u003e or \u003ccode\u003eModifyDBCluster\u003c/code\u003e via the AWS CLI or API, changing the master user password. This requires appropriate IAM permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly modified password to authenticate to the database and gain privileged access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions within the database, such as exfiltrating data, modifying data, or creating new accounts with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable deletion protection or modify backup retention policies to further ensure persistence or cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of RDS master passwords can lead to significant data breaches, service disruption, and financial losses. While specific victim numbers and sectors aren't available, the impact of a compromised RDS instance can be severe. If an attacker successfully modifies the password, they can gain complete control over the database, potentially leading to the exfiltration of sensitive information, modification or deletion of critical data, and the compromise of applications relying on the database.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS RDS DB Instance or Cluster Password Modified\u0026quot; to detect unauthorized password modifications (rule).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e in AWS CloudTrail logs to identify the source of password modification events (log source).\u003c/li\u003e\n\u003cli\u003eLimit IAM permissions for \u003ccode\u003erds:ModifyDBInstance\u003c/code\u003e and \u003ccode\u003erds:ModifyDBCluster\u003c/code\u003e, especially when modifying authentication parameters (reference).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) and role-based access control (RBAC) for DB administrators (reference).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/","summary":"The modification of the master password for an AWS RDS DB instance or cluster can indicate malicious activity used for persistence, privilege escalation, or defense evasion.","title":"AWS RDS DB Instance or Cluster Password Modification","url":"https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RDS"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","rds","defense-evasion","data-collection"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis rule detects the restoration of an AWS RDS database instance, a technique that can be abused by adversaries for defense evasion or data collection. Attackers may restore databases from snapshots or S3 backups to bypass logging and monitoring, create shadow environments for data exfiltration, or access older data. The activity is triggered by the successful execution of \u003ccode\u003eRestoreDBInstanceFromDBSnapshot\u003c/code\u003e or \u003ccode\u003eRestoreDBInstanceFromS3\u003c/code\u003e events within AWS CloudTrail logs. Defenders should monitor for unexpected RDS restores to identify potential malicious activity and data compromise. This activity can occur post-compromise after an attacker gains access to AWS credentials with sufficient privileges to manage RDS instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account through compromised credentials or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available RDS snapshots and S3 backups using AWS CLI or API calls (\u003ccode\u003eDescribeDBSnapshots\u003c/code\u003e, \u003ccode\u003eDescribeDBInstances\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target RDS database instance containing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a \u003ccode\u003eRestoreDBInstanceFromDBSnapshot\u003c/code\u003e or \u003ccode\u003eRestoreDBInstanceFromS3\u003c/code\u003e operation to create a new RDS instance from a snapshot or backup.\u003c/li\u003e\n\u003cli\u003eA new RDS instance is created with the data from the snapshot or backup.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the restored database instance, bypassing monitoring on the original instance.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the restored instance.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to delete the restored instance and snapshots to remove traces of their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass existing security controls and gain unauthorized access to sensitive data stored within the RDS database. This can lead to data breaches, financial loss, and reputational damage. If the attacker gains access to a production database copy, the impact can be significant, potentially affecting thousands of users. The sectors most likely impacted include those that rely heavily on cloud-based database solutions, such as finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS RDS DB Instance Restored\u0026quot; to your SIEM, tuned for your specific environment, to detect unauthorized RDS instance restorations.\u003c/li\u003e\n\u003cli\u003eEnforce least privilege for \u003ccode\u003erds:RestoreDBInstanceFromDBSnapshot\u003c/code\u003e and \u003ccode\u003erds:RestoreDBInstanceFromS3\u003c/code\u003e actions using IAM policies, restricting restore actions by network, principal, or region.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and monitor for unexpected RDS events, focusing on \u003ccode\u003eRestoreDBInstanceFromDBSnapshot\u003c/code\u003e and \u003ccode\u003eRestoreDBInstanceFromS3\u003c/code\u003e actions.\u003c/li\u003e\n\u003cli\u003eImplement AWS Config and Security Hub controls for monitoring unapproved RDS restores and misconfigured restored instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and the snapshot or S3 location used for the restore.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/","summary":"Detection of AWS RDS database instance restoration from a snapshot or S3 backup, potentially indicating unauthorized data access, defense evasion, or data collection by adversaries recreating database environments to bypass controls or exfiltrate sensitive data.","title":"AWS RDS DB Instance Restored for Defense Evasion or Data Collection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RDS","S3"],"_cs_severities":["medium"],"_cs_tags":["aws","rds","s3","exfiltration","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe exporting of RDS (Relational Database Service) snapshots to Amazon S3 buckets can be a legitimate operation for analytics, migration, or backup purposes. However, adversaries can abuse this functionality by exporting sensitive database snapshots to S3 buckets they control or can access, bypassing RDS's built-in security controls. This poses a significant risk of data exfiltration, as the exported snapshot is essentially a portable copy of the database contents. The activity is triggered via the \u003ccode\u003eStartExportTask\u003c/code\u003e API call. The scope of targeting is broad, as any organization utilizing AWS RDS is potentially vulnerable, with the impact being dependent on the sensitivity of the data stored in the RDS instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account with sufficient privileges to interact with RDS and S3 services. This can be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available RDS instances and identifies those containing sensitive data using \u003ccode\u003eDescribeDBSnapshots\u003c/code\u003e or similar API calls.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a snapshot of the target RDS instance, creating a point-in-time copy of the database.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eStartExportTask\u003c/code\u003e API to export the RDS snapshot to a specified S3 bucket. This involves specifying the snapshot identifier, the destination S3 bucket name and path, and optionally a KMS key for encryption.\u003c/li\u003e\n\u003cli\u003eThe exported snapshot is stored in the S3 bucket as a set of data files.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the S3 bucket's access controls (ACLs or bucket policies) to allow access from an external AWS account or identity they control.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the exported snapshot files from the S3 bucket to their local system or a different cloud environment.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the snapshot into a database instance they control, gaining access to the sensitive data contained within the RDS instance. The end objective is successful exfiltration of the database contents to a location outside the organization's control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial data, or trade secrets. The number of affected victims depends on the scope of the compromised AWS environment. Organizations in highly regulated sectors like finance and healthcare are at particularly high risk. The compromise can result in significant financial losses, reputational damage, legal repercussions, and loss of customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS RDS Snapshot Export to S3\u003c/code\u003e to your SIEM to detect unauthorized RDS snapshot exports by monitoring \u003ccode\u003eStartExportTask\u003c/code\u003e events in CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eImplement IAM least-privilege policies to restrict the ability to call \u003ccode\u003eStartExportTask\u003c/code\u003e to authorized users and roles only, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eContinuously monitor and review S3 bucket ACLs and policies to ensure that access is restricted to authorized principals, as described in the remediation steps.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config or Security Hub controls to monitor snapshot policy changes and alert for exports to buckets outside approved accounts, per the hardening and preventive controls advice.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/","summary":"An adversary may export RDS snapshots to Amazon S3 to exfiltrate sensitive data outside of RDS-managed storage, potentially bypassing database access controls and leading to unauthorized data theft.","title":"AWS RDS Snapshot Export to S3 for Potential Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - RDS","version":"https://jsonfeed.org/version/1.1"}