<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>RDS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/rds/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/rds/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS RDS DB Instance or Cluster Password Modification</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/</link><pubDate>Wed, 03 Jul 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-rds-password-modified/</guid><description>The modification of the master password for an AWS RDS DB instance or cluster can indicate malicious activity used for persistence, privilege escalation, or defense evasion.</description><content:encoded><![CDATA[<p>This threat brief focuses on the modification of master passwords for AWS RDS DB instances or clusters. While password changes can be legitimate for recovery actions, attackers with sufficient permissions can exploit this to regain access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment. The primary concern arises because RDS does not expose passwords in API responses, making any such modification a meaningful change to access pathways, potentially impacting sensitive data stores. This activity is detected via <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> events in AWS CloudTrail.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account through compromised credentials, exploiting a vulnerable application, or other means.</li>
<li>The attacker enumerates existing RDS DB instances and clusters using AWS CLI or API calls, such as <code>DescribeDBInstances</code>.</li>
<li>The attacker identifies a target RDS DB instance or cluster containing sensitive data or critical functionality.</li>
<li>The attacker executes <code>ModifyDBInstance</code> or <code>ModifyDBCluster</code> via the AWS CLI or API, changing the master user password. This requires appropriate IAM permissions.</li>
<li>The attacker uses the newly modified password to authenticate to the database and gain privileged access.</li>
<li>The attacker performs malicious actions within the database, such as exfiltrating data, modifying data, or creating new accounts with elevated privileges.</li>
<li>The attacker may disable deletion protection or modify backup retention policies to further ensure persistence or cover their tracks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of RDS master passwords can lead to significant data breaches, service disruption, and financial losses. While specific victim numbers and sectors aren't available, the impact of a compromised RDS instance can be severe. If an attacker successfully modifies the password, they can gain complete control over the database, potentially leading to the exfiltration of sensitive information, modification or deletion of critical data, and the compromise of applications relying on the database.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance or Cluster Password Modified&quot; to detect unauthorized password modifications (rule).</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> in AWS CloudTrail logs to identify the source of password modification events (log source).</li>
<li>Limit IAM permissions for <code>rds:ModifyDBInstance</code> and <code>rds:ModifyDBCluster</code>, especially when modifying authentication parameters (reference).</li>
<li>Implement multi-factor authentication (MFA) and role-based access control (RBAC) for DB administrators (reference).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>persistence</category></item><item><title>AWS RDS DB Instance Restored for Defense Evasion or Data Collection</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-rds-restore/</guid><description>Detection of AWS RDS database instance restoration from a snapshot or S3 backup, potentially indicating unauthorized data access, defense evasion, or data collection by adversaries recreating database environments to bypass controls or exfiltrate sensitive data.</description><content:encoded><![CDATA[<p>This rule detects the restoration of an AWS RDS database instance, a technique that can be abused by adversaries for defense evasion or data collection. Attackers may restore databases from snapshots or S3 backups to bypass logging and monitoring, create shadow environments for data exfiltration, or access older data. The activity is triggered by the successful execution of <code>RestoreDBInstanceFromDBSnapshot</code> or <code>RestoreDBInstanceFromS3</code> events within AWS CloudTrail logs. Defenders should monitor for unexpected RDS restores to identify potential malicious activity and data compromise. This activity can occur post-compromise after an attacker gains access to AWS credentials with sufficient privileges to manage RDS instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account through compromised credentials or privilege escalation.</li>
<li>The attacker enumerates available RDS snapshots and S3 backups using AWS CLI or API calls (<code>DescribeDBSnapshots</code>, <code>DescribeDBInstances</code>).</li>
<li>The attacker identifies a target RDS database instance containing sensitive data.</li>
<li>The attacker initiates a <code>RestoreDBInstanceFromDBSnapshot</code> or <code>RestoreDBInstanceFromS3</code> operation to create a new RDS instance from a snapshot or backup.</li>
<li>A new RDS instance is created with the data from the snapshot or backup.</li>
<li>The attacker accesses the restored database instance, bypassing monitoring on the original instance.</li>
<li>The attacker exfiltrates sensitive data from the restored instance.</li>
<li>The attacker may attempt to delete the restored instance and snapshots to remove traces of their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass existing security controls and gain unauthorized access to sensitive data stored within the RDS database. This can lead to data breaches, financial loss, and reputational damage. If the attacker gains access to a production database copy, the impact can be significant, potentially affecting thousands of users. The sectors most likely impacted include those that rely heavily on cloud-based database solutions, such as finance, healthcare, and technology.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS RDS DB Instance Restored&quot; to your SIEM, tuned for your specific environment, to detect unauthorized RDS instance restorations.</li>
<li>Enforce least privilege for <code>rds:RestoreDBInstanceFromDBSnapshot</code> and <code>rds:RestoreDBInstanceFromS3</code> actions using IAM policies, restricting restore actions by network, principal, or region.</li>
<li>Enable AWS CloudTrail logging and monitor for unexpected RDS events, focusing on <code>RestoreDBInstanceFromDBSnapshot</code> and <code>RestoreDBInstanceFromS3</code> actions.</li>
<li>Implement AWS Config and Security Hub controls for monitoring unapproved RDS restores and misconfigured restored instances.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and the snapshot or S3 location used for the restore.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>rds</category><category>defense-evasion</category><category>data-collection</category></item><item><title>AWS RDS Snapshot Export to S3 for Potential Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/</link><pubDate>Wed, 03 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-rds-snapshot-exfiltration/</guid><description>An adversary may export RDS snapshots to Amazon S3 to exfiltrate sensitive data outside of RDS-managed storage, potentially bypassing database access controls and leading to unauthorized data theft.</description><content:encoded><![CDATA[<p>The exporting of RDS (Relational Database Service) snapshots to Amazon S3 buckets can be a legitimate operation for analytics, migration, or backup purposes. However, adversaries can abuse this functionality by exporting sensitive database snapshots to S3 buckets they control or can access, bypassing RDS's built-in security controls. This poses a significant risk of data exfiltration, as the exported snapshot is essentially a portable copy of the database contents. The activity is triggered via the <code>StartExportTask</code> API call. The scope of targeting is broad, as any organization utilizing AWS RDS is potentially vulnerable, with the impact being dependent on the sensitivity of the data stored in the RDS instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account with sufficient privileges to interact with RDS and S3 services. This can be achieved through compromised credentials, privilege escalation, or exploiting misconfigured IAM roles.</li>
<li>The attacker enumerates available RDS instances and identifies those containing sensitive data using <code>DescribeDBSnapshots</code> or similar API calls.</li>
<li>The attacker initiates a snapshot of the target RDS instance, creating a point-in-time copy of the database.</li>
<li>The attacker calls the <code>StartExportTask</code> API to export the RDS snapshot to a specified S3 bucket. This involves specifying the snapshot identifier, the destination S3 bucket name and path, and optionally a KMS key for encryption.</li>
<li>The exported snapshot is stored in the S3 bucket as a set of data files.</li>
<li>The attacker configures the S3 bucket's access controls (ACLs or bucket policies) to allow access from an external AWS account or identity they control.</li>
<li>The attacker downloads the exported snapshot files from the S3 bucket to their local system or a different cloud environment.</li>
<li>The attacker imports the snapshot into a database instance they control, gaining access to the sensitive data contained within the RDS instance. The end objective is successful exfiltration of the database contents to a location outside the organization's control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial data, or trade secrets. The number of affected victims depends on the scope of the compromised AWS environment. Organizations in highly regulated sectors like finance and healthcare are at particularly high risk. The compromise can result in significant financial losses, reputational damage, legal repercussions, and loss of customer trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS RDS Snapshot Export to S3</code> to your SIEM to detect unauthorized RDS snapshot exports by monitoring <code>StartExportTask</code> events in CloudTrail logs.</li>
<li>Implement IAM least-privilege policies to restrict the ability to call <code>StartExportTask</code> to authorized users and roles only, as mentioned in the overview.</li>
<li>Continuously monitor and review S3 bucket ACLs and policies to ensure that access is restricted to authorized principals, as described in the remediation steps.</li>
<li>Enable AWS Config or Security Hub controls to monitor snapshot policy changes and alert for exports to buckets outside approved accounts, per the hardening and preventive controls advice.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>rds</category><category>s3</category><category>exfiltration</category><category>cloudtrail</category></item></channel></rss>