{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vpc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2","VPC"],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","security-group","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with overly permissive ingress rules in AWS EC2 VPC security groups. Specifically, it focuses on the addition of rules that allow traffic from any IP address (\u003ccode\u003e0.0.0.0/0\u003c/code\u003e or \u003ccode\u003e::/0\u003c/code\u003e) to common remote access ports such as 21 (FTP), 22 (SSH), 23 (Telnet), 445 (SMB), 3389 (RDP), 5985 (WinRM HTTP), and 5986 (WinRM HTTPS). This configuration significantly increases the attack surface of the targeted EC2 instances, making them vulnerable to brute-force attacks, credential stuffing, and other forms of unauthorized access. Elastic has identified this behavior in their detection rules as of April 2024. The targeted systems are AWS EC2 instances within a VPC.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through compromised AWS credentials or by exploiting a vulnerability in an application running on an EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials or instance access to interact with the AWS EC2 API.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eAuthorizeSecurityGroupIngress\u003c/code\u003e API to modify the security group associated with the target EC2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an ingress rule allowing traffic from any IP address (\u003ccode\u003e0.0.0.0/0\u003c/code\u003e or \u003ccode\u003e::/0\u003c/code\u003e) to a sensitive port (21, 22, 23, 445, 3389, 5985, or 5986). The specific parameters of the request are logged in CloudTrail.\u003c/li\u003e\n\u003cli\u003eThe security group is updated, allowing inbound connections to the target instance from any source IP.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to the exposed port on the EC2 instance, potentially using brute-force attacks or known exploits for the service running on that port.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains unauthorized access to the EC2 instance and can perform malicious activities such as data exfiltration, lateral movement, or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this misconfiguration can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. The number of affected instances depends on the scope of the overly permissive security group. Sectors heavily reliant on cloud infrastructure, such as finance, healthcare, and e-commerce, are particularly at risk. If successful, attackers can achieve complete control over EC2 instances and the data they contain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect insecure security group modifications logged by CloudTrail (\u003ccode\u003eevent.action: AuthorizeSecurityGroupIngress\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAudit existing security groups to identify and remediate overly permissive ingress rules that allow traffic from \u003ccode\u003e0.0.0.0/0\u003c/code\u003e or \u003ccode\u003e::/0\u003c/code\u003e to sensitive ports, referencing the insecure CIDRs in the IOC list.\u003c/li\u003e\n\u003cli\u003eImplement and enforce the principle of least privilege for security group rules, restricting access to specific IP addresses or CIDR blocks that require it.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious activity related to security group modifications, focusing on changes made outside of normal business hours or by unauthorized users (reference log source: \u003ccode\u003eaws.cloudtrail\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T12:00:00Z","date_published":"2024-05-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-security-group-ingress/","summary":"An AWS EC2 VPC security group ingress rule was added to allow traffic from any IP address (0.0.0.0/0 or ::/0) to common remote access ports, potentially exposing instances to unauthorized access and defense evasion.","title":"Insecure AWS EC2 VPC Security Group Ingress Rule Added","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-security-group-ingress/"}],"language":"en","title":"CraftedSignal Threat Feed - VPC","version":"https://jsonfeed.org/version/1.1"}