{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/access_key/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Identity and Access Management"],"_cs_severities":["medium"],"_cs_tags":["aws","iam","access_key","encryption","mfa"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on identifying potentially malicious activity within Amazon Web Services (AWS) environments related to Identity and Access Management (IAM). Specifically, it addresses the scenario where an IAM user creates a new access key and associates an encryption policy with it, but does not authenticate using multi-factor authentication (MFA). Such behavior can indicate a compromised user account being used to escalate privileges or establish persistent access, or an insider threat attempting to bypass security controls. This activity is important to detect as it allows attackers to encrypt data and make it inaccessible without proper authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through credential theft or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new IAM user or assume an existing IAM role to gain greater control over AWS resources.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new access key associated with either the compromised user or newly created/assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker attaches an encryption policy to the created access key, granting it the ability to encrypt data at rest or in transit.\u003c/li\u003e\n\u003cli\u003eThe creation of the access key and attachment of the encryption policy occurs without requiring MFA, indicating a bypass of security best practices.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created access key to encrypt sensitive data stored in services like S3, EBS, or RDS.\u003c/li\u003e\n\u003cli\u003eThe attacker might then attempt to exfiltrate the encrypted data or hold it for ransom, impacting confidentiality and availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized encryption of sensitive data within AWS, rendering it inaccessible to legitimate users without the attacker's keys. This could result in significant business disruption, data loss, and compliance violations. The number of affected resources would depend on the scope of the compromised access key's permissions and the attacker's objectives. The impact could range from encrypting a single critical database to locking down an entire AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS IAM Key Creation with Encryption Policy but Without MFA\u003c/code\u003e to your SIEM to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eEnable and enforce MFA for all IAM users, especially those with administrative privileges or access to sensitive resources, to prevent unauthorized access key creation.\u003c/li\u003e\n\u003cli\u003eReview IAM policies to ensure least privilege and limit the scope of access keys.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for suspicious IAM activity, including access key creation and policy attachments, as indicated by the logsource in the Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-key-creation-no-mfa/","summary":"Detection of AWS IAM users creating access keys with encryption policies applied while failing to use multi-factor authentication, potentially indicating compromised accounts or malicious privilege escalation.","title":"AWS IAM Key Creation with Encryption Policy but Without MFA","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-key-creation-no-mfa/"}],"language":"en","title":"CraftedSignal Threat Feed - Access_key","version":"https://jsonfeed.org/version/1.1"}