<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Access_key - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/access_key/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/access_key/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM Key Creation with Encryption Policy but Without MFA</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-key-creation-no-mfa/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-key-creation-no-mfa/</guid><description>Detection of AWS IAM users creating access keys with encryption policies applied while failing to use multi-factor authentication, potentially indicating compromised accounts or malicious privilege escalation.</description><content:encoded><![CDATA[<p>This threat brief focuses on identifying potentially malicious activity within Amazon Web Services (AWS) environments related to Identity and Access Management (IAM). Specifically, it addresses the scenario where an IAM user creates a new access key and associates an encryption policy with it, but does not authenticate using multi-factor authentication (MFA). Such behavior can indicate a compromised user account being used to escalate privileges or establish persistent access, or an insider threat attempting to bypass security controls. This activity is important to detect as it allows attackers to encrypt data and make it inaccessible without proper authorization.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through credential theft or other means.</li>
<li>The attacker attempts to create a new IAM user or assume an existing IAM role to gain greater control over AWS resources.</li>
<li>The attacker creates a new access key associated with either the compromised user or newly created/assumed role.</li>
<li>The attacker attaches an encryption policy to the created access key, granting it the ability to encrypt data at rest or in transit.</li>
<li>The creation of the access key and attachment of the encryption policy occurs without requiring MFA, indicating a bypass of security best practices.</li>
<li>The attacker uses the newly created access key to encrypt sensitive data stored in services like S3, EBS, or RDS.</li>
<li>The attacker might then attempt to exfiltrate the encrypted data or hold it for ransom, impacting confidentiality and availability.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized encryption of sensitive data within AWS, rendering it inaccessible to legitimate users without the attacker's keys. This could result in significant business disruption, data loss, and compliance violations. The number of affected resources would depend on the scope of the compromised access key's permissions and the attacker's objectives. The impact could range from encrypting a single critical database to locking down an entire AWS environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS IAM Key Creation with Encryption Policy but Without MFA</code> to your SIEM to detect this specific activity.</li>
<li>Enable and enforce MFA for all IAM users, especially those with administrative privileges or access to sensitive resources, to prevent unauthorized access key creation.</li>
<li>Review IAM policies to ensure least privilege and limit the scope of access keys.</li>
<li>Monitor AWS CloudTrail logs for suspicious IAM activity, including access key creation and policy attachments, as indicated by the logsource in the Sigma rules.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>access_key</category><category>encryption</category><category>mfa</category></item></channel></rss>