<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bucket-Replication - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bucket-replication/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bucket-replication/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Replication for Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-bucket-replication-exfiltration/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-bucket-replication-exfiltration/</guid><description>An attacker enables S3 bucket replication to exfiltrate data to an external AWS account by creating a bucket replication rule.</description><content:encoded><![CDATA[<p>This analytic detects the creation of S3 bucket replication rules, which can be abused to exfiltrate data to an attacker-controlled AWS account. The attacker leverages the <code>PutBucketReplication</code> API call within AWS CloudTrail logs to set up replication from a target S3 bucket to a destination bucket, which may be outside of the organization's control. This technique can bypass traditional perimeter defenses since the data transfer occurs within the AWS infrastructure. The activity is significant because it can indicate unauthorized data replication, potentially leading to data breaches and compliance violations. Defenders should monitor these events closely, especially when the destination bucket is outside the organization's AWS account or in an unexpected region.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to an AWS account with sufficient privileges to modify S3 bucket replication settings.</li>
<li>The attacker identifies a target S3 bucket containing sensitive data.</li>
<li>The attacker creates an S3 bucket in an external AWS account under their control.</li>
<li>The attacker uses the <code>PutBucketReplication</code> API call to create a replication rule for the target bucket. The rule specifies the attacker-controlled bucket as the destination.</li>
<li>AWS begins replicating objects from the target bucket to the attacker-controlled bucket.</li>
<li>The attacker monitors the destination bucket to ensure successful data replication.</li>
<li>The attacker downloads the replicated data from their bucket.</li>
<li>The attacker deletes the replication rule to cover their tracks, although CloudTrail logs will still record the event.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to exfiltrate potentially terabytes of data from S3 buckets without triggering typical network-based data exfiltration alerts. This could lead to significant data breaches, affecting customer PII, financial records, or intellectual property. The number of affected users/records depends on the contents of the S3 bucket. This can lead to compliance violations such as GDPR, HIPAA, or PCI DSS.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging for all S3 buckets and monitor for <code>PutBucketReplication</code> events.</li>
<li>Deploy the Sigma rule <code>Detect AWS S3 Bucket Replication Creation</code> to your SIEM and tune for your environment.</li>
<li>Investigate any <code>PutBucketReplication</code> events where the destination bucket is outside of your organization's AWS accounts.</li>
<li>Review S3 bucket policies and IAM roles to ensure least privilege and restrict access to S3 replication settings.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>exfiltration</category><category>bucket-replication</category></item></channel></rss>