<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bucket_versioning - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bucket_versioning/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bucket_versioning/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Versioning Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-disable-bucket-versioning/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-disable-bucket-versioning/</guid><description>An adversary disables AWS S3 bucket versioning, preventing recovery of deleted or modified data as a potential precursor to data exfiltration or ransomware activity.</description><content:encoded><![CDATA[<p>This detection identifies instances where an AWS user suspends versioning on an S3 bucket. The activity is logged via AWS CloudTrail and surfaced through Amazon Security Lake. This action is performed using the <code>PutBucketVersioning</code> API call and setting the <code>VersioningConfiguration.Status</code> to <code>Suspended</code>. While legitimate administrators may disable versioning for cost reasons, this activity can also be a precursor to malicious actions, such as data exfiltration or ransomware deployment by preventing recovery of previous object versions. Identifying this activity allows defenders to proactively respond to potential data compromise or data loss scenarios.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting an IAM role.</li>
<li>The attacker enumerates existing S3 buckets to identify potential targets for data exfiltration or disruption.</li>
<li>The attacker executes the <code>PutBucketVersioning</code> API call, setting the <code>VersioningConfiguration.Status</code> to <code>Suspended</code> for a target S3 bucket.</li>
<li>The S3 bucket no longer retains previous versions of objects. Any subsequent modification or deletion of objects is permanent.</li>
<li>The attacker uploads malicious files to the S3 bucket, or encrypts existing data rendering it unusable.</li>
<li>The attacker may then attempt to exfiltrate the data from the compromised S3 bucket.</li>
<li>The attacker covers their tracks by deleting CloudTrail logs, if possible.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling S3 bucket versioning can lead to significant data loss, especially in the event of accidental or malicious deletion or modification. This can impact business continuity and recovery efforts. If followed by ransomware activity, the organization may suffer data encryption, system downtime, and financial losses related to recovery and potential ransom payments. The number of affected buckets and the sensitivity of the data contained within them will determine the extent of the impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS S3 Bucket Versioning Suspension</code> to your SIEM and tune for your environment to detect suspicious disabling of bucket versioning.</li>
<li>Investigate any instances of disabled bucket versioning using the provided <code>drilldown_searches</code> to identify the user, source IP, and other related events.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts and IAM roles to reduce the risk of unauthorized access.</li>
<li>Monitor CloudTrail logs for unusual API activity, particularly changes to S3 bucket configurations.</li>
<li>Enforce the principle of least privilege to limit the IAM permissions available to users and roles.</li>
<li>Review bucket access policies to ensure that only authorized users and services have access to sensitive data.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>bucket_versioning</category><category>data_protection</category><category>ransomware</category></item></channel></rss>