{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data_protection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["S3"],"_cs_severities":["high"],"_cs_tags":["aws","s3","bucket_versioning","data_protection","ransomware"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies instances where an AWS user suspends versioning on an S3 bucket. The activity is logged via AWS CloudTrail and surfaced through Amazon Security Lake. This action is performed using the \u003ccode\u003ePutBucketVersioning\u003c/code\u003e API call and setting the \u003ccode\u003eVersioningConfiguration.Status\u003c/code\u003e to \u003ccode\u003eSuspended\u003c/code\u003e. While legitimate administrators may disable versioning for cost reasons, this activity can also be a precursor to malicious actions, such as data exfiltration or ransomware deployment by preventing recovery of previous object versions. Identifying this activity allows defenders to proactively respond to potential data compromise or data loss scenarios.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting an IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing S3 buckets to identify potential targets for data exfiltration or disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003ePutBucketVersioning\u003c/code\u003e API call, setting the \u003ccode\u003eVersioningConfiguration.Status\u003c/code\u003e to \u003ccode\u003eSuspended\u003c/code\u003e for a target S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe S3 bucket no longer retains previous versions of objects. Any subsequent modification or deletion of objects is permanent.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads malicious files to the S3 bucket, or encrypts existing data rendering it unusable.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exfiltrate the data from the compromised S3 bucket.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting CloudTrail logs, if possible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling S3 bucket versioning can lead to significant data loss, especially in the event of accidental or malicious deletion or modification. This can impact business continuity and recovery efforts. If followed by ransomware activity, the organization may suffer data encryption, system downtime, and financial losses related to recovery and potential ransom payments. The number of affected buckets and the sensitivity of the data contained within them will determine the extent of the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS S3 Bucket Versioning Suspension\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious disabling of bucket versioning.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of disabled bucket versioning using the provided \u003ccode\u003edrilldown_searches\u003c/code\u003e to identify the user, source IP, and other related events.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts and IAM roles to reduce the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual API activity, particularly changes to S3 bucket configurations.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege to limit the IAM permissions available to users and roles.\u003c/li\u003e\n\u003cli\u003eReview bucket access policies to ensure that only authorized users and services have access to sensitive data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-disable-bucket-versioning/","summary":"An adversary disables AWS S3 bucket versioning, preventing recovery of deleted or modified data as a potential precursor to data exfiltration or ransomware activity.","title":"AWS S3 Bucket Versioning Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-disable-bucket-versioning/"}],"language":"en","title":"CraftedSignal Threat Feed - Data_protection","version":"https://jsonfeed.org/version/1.1"}