<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Datasync - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/datasync/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/datasync/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Data Exfiltration via DataSync Task Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-datasync-exfiltration/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-datasync-exfiltration/</guid><description>An attacker may create an AWS DataSync task to exfiltrate data from a private AWS location to a public one, leading to data compromise, detected by monitoring AWS CloudTrail logs for the `CreateTask` event from the DataSync service.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting the misuse of AWS DataSync for unauthorized data exfiltration. AWS DataSync is a data transfer service that can be used to move data between on-premises storage and AWS, or between AWS storage services. An attacker with sufficient privileges can create a DataSync task to copy data from a secured or private AWS resource to a publicly accessible location, potentially leading to significant data breaches. The detection logic centers around monitoring AWS CloudTrail logs for the <code>CreateTask</code> event associated with the DataSync service. This activity is a strong indicator of potential data exfiltration if the destination is unexpected or unauthorized. This analytic can help security teams quickly identify and respond to potential data exfiltration attempts via AWS DataSync.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account with sufficient privileges to use the DataSync service.</li>
<li>The attacker identifies a target data source within the AWS environment (e.g., an S3 bucket, an EC2 instance with valuable data).</li>
<li>The attacker creates a DataSync <code>sourceLocationArn</code> pointing to the identified data source.</li>
<li>The attacker configures a <code>destinationLocationArn</code> to point to an external or unauthorized AWS resource (e.g., an attacker-controlled S3 bucket).</li>
<li>The attacker initiates the <code>CreateTask</code> event using the AWS DataSync service, configuring the task to transfer data from the source to the destination.</li>
<li>AWS CloudTrail logs the <code>CreateTask</code> event, including details about the source and destination locations, the user who initiated the task, and other relevant metadata.</li>
<li>The DataSync task executes, transferring data from the source location to the attacker-controlled destination.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the unauthorized exfiltration of sensitive data from an AWS environment. The impact includes potential data breaches, compliance violations (e.g., GDPR, HIPAA), reputational damage, and financial losses. The severity depends on the type and volume of data exfiltrated, as well as the sensitivity of the affected resources. While specific numbers of victims or targeted sectors are not available in the original report, the general impact of data exfiltration can be considered high.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS DataSync Task Creation</code> to your SIEM and tune for your environment to detect suspicious DataSync task creation activities.</li>
<li>Investigate any identified <code>CreateTask</code> events from the DataSync service where the <code>destinationLocationArn</code> is unexpected or unauthorized based on normal business operations (see rule above).</li>
<li>Monitor AWS CloudTrail logs for DataSync <code>CreateTask</code> events, focusing on the source and destination locations to detect unusual data transfer patterns (see log source in rule above).</li>
<li>Implement and enforce the principle of least privilege for AWS IAM roles and policies to limit who can create DataSync tasks and access sensitive data.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>datasync</category><category>data-exfiltration</category><category>cloudtrail</category></item></channel></rss>