{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ebs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Block Store (EBS)"],"_cs_severities":["medium"],"_cs_tags":["aws","ebs","encryption","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies instances where Amazon Elastic Block Store (EBS) encryption by default is disabled within an AWS region. The default encryption ensures that all new EBS volumes and snapshots are automatically encrypted, protecting data at rest. Disabling this setting, detected via CloudTrail logs, introduces a significant security risk.  Attackers may disable encryption to weaken data protection measures before initiating data exfiltration or tampering with EBS volumes and snapshots. This action can serve as a precursor to data theft or ransomware attacks, as unencrypted volumes are easier to compromise. The rule focuses on the \u003ccode\u003eDisableEbsEncryptionByDefault\u003c/code\u003e event logged by CloudTrail when this configuration change occurs. Elastic has released this rule as part of their detection ruleset on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to execute the \u003ccode\u003eDisableEbsEncryptionByDefault\u003c/code\u003e command, targeting a specific AWS region.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eDisableEbsEncryptionByDefault\u003c/code\u003e event, indicating that default EBS encryption has been disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker creates new EBS volumes within the affected region, which are now unencrypted by default.\u003c/li\u003e\n\u003cli\u003eSensitive data is stored on these newly created, unencrypted EBS volumes.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the data from the unencrypted EBS volumes to an external location.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker might deploy ransomware on instances using the unencrypted volumes, encrypting the data and demanding a ransom.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting or modifying CloudTrail logs, if possible, to hide their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling EBS encryption by default can lead to the creation of unencrypted EBS volumes, exposing sensitive data at rest. A successful attack could result in data theft, data loss, or a ransomware incident. The severity depends on the type and amount of data stored on the affected volumes. Organizations in regulated industries may face compliance violations if sensitive data is stored without encryption. This could potentially impact hundreds or thousands of EBS volumes depending on the period the encryption was disabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect instances of \u003ccode\u003eDisableEbsEncryptionByDefault\u003c/code\u003e in your AWS environment, leveraging CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eReview IAM policies to restrict the \u003ccode\u003eec2:DisableEbsEncryptionByDefault\u003c/code\u003e permission to only authorized administrators.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules and Security Hub controls related to EBS encryption (\u003ccode\u003eec2-ebs-encryption-by-default-enabled\u003c/code\u003e) to continuously monitor this setting, per the overview.\u003c/li\u003e\n\u003cli\u003eAfter detection, use the investigation steps in the original Elastic rule to identify affected resources and remediate the misconfiguration.\u003c/li\u003e\n\u003cli\u003eEnable organization-level service control policies (SCPs) to prevent future disabling of encryption-by-default across accounts, as per the original rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:25:00Z","date_published":"2024-01-09T18:25:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ebs-encryption-disabled/","summary":"Detects when Amazon Elastic Block Store (EBS) encryption by default is disabled in an AWS region, potentially leading to data exposure and weakening data protection against exfiltration or ransomware.","title":"AWS EBS Encryption Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-ebs-encryption-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2","EBS"],"_cs_severities":["medium"],"_cs_tags":["aws","ebs","snapshot","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies the removal of access permissions from shared AWS EC2 EBS snapshots using AWS CloudTrail logs. EBS snapshots are critical for data retention and disaster recovery. Threat actors may attempt to revoke or modify snapshot permissions to prevent legitimate users or processes from accessing backups, which hinders recovery efforts following data loss or destructive actions. This tactic can also be employed to evade detection or maintain exclusive access to sensitive backups, amplifying the impact of attacks and complicating incident response. This behavior matters because successful removal of access can significantly delay or prevent data recovery, leading to prolonged downtime and potential data loss. The rule focuses on identifying \u003ccode\u003eModifySnapshotAttribute\u003c/code\u003e events where access is being removed, specifically looking for changes to \u003ccode\u003eCREATE_VOLUME_PERMISSION\u003c/code\u003e via \u003ccode\u003eremove=\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account, possibly through compromised credentials or exploiting IAM misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available EC2 EBS snapshots within the targeted AWS environment to identify potential targets for disruption.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eModifySnapshotAttribute\u003c/code\u003e API call to remove access permissions from the identified EBS snapshots, specifically targeting the \u003ccode\u003eCREATE_VOLUME_PERMISSION\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eThe request parameters in the CloudTrail logs indicate the removal of access, observed through the presence of \u003ccode\u003e\u0026quot;attributeType=CREATE_VOLUME_PERMISSION\u0026quot;\u003c/code\u003e and \u003ccode\u003e\u0026quot;remove=\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLegitimate users or automated processes attempting to restore data from the affected snapshots will fail, hindering recovery efforts.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat the process across multiple snapshots to maximize the impact and disrupt the entire recovery strategy.\u003c/li\u003e\n\u003cli\u003eThe attacker may also delete snapshots entirely using \u003ccode\u003eDeleteSnapshot\u003c/code\u003e to ensure complete data loss.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective of disrupting business operations, holding data for ransom, or covering tracks by preventing forensic analysis and recovery.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful removal of EBS snapshot access can have significant consequences. Organizations may face extended downtime, data loss, and reputational damage. Depending on the criticality of the affected systems, financial losses and regulatory penalties may also occur. The number of victims and sectors targeted can vary, but any organization relying on AWS for data storage and backup is potentially at risk. If the attack succeeds, the organization's ability to recover from data loss events like ransomware or accidental deletion is severely compromised, potentially leading to irreversible data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS EBS Snapshot Access Removal\u003c/code\u003e to detect unauthorized modification of snapshot access permissions in your AWS environment. Enable AWS CloudTrail logging and ensure logs are ingested to your SIEM (Security Information and Event Management) to enable the rule.\u003c/li\u003e\n\u003cli\u003eReview IAM policies and restrict \u003ccode\u003eec2:ModifySnapshotAttribute\u003c/code\u003e permissions to only trusted administrative roles as mentioned in the rule's investigation steps.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules and Security Hub controls such as \u003ccode\u003eebs-snapshot-public-restorable-check\u003c/code\u003e to provide continuous monitoring and compliance checks, as recommended in the rule's response section.\u003c/li\u003e\n\u003cli\u003eImplement backup immutability using AWS Backup Vault Lock or S3 Object Lock to protect against unauthorized modifications, as mentioned in the response section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, examining \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e to identify the actor and source of the access removal, as indicated in the rule's triage section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-ebs-snapshot-access-removed/","summary":"Detection of AWS EC2 EBS snapshot access permissions removal can indicate malicious attempts to disrupt data recovery, evade detection, or maintain exclusive backup access, leading to increased attack impact and incident response complexity.","title":"AWS EC2 EBS Snapshot Access Permissions Removed","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-ebs-snapshot-access-removed/"}],"language":"en","title":"CraftedSignal Threat Feed - Ebs","version":"https://jsonfeed.org/version/1.1"}