{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-routing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS EC2","AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","network-routing"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe addition of a new route to an AWS route table can be a sign of malicious activity, especially if the route redirects traffic to an unexpected or unauthorized destination. This activity is typically logged in AWS CloudTrail. Attackers might add routes to intercept network traffic, conduct man-in-the-middle attacks, or impair defenses by routing traffic away from security appliances. Understanding who is performing this action and the destination of the new route is critical for identifying potential threats within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or the AWS Management Console to interact with the EC2 service.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target route table to modify.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eCreateRoute\u003c/code\u003e API call, specifying the destination CIDR block and target (e.g., an internet gateway, virtual private gateway, or network interface).\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the \u003ccode\u003eCreateRoute\u003c/code\u003e event, capturing details of the action, including the user identity, source IP address, and the route table modification.\u003c/li\u003e\n\u003cli\u003eNetwork traffic matching the new route\u0026rsquo;s destination CIDR block is now redirected to the attacker-controlled target.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors and potentially modifies the redirected traffic for reconnaissance or data exfiltration purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of AWS route tables can lead to significant security breaches. An attacker could redirect critical network traffic to a malicious endpoint, enabling them to intercept sensitive data or disrupt services. This could lead to data breaches, financial loss, and reputational damage. The scope of the impact depends on the criticality of the redirected traffic and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect AWS Route Table Modification via CloudTrail\u0026rdquo; Sigma rule to your SIEM and tune for your environment to detect suspicious route creation events in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eCreateRoute\u003c/code\u003e events where the user identity is unexpected or the destination CIDR block and target are suspicious.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eCreateRoute\u003c/code\u003e events and correlate them with other suspicious activities.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to limit who can modify route tables (reference the \u003ccode\u003eeventSource\u003c/code\u003e and \u003ccode\u003eeventName\u003c/code\u003e fields in the rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"/briefs/2024-11-aws-route-added/","summary":"An attacker may add a new route to an AWS route table, potentially redirecting network traffic for malicious purposes such as defense impairment or data exfiltration.","title":"Detect AWS Route Table Modification via CloudTrail","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-route-added/"}],"language":"en","title":"CraftedSignal Threat Feed — Network-Routing","version":"https://jsonfeed.org/version/1.1"}