<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Password-Recovery - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/password-recovery/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/password-recovery/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Root Account Password Recovery Request Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-root-password-recovery/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-root-password-recovery/</guid><description>Detection of AWS root account password recovery requests, potentially indicating unauthorized access attempts or legitimate administrative actions requiring verification.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting password recovery requests initiated for the AWS root account. The AWS root account is a highly privileged account, and any unauthorized access or modification attempts should be treated with utmost urgency. The detection mechanism relies on analyzing AWS CloudTrail logs for <code>PasswordRecoveryRequested</code> events originating from <code>signin.amazonaws.com</code>. These events are exclusive to the root user's &quot;Forgot your password?&quot; workflow, differentiating them from password resets for IAM users or federated identities. Successful detection of a password recovery request necessitates immediate investigation to confirm its legitimacy and prevent potential account compromise. This alert matters because unauthorized root account access can lead to complete control over an organization's AWS infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker attempts to gain access to the AWS account, potentially through phishing, credential stuffing, or other initial access vectors.</li>
<li><strong>Password Recovery Request:</strong> The attacker initiates the &quot;Forgot your password?&quot; flow for the root account at <code>signin.amazonaws.com</code>.</li>
<li><strong>CloudTrail Logging:</strong> AWS logs the <code>PasswordRecoveryRequested</code> event with <code>event.provider:signin.amazonaws.com</code> and <code>event.action:PasswordRecoveryRequested</code> in CloudTrail.</li>
<li><strong>Email Notification:</strong> AWS sends a password reset email to the email address associated with the root account.</li>
<li><strong>Credential Reset:</strong> If the attacker gains access to the email, they can click the password reset link and set a new password for the root account.</li>
<li><strong>Successful Login:</strong> The attacker uses the newly reset password to log in to the AWS console as the root user. This generates a <code>ConsoleLogin</code> event.</li>
<li><strong>Privilege Escalation:</strong> Once logged in, the attacker can perform administrative actions, such as creating new IAM users with elevated privileges, modifying security policies, or accessing sensitive data.</li>
<li><strong>Data Exfiltration / Damage:</strong> The attacker exfiltrates sensitive data, deploys malicious infrastructure, or otherwise compromises the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging a compromised AWS root account can have catastrophic consequences. The root user has unrestricted access to all AWS resources within the account, enabling attackers to exfiltrate sensitive data, disrupt critical services, deploy ransomware, or completely take over the environment. Depending on the organization's size and reliance on AWS, the impact can range from financial losses and reputational damage to complete business disruption. The number of potential victims is vast, as many organizations rely on AWS for their cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS Root Password Recovery</code> to your SIEM and tune for your environment to detect password recovery requests.</li>
<li>Investigate any triggered alerts from the <code>Detect AWS Root Password Recovery</code> rule by validating the source IP address and user agent.</li>
<li>Enable multi-factor authentication (MFA) on the root account to prevent unauthorized access, as documented in the AWS documentation link provided in the references.</li>
<li>Monitor for subsequent <code>ConsoleLogin</code> events after a <code>PasswordRecoveryRequested</code> event to detect potential unauthorized logins using the Sigma rule <code>Detect AWS Root Login After Password Reset</code>.</li>
<li>Review AWS CloudTrail logs for related events such as <code>CreateAccessKey</code>, <code>CreateUser</code>, or <code>AttachUserPolicy</code> shortly after a password recovery request.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>initial-access</category><category>password-recovery</category></item></channel></rss>