{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/securityhub/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS Security Hub"],"_cs_severities":["high"],"_cs_tags":["aws","cloud","securityhub","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAttackers with sufficient AWS privileges can manipulate SecurityHub findings to evade detection and maintain persistence within a compromised environment. This involves using SecurityHub\u0026rsquo;s API to either modify existing findings, delete insights altogether, or update insights to mask malicious activity. This activity is conducted via API calls to \u003ccode\u003esecurityhub.amazonaws.com\u003c/code\u003e, specifically targeting the \u003ccode\u003eBatchUpdateFindings\u003c/code\u003e, \u003ccode\u003eDeleteInsight\u003c/code\u003e, \u003ccode\u003eUpdateFindings\u003c/code\u003e, and \u003ccode\u003eUpdateInsight\u003c/code\u003e actions. Successful evasion allows malicious actors to operate without triggering alarms or attracting attention from security personnel, leading to prolonged compromise and potentially greater damage. This is especially critical in production environments where SecurityHub findings are actively monitored.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a misconfigured IAM role (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing SecurityHub findings and insights to identify potential targets for modification or deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eBatchUpdateFindings\u003c/code\u003e API to modify the severity, confidence, or resolution status of specific findings, effectively silencing alerts (T1562.003).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker calls the \u003ccode\u003eUpdateFindings\u003c/code\u003e API to modify individual findings.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003eDeleteInsight\u003c/code\u003e API to remove custom insights that could reveal their activities (T1562).\u003c/li\u003e\n\u003cli\u003eAs another option, the attacker calls the \u003ccode\u003eUpdateInsight\u003c/code\u003e API to modify the criteria of existing insights, causing them to miss malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker validates the changes by querying SecurityHub to confirm that the targeted findings and insights have been successfully altered or removed.\u003c/li\u003e\n\u003cli\u003eThe attacker continues malicious activities, such as data exfiltration or lateral movement, with a reduced risk of detection due to the modified SecurityHub state (TA0005).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful evasion of SecurityHub findings can lead to delayed incident response, prolonged attacker presence within the AWS environment, and increased data exfiltration or system compromise. The impact is particularly severe in production environments where SecurityHub is relied upon for real-time threat detection and alerting. By modifying or deleting findings, attackers can effectively blind security teams, enabling them to operate undetected for extended periods. The number of potential victims is directly proportional to the scale of AWS deployments relying on SecurityHub.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS SecurityHub Findings Evasion\u0026rdquo; to your SIEM and tune for your environment to detect suspicious API calls related to findings manipulation (logsource: aws, service: cloudtrail).\u003c/li\u003e\n\u003cli\u003eReview and harden IAM policies to restrict access to SecurityHub API actions such as \u003ccode\u003eBatchUpdateFindings\u003c/code\u003e, \u003ccode\u003eDeleteInsight\u003c/code\u003e, \u003ccode\u003eUpdateFindings\u003c/code\u003e, and \u003ccode\u003eUpdateInsight\u003c/code\u003e to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts and roles, especially those with permissions to modify SecurityHub configurations.\u003c/li\u003e\n\u003cli\u003eRegularly audit CloudTrail logs for suspicious activity related to SecurityHub configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-aws-securityhub-evasion/","summary":"Attackers can impair defenses by modifying or deleting findings and insights within AWS SecurityHub using API calls such as BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight.","title":"AWS SecurityHub Findings Evasion via API Calls","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-securityhub-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed — Securityhub","version":"https://jsonfeed.org/version/1.1"}