<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sns - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sns/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 22 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sns/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS SNS Rare Protocol Subscription by User</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/</link><pubDate>Fri, 22 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/</guid><description>A user subscribing to an SNS topic using a new protocol may indicate data exfiltration or unauthorized access by an adversary aiming to collect sensitive information or exfiltrate data.</description><content:encoded><![CDATA[<p>This detection identifies when a user subscribes to an Amazon Simple Notification Service (SNS) topic using a protocol type that is new for that user. SNS allows subscriptions via various protocols, including email, SMS, Lambda functions, and HTTP endpoints. An adversary might exploit this feature to collect sensitive information or exfiltrate data by subscribing with an external email address, a cross-account AWS service, or other means. This &quot;new terms&quot; rule specifically triggers when a previously unseen protocol is used for a subscription by a given user, helping to surface potentially malicious or anomalous activity within an AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.</li>
<li>The attacker identifies an SNS topic containing sensitive data or acting as a conduit for valuable information.</li>
<li>The attacker uses the AWS CLI or API to subscribe to the targeted SNS topic.</li>
<li>The attacker selects a rare or unusual protocol for the subscription, such as an external email address, an HTTP endpoint on a rogue server, or a Lambda function under their control.</li>
<li>The attacker configures the subscription to forward messages from the SNS topic to the chosen endpoint.</li>
<li>When messages are published to the SNS topic, they are automatically delivered to the attacker-controlled endpoint.</li>
<li>The attacker receives the exfiltrated data via the chosen protocol.</li>
<li>The attacker covers their tracks by deleting CloudTrail logs or creating new subscriptions and deleting the original.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the exfiltration of sensitive data, unauthorized access to internal systems, or resource hijacking within the AWS environment. The severity depends on the sensitivity of the data transmitted through the SNS topic and the permissions associated with the compromised AWS account. This could result in financial loss, reputational damage, or legal repercussions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;AWS SNS Rare Protocol Subscription by User&quot; rule to your SIEM and tune the <code>history_window_start</code> to reduce false positives based on your environment.</li>
<li>Investigate any alerts generated by the &quot;AWS SNS Rare Protocol Subscription by User&quot; rule, focusing on the <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.request_parameters</code> fields to determine the actor and the protocol used.</li>
<li>Review IAM policies associated with users who trigger this alert to ensure the principle of least privilege.</li>
<li>Monitor CloudTrail logs for subsequent <code>Publish</code> actions on the same SNS topic to detect potential data exfiltration attempts.</li>
<li>Configure alerts for any unauthorized modifications to SNS topic policies or subscriptions.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>sns</category><category>exfiltration</category></item><item><title>AWS SNS Topic Message Publish by Rare User</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/</guid><description>This rule identifies when an SNS topic message is published by a rare user in AWS, which may indicate lateral movement, data exfiltration, or phishing campaigns, potentially leading to resource hijacking and impact on cloud services.</description><content:encoded><![CDATA[<p>This detection rule identifies when a user or role publishes a message to an Amazon Simple Notification Service (SNS) topic for the first time. Attackers may abuse SNS topics for various malicious purposes, including internal spearphishing, data exfiltration, or lateral movement within the AWS environment. SNS topics are used to send notifications and messages to subscribed endpoints such as applications, mobile devices, or email addresses. A successful attack could lead to sensitive data being exposed or malicious content being distributed to a wide range of recipients. This rule leverages a &quot;new terms&quot; approach, focusing on identifying previously unseen behavior to surface potentially suspicious activity. It helps security teams detect unusual SNS activity and investigate potential security breaches in AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS environment, potentially through compromised credentials or exploiting a misconfigured IAM role.</li>
<li>The attacker discovers accessible SNS topics within the AWS environment using AWS CLI or SDKs.</li>
<li>The attacker identifies an SNS topic with a broad subscription base, such as one connected to an internal communications channel.</li>
<li>The attacker publishes a malicious message to the SNS topic using the AWS CLI, SDK, or AWS Management Console, utilizing a rare or new user account.</li>
<li>The SNS service delivers the message to all subscribed endpoints, including applications, mobile devices, or email addresses.</li>
<li>Recipients of the malicious message may be tricked into clicking on a phishing link or downloading malicious content, leading to further compromise of their systems.</li>
<li>The attacker may leverage the compromised systems for lateral movement, data exfiltration, or other malicious activities.</li>
<li>The attacker achieves impact by spreading malware, stealing sensitive information, or disrupting business operations through the compromised systems and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack exploiting SNS topics can lead to several negative consequences. Internal spearphishing attacks could compromise employees and sensitive data. Data exfiltration through SNS messages may lead to regulatory violations and reputational damage. Resource hijacking could allow attackers to leverage AWS resources for malicious purposes, increasing costs and potentially disrupting services. Organizations in any sector that rely on AWS for their infrastructure are vulnerable, and the number of potential victims depends on the scope and reach of the SNS topic subscriptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging for SNS data events to ensure the necessary logs are captured (reference: setup section).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect rare users publishing SNS messages (reference: rules section). Tune the <code>history_window_start</code> parameter in the rule to match your environment's baseline.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.resources.arn</code> to identify the actor and SNS topic involved (reference: rule.investigation_fields).</li>
<li>Review IAM policies associated with users and roles publishing to SNS topics to ensure appropriate permissions are enforced and minimize potential misuse (reference: T1534, T1496).</li>
<li>Monitor for unusual API calls related to SNS, such as <code>AssumeRole</code> or <code>CreateAccessKey</code>, associated with the rare user (reference: T1102).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>sns</category><category>lateral-movement</category><category>exfiltration</category><category>impact</category></item><item><title>AWS SNS Topic Created by Rare User</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/</guid><description>An AWS SNS topic was created by a user who does not typically perform this action, potentially indicating resource development for data exfiltration or other malicious activities.</description><content:encoded><![CDATA[<p>This detection identifies when an AWS Simple Notification Service (SNS) topic is created by a user or role that doesn't typically perform this action. Adversaries might create SNS topics to stage capabilities for data exfiltration, lateral movement, or other malicious activities within the AWS environment. This detection leverages a &quot;New Terms&quot; rule, specifically designed to flag the initial occurrence of this behavior for a given user or role within an AWS account. The rule focuses on identifying anomalous SNS topic creation events, providing an early warning signal for potentially malicious activity related to resource development within AWS. It is triggered by the <code>CreateTopic</code> event in AWS CloudTrail logs, ensuring comprehensive coverage of SNS topic creation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role. (T1566)</li>
<li>The attacker attempts to create a new SNS topic using the AWS CLI, SDK, or Console. The <code>CreateTopic</code> API call is made.</li>
<li>The <code>CreateTopic</code> request includes parameters such as the topic name, display name, and other attributes related to the SNS topic configuration.</li>
<li>AWS CloudTrail logs the <code>CreateTopic</code> event, capturing details such as the user identity (ARN, type, access key ID), source IP, user agent, and request parameters.</li>
<li>The &quot;New Terms&quot; rule analyzes the CloudTrail logs and identifies that the user or role creating the SNS topic has not previously performed this action within the observed timeframe.</li>
<li>The newly created SNS topic can be used by the attacker to subscribe to events and receive notifications about activities within the AWS environment. (T1496)</li>
<li>The attacker can then configure the SNS topic to trigger Lambda functions or S3 events, which allows persistence in the environment.</li>
<li>Ultimately, the adversary may use the SNS topic for data exfiltration, lateral movement, or other malicious purposes, leveraging the messaging capabilities of SNS.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to stage capabilities within the AWS environment. While creating an SNS topic is not inherently malicious, it can be a precursor to more serious attacks. Depending on the subsequent actions taken by the attacker, this could lead to data exfiltration, resource hijacking, or other forms of impact within the AWS infrastructure. The severity depends on the scope of access available to the compromised user or role and the configurations of the newly created SNS topic.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unusual SNS topic creation activities (see rule: &quot;AWS SNS Topic Created by Rare User&quot;).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and request parameters associated with the SNS topic creation event.</li>
<li>Monitor for further SNS modifications, such as Publish or Subscribe events, following the initial topic creation event (see Overview).</li>
<li>Enforce least privilege IAM policies and enable multi-factor authentication (MFA) to reduce the risk of unauthorized access to AWS resources (see Overview).</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>sns</category><category>resource-development</category><category>impact</category></item></channel></rss>