{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/traffic-mirroring/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EC2 Traffic Mirroring"],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","traffic-mirroring","exfiltration"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAmazon EC2 Traffic Mirroring is a legitimate AWS feature used for network diagnostics and intrusion detection, but it can be abused by malicious actors to capture sensitive data. This technique involves creating a traffic mirroring session that copies network packets from a source Elastic Network Interface (ENI) to a mirror target (another ENI or Network Load Balancer).  An attacker with sufficient privileges can configure these sessions to capture network traffic, potentially unencrypted, from targeted EC2 instances.  This data can then be exfiltrated or analyzed for sensitive information, such as credentials or proprietary data. This activity is detected via AWS CloudTrail logs related to the \u003ccode\u003eCreateTrafficMirrorSession\u003c/code\u003e event.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account with sufficient IAM privileges to create and manage EC2 Traffic Mirroring resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or the AWS Management Console to discover available EC2 instances and their associated ENIs using \u003ccode\u003eDescribeNetworkInterfaces\u003c/code\u003e and \u003ccode\u003eDescribeInstances\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a \u003ccode\u003eTrafficMirrorTarget\u003c/code\u003e, specifying either another ENI (owned by the attacker) or a Network Load Balancer (NLB) as the destination for the mirrored traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a \u003ccode\u003eTrafficMirrorFilter\u003c/code\u003e with ingress and egress rules to capture the desired network traffic, potentially targeting specific ports or protocols.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a \u003ccode\u003eTrafficMirrorSession\u003c/code\u003e, linking the source ENI, the mirror target, and the traffic mirror filter.\u003c/li\u003e\n\u003cli\u003eThe traffic mirroring session immediately begins copying network packets from the source ENI to the target.\u003c/li\u003e\n\u003cli\u003eIf the target is an ENI owned by the attacker, they can capture the mirrored traffic using tools like \u003ccode\u003etcpdump\u003c/code\u003e or \u003ccode\u003eWireshark\u003c/code\u003e. If the target is an NLB, the attacker controls the backend instances receiving traffic from the NLB.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured traffic for sensitive information and exfiltrates the data to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, including credentials, proprietary information, and customer data.  The scope of the impact depends on the configuration of the Traffic Mirroring session and the sensitivity of the traffic being mirrored. This can affect an organization's regulatory compliance, financial standing, and reputation. The lack of encryption of mirrored traffic exacerbates the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS EC2 Traffic Mirroring Session Creation\u0026quot; to detect the creation of traffic mirroring sessions in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eCreateTrafficMirrorTarget\u003c/code\u003e, \u003ccode\u003eCreateTrafficMirrorFilter\u003c/code\u003e, and \u003ccode\u003eCreateTrafficMirrorFilterRule\u003c/code\u003e events to detect suspicious creation or modification of traffic mirroring resources.\u003c/li\u003e\n\u003cli\u003eEnforce least privilege IAM policies to restrict who can create and manage EC2 Traffic Mirroring resources. Specifically, limit permissions for \u003ccode\u003eec2:CreateTrafficMirrorSession\u003c/code\u003e, \u003ccode\u003eec2:CreateTrafficMirrorTarget\u003c/code\u003e, and \u003ccode\u003eec2:CreateTrafficMirrorFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement AWS Service Control Policies (SCPs) or IAM conditions to limit where traffic mirroring sessions can be created (e.g., only into designated monitoring VPCs).\u003c/li\u003e\n\u003cli\u003eReview existing traffic mirroring configurations to ensure they are authorized and properly secured, referencing the AWS documentation on Traffic Mirroring.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eCreateTrafficMirrorSession\u003c/code\u003e events where the \u003ccode\u003euser_agent.original\u003c/code\u003e or \u003ccode\u003esource.ip\u003c/code\u003e is unfamiliar or unexpected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:00:00Z","date_published":"2024-01-08T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-08-aws-ec2-traffic-mirroring/","summary":"An attacker creates an Amazon EC2 Traffic Mirroring session to capture and exfiltrate sensitive network traffic from EC2 instances, potentially including unencrypted data.","title":"AWS EC2 Traffic Mirroring Abuse for Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-08-aws-ec2-traffic-mirroring/"}],"language":"en","title":"CraftedSignal Threat Feed - Traffic-Mirroring","version":"https://jsonfeed.org/version/1.1"}