<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Traffic-Mirroring - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/traffic-mirroring/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 08 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/traffic-mirroring/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 Traffic Mirroring Abuse for Data Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-08-aws-ec2-traffic-mirroring/</link><pubDate>Mon, 08 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-08-aws-ec2-traffic-mirroring/</guid><description>An attacker creates an Amazon EC2 Traffic Mirroring session to capture and exfiltrate sensitive network traffic from EC2 instances, potentially including unencrypted data.</description><content:encoded><![CDATA[<p>Amazon EC2 Traffic Mirroring is a legitimate AWS feature used for network diagnostics and intrusion detection, but it can be abused by malicious actors to capture sensitive data. This technique involves creating a traffic mirroring session that copies network packets from a source Elastic Network Interface (ENI) to a mirror target (another ENI or Network Load Balancer).  An attacker with sufficient privileges can configure these sessions to capture network traffic, potentially unencrypted, from targeted EC2 instances.  This data can then be exfiltrated or analyzed for sensitive information, such as credentials or proprietary data. This activity is detected via AWS CloudTrail logs related to the <code>CreateTrafficMirrorSession</code> event.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account with sufficient IAM privileges to create and manage EC2 Traffic Mirroring resources.</li>
<li>The attacker uses AWS CLI or the AWS Management Console to discover available EC2 instances and their associated ENIs using <code>DescribeNetworkInterfaces</code> and <code>DescribeInstances</code>.</li>
<li>The attacker creates a <code>TrafficMirrorTarget</code>, specifying either another ENI (owned by the attacker) or a Network Load Balancer (NLB) as the destination for the mirrored traffic.</li>
<li>The attacker creates a <code>TrafficMirrorFilter</code> with ingress and egress rules to capture the desired network traffic, potentially targeting specific ports or protocols.</li>
<li>The attacker creates a <code>TrafficMirrorSession</code>, linking the source ENI, the mirror target, and the traffic mirror filter.</li>
<li>The traffic mirroring session immediately begins copying network packets from the source ENI to the target.</li>
<li>If the target is an ENI owned by the attacker, they can capture the mirrored traffic using tools like <code>tcpdump</code> or <code>Wireshark</code>. If the target is an NLB, the attacker controls the backend instances receiving traffic from the NLB.</li>
<li>The attacker analyzes the captured traffic for sensitive information and exfiltrates the data to an external location.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the compromise of sensitive data, including credentials, proprietary information, and customer data.  The scope of the impact depends on the configuration of the Traffic Mirroring session and the sensitivity of the traffic being mirrored. This can affect an organization's regulatory compliance, financial standing, and reputation. The lack of encryption of mirrored traffic exacerbates the risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS EC2 Traffic Mirroring Session Creation&quot; to detect the creation of traffic mirroring sessions in your environment.</li>
<li>Monitor AWS CloudTrail logs for <code>CreateTrafficMirrorTarget</code>, <code>CreateTrafficMirrorFilter</code>, and <code>CreateTrafficMirrorFilterRule</code> events to detect suspicious creation or modification of traffic mirroring resources.</li>
<li>Enforce least privilege IAM policies to restrict who can create and manage EC2 Traffic Mirroring resources. Specifically, limit permissions for <code>ec2:CreateTrafficMirrorSession</code>, <code>ec2:CreateTrafficMirrorTarget</code>, and <code>ec2:CreateTrafficMirrorFilter</code>.</li>
<li>Implement AWS Service Control Policies (SCPs) or IAM conditions to limit where traffic mirroring sessions can be created (e.g., only into designated monitoring VPCs).</li>
<li>Review existing traffic mirroring configurations to ensure they are authorized and properly secured, referencing the AWS documentation on Traffic Mirroring.</li>
<li>Investigate any <code>CreateTrafficMirrorSession</code> events where the <code>user_agent.original</code> or <code>source.ip</code> is unfamiliar or unexpected.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>ec2</category><category>traffic-mirroring</category><category>exfiltration</category></item></channel></rss>