<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Versioning - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/versioning/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 12 Jul 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/versioning/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Object Versioning Suspended</title><link>https://feed.craftedsignal.io/briefs/2024-07-aws-s3-versioning-disabled/</link><pubDate>Fri, 12 Jul 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-aws-s3-versioning-disabled/</guid><description>Detection of S3 bucket versioning suspension via PutBucketVersioning API call, potentially indicating an attempt to inhibit system recovery by making restoration of deleted or overwritten objects impossible.</description><content:encoded><![CDATA[<p>This detection identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket, enabling easy recovery of deleted or overwritten objects. Adversaries may disable object versioning to inhibit system recovery following malicious activity, such as data deletion or ransomware deployment. Versioning suspension can also facilitate bucket deletion. The rule leverages AWS CloudTrail logs and specifically looks for <code>PutBucketVersioning</code> API calls with a &quot;Status=Suspended&quot; parameter. This activity matters for defenders as it can signify a malicious actor attempting to reduce the recoverability of data within an AWS environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains unauthorized access to an AWS account through compromised credentials or a misconfigured IAM role.</li>
<li>The adversary identifies an S3 bucket containing valuable data or backups.</li>
<li>The adversary executes a <code>PutBucketVersioning</code> API call to suspend versioning on the target S3 bucket. This can be done using the AWS CLI, SDK, or Management Console.</li>
<li>The <code>PutBucketVersioning</code> request includes the parameter <code>Status=Suspended</code>, which disables object versioning for the bucket.</li>
<li>The successful <code>PutBucketVersioning</code> call is logged in AWS CloudTrail.</li>
<li>The adversary proceeds to delete or overwrite objects within the S3 bucket.</li>
<li>Because versioning is suspended, the previous versions of the deleted or overwritten objects are not preserved, preventing easy recovery.</li>
<li>The adversary achieves their objective of hindering system recovery and potentially causing data loss or disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Suspending S3 object versioning can lead to significant data loss and hinder system recovery efforts. If an attacker suspends versioning and then deletes or overwrites objects, the organization may be unable to restore the data to its previous state. This can impact critical business operations, compliance requirements, and incident response capabilities. While specific numbers on victim counts are unavailable, the potential impact is high for organizations relying on S3 for data storage and backup.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect <code>PutBucketVersioning</code> API calls with <code>Status=Suspended</code> in AWS CloudTrail logs.</li>
<li>Enable AWS Config rule <code>s3-bucket-versioning-enabled</code> to continuously monitor for versioning suspension and trigger automated alerts.</li>
<li>Restrict IAM permissions for <code>s3:PutBucketVersioning</code> to trusted administrators only to prevent unauthorized modifications.</li>
<li>Review CloudTrail logs for related actions such as <code>DeleteObject</code>, <code>PutBucketLifecycle</code>, or <code>PutBucketPolicy</code> by the same user or IP to determine whether versioning suspension preceded object deletion or policy manipulation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>versioning</category><category>impact</category></item></channel></rss>