{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/aws/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. 
Kernel version information (e.g., from \u003ccode\u003euname -r\u003c/code\u003e) is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts only with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG socket interface (the userspace API to the kernel crypto subsystem; the affected code is the algif_aead module), the splice() system call, and improper error handling during a failed in-place copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction yields a controlled 4-byte overwrite in the kernel page cache, corrupting the cached contents of a file the attacker can read but not write, such as a setuid-root binary. The on-disk file is untouched; only the in-memory copy changes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Because the kernel executes a binary from its cached pages, running the corrupted setuid-root binary executes attacker-controlled code with root privileges, leaving the attacker with a process running as UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e With the privilege boundary broken, the attacker can disable or bypass SELinux/AppArmor confinement and other local security controls that assume the boundary holds.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker uses the root privileges gained to move laterally or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 yields full root privilege escalation, with high impact to confidentiality, integrity, and availability. This can facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. 
The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability (one interpreted script, no compilation, works across distributions) make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and kernel versions in your environment and prioritize patching (CVE-2026-31431); the fix only takes effect once hosts are running the patched kernel (reboot or live patch).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, a directory exploit PoCs commonly use for staging, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for AF_ALG socket creation events, as described in the Attack Chain, using the provided Sigma rule; few workloads use the kernel crypto API from userspace, so such sockets opened by unprivileged processes are a strong signal once the known legitimate users are baselined.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, remember that this is a local vulnerability: interim controls should limit who can run code on unpatched hosts (isolate untrusted workloads, restrict access to CI runners and shared nodes); network isolation alone does not stop a local user from exploiting it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS S3","AWS CloudTrail"],"_cs_severities":["low"],"_cs_tags":["aws","s3","cloudtrail","discovery","enumeration","reconnaissance"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 bucket-configuration APIs against many buckets from the same source IP address within a short timeframe. 
This pattern is often associated with reconnaissance, security scanning tools, or post-compromise enumeration. The same behavior is produced by CSPM tools (the main source of benign matches) and has been observed from threat actors such as Team PCP. The detection excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It only considers events where the resource and identity fields are populated, so null values do not skew the distinct count. The threshold is more than 15 distinct \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e values within a 10-second window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. (T1078)\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the obtained credentials, creating a programmatic session.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of \u003ccode\u003eGetBucketAcl\u003c/code\u003e, \u003ccode\u003eGetBucketPublicAccessBlock\u003c/code\u003e, \u003ccode\u003eGetBucketPolicy\u003c/code\u003e, \u003ccode\u003eGetBucketPolicyStatus\u003c/code\u003e, and \u003ccode\u003eGetBucketVersioning\u003c/code\u003e API calls to S3.\u003c/li\u003e\n\u003cli\u003eThese API calls target many distinct S3 buckets within a short timeframe (10 seconds), typically from a script iterating over the output of \u003ccode\u003eListBuckets\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker collects information about each bucket\u0026rsquo;s access control list (ACL), public access block, policy, versioning status, and other metadata. 
(T1526, T1580, T1619)\u003c/li\u003e\n\u003cli\u003eThe collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the identified misconfigurations (public buckets, over-permissive bucket policies) to read and exfiltrate data. (T1530)\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of S3 buckets can reveal sensitive data, misconfigurations, and publicly accessible resources, which can lead to data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration lets an attacker map the S3 storage landscape and pick targets for data exfiltration or privilege escalation. The speed of the enumeration points to automated scanning or reconnaissance and may be the first visible stage of a larger campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source IP address (\u003ccode\u003esource.ip\u003c/code\u003e), AWS principal ARN (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e), and the list of accessed buckets (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for related events, such as \u003ccode\u003eListBuckets\u003c/code\u003e, 
\u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003eAssumeRole\u003c/code\u003e, or IAM changes, occurring within ±30 minutes of the detected enumeration activity. Note that \u003ccode\u003eGetObject\u003c/code\u003e is an S3 data event and is only recorded if data-event logging is enabled on the trail; a management-events-only trail will not show the follow-on reads.\u003c/li\u003e\n\u003cli\u003eImplement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.\u003c/li\u003e\n\u003cli\u003eDocument approved scanning accounts and add filters for those identities (and, secondarily, their user agents) to the provided Sigma rule to reduce noise; the user agent is client-supplied and trivially spoofed, so it should not be the only exclusion criterion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-01-aws-s3-bucket-discovery/","summary":"An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.","title":"Rapid Enumeration of AWS S3 Buckets","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cloud","aws","cloudtrail","discovery"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious AWS reconnaissance activity originating from the AWS CLI. It triggers when a single AWS identity (IAM user or role) makes more than five unique discovery-related API calls (such as \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, or \u003ccode\u003eGenerate*\u003c/code\u003e) within a 10-second window. The rule is designed to detect adversaries attempting to map out an AWS environment after gaining unauthorized access through compromised credentials or a compromised EC2 instance. The rule focuses on API calls related to key AWS services like EC2, IAM, S3, and KMS. 
This rule helps defenders identify and respond to early-stage reconnaissance activity, preventing further exploitation or data exfiltration. The rule excludes activity from AWS service accounts and the AWS Management Console, and it requires a minimum stack version of 9.2.0 with AWS integration version 4.6.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to an AWS environment, potentially through compromised credentials or by compromising an EC2 instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Usage:\u003c/strong\u003e The attacker leverages the AWS CLI to interact with the AWS environment using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker initiates a series of discovery API calls to gather information about the AWS infrastructure. This includes using \u003ccode\u003eDescribe*\u003c/code\u003e, \u003ccode\u003eList*\u003c/code\u003e, \u003ccode\u003eGet*\u003c/code\u003e, and \u003ccode\u003eGenerate*\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Enumeration:\u003c/strong\u003e The attacker enumerates various AWS resources, including EC2 instances, IAM roles, S3 buckets, and KMS keys, by querying their respective APIs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Identification:\u003c/strong\u003e The attacker analyzes the gathered information to identify potential targets for further exploitation, such as vulnerable EC2 instances or misconfigured S3 buckets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised credentials have limited permissions, the attacker might attempt to escalate privileges to gain broader access to the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement 
(Optional):\u003c/strong\u003e The attacker might attempt to move laterally to other AWS accounts or services to expand their reach and impact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e Based on the attacker\u0026rsquo;s goals, they may attempt to exfiltrate sensitive data or cause disruption by modifying or deleting resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to sensitive data, such as customer information, intellectual property, or financial records. The attacker could also disrupt business operations by modifying or deleting critical resources. Identifying and responding to such activity in a timely manner can help prevent significant damage and maintain the security and integrity of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to your SIEM and tune for your environment to detect the described reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all AWS regions and accounts in your organization to ensure the required logs are available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the affected AWS identity, the source IP address, and the specific API calls made (as captured by the Sigma rule).\u003c/li\u003e\n\u003cli\u003eIf suspicious activity is confirmed, follow AWS\u0026rsquo;s incident-handling guidance, including disabling or rotating the access key used and restricting outbound connectivity from the source (reference the AWS Security Incident Response Guide).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T19:43:38Z","date_published":"2026-05-01T19:43:38Z","id":"/briefs/2024-11-aws-discovery-api-calls/","summary":"This rule detects when a 
single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI, potentially indicating reconnaissance activity following credential compromise or compromised EC2 instance access.","title":"AWS Discovery API Calls via CLI from a Single Resource","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IMDS","GCP Compute Metadata","Azure IMDS"],"_cs_severities":["high"],"_cs_tags":["kubernetes","cloud","credential_access","execution"],"_cs_type":"advisory","_cs_vendors":["AWS","Google","Azure"],"content_html":"\u003cp\u003eThis alert focuses on detecting Kubernetes pod exec sessions that attempt to access cloud instance metadata endpoints. The activity is flagged when the decoded command line of a pod exec session contains references to cloud instance metadata services across AWS, GCP, and Azure. Attackers may exploit this to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor. This is a high-risk behavior because it can expose short-lived cloud credentials to code running inside a container, particularly concerning in multi-tenant and regulated environments. 
This detection classifies the cloud target (AWS, GCP, or Azure) and whether the command indicates credential theft (a request for a credential-bearing path) or reconnaissance (a request for instance attributes).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Kubernetes cluster.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a pod it is permitted to exec into (i.e., a namespace where it holds \u003ccode\u003epods/exec\u003c/code\u003e rights).\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ekubectl exec\u003c/code\u003e (or the underlying API call) to run commands in the pod.\u003c/li\u003e\n\u003cli\u003eInside the pod, the attacker crafts a request to the cloud instance metadata service (IMDS) endpoint, 169.254.169.254 on all three providers (also reachable as \u003ccode\u003emetadata.google.internal\u003c/code\u003e on GCP).\u003c/li\u003e\n\u003cli\u003eThe command, often using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e, attempts to retrieve sensitive information such as IAM role credentials, identity tokens, or instance attributes.\u003c/li\u003e\n\u003cli\u003eThe IMDS responds with the requested data, which may include the node\u0026rsquo;s short-lived credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen credentials from the pod.\u003c/li\u003e\n\u003cli\u003eUsing the harvested credentials from outside the cluster, the attacker escalates privileges, moves laterally, compromises other cloud resources, or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised node credentials can lead to unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. A successful attack could impact multiple organizations sharing the same Kubernetes cluster. 
The impact could include financial losses, reputational damage, and regulatory fines, depending on the type of data compromised and the extent of the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKubernetes Pod Exec IMDS Access\u003c/code\u003e to detect exec sessions whose decoded command line references a metadata endpoint. The rule only sees the command passed to the exec API; commands typed into an interactive shell opened via exec travel over the stream and never reach the audit log, so pair it with in-pod process monitoring.\u003c/li\u003e\n\u003cli\u003eBlock access to the cloud instance metadata endpoint (169.254.169.254) from within Kubernetes pods using network policies. On AWS, additionally require IMDSv2 with the response hop limit set to 1, so that pod traffic routed through the node cannot reach IMDS (pods using host networking are not covered by this).\u003c/li\u003e\n\u003cli\u003eRegularly review and tighten RBAC permissions related to \u003ccode\u003epods/exec\u003c/code\u003e to limit the ability of attackers to gain shell access.\u003c/li\u003e\n\u003cli\u003eMonitor cloud audit logs for suspicious STS or token issuance events correlated with Kubernetes pod exec events.\u003c/li\u003e\n\u003cli\u003eImplement workload identity solutions so that pods receive their own scoped credentials and the node\u0026rsquo;s instance metadata never needs to be reachable from them.\u003c/li\u003e\n\u003cli\u003eBaseline approved images and tune exclusions narrowly to avoid false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kubernetes-metadata-access/","summary":"Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.","title":"Kubernetes Pod Exec Cloud Instance Metadata Access","url":"https://feed.craftedsignal.io/briefs/2024-01-kubernetes-metadata-access/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS","version":"https://jsonfeed.org/version/1.1"}
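The Copy Fail brief recommends watching for AF_ALG socket creation and for process execution from /tmp. The following is an added example of what that looks like over raw auditd records; it is not code from the feed or from the CVE's reporters. The log lines are constructed, and the field layout assumes a default x86_64 auditd setup (key=value SYSCALL records, syscall arguments logged as bare hex, and `exe=` on an execve record naming the program that was run). The correlation step is a tuning suggestion: one login session doing both within a minute matches the PoC pattern far better than either event alone.

```python
"""Audit-log checks for the two behaviours the Copy Fail brief recommends
monitoring: AF_ALG socket creation and process execution from /tmp.

Added example, not code from the original feed or from the CVE's reporters.
The log lines below are constructed. Field layout assumes a default x86_64
auditd setup: SYSCALL records carry key=value pairs, syscall arguments are
logged as bare hex, and `exe=` on an execve record names the executed program.
"""
import re
from typing import Dict, List, Tuple

AF_ALG = 38          # linux/socket.h: address family of the kernel crypto API
SOCKET_NR = "41"     # x86_64 syscall numbers (assumption: arch=c000003e records)
EXECVE_NR = "59"
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+\.\d+):")


def parse_record(line: str) -> Dict[str, str]:
    """One audit record -> dict; quoted values lose their quotes, _ts is the epoch time."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = TS_RE.search(line)
    rec["_ts"] = float(m.group(1)) if m else 0.0
    return rec


def is_af_alg_socket(rec: Dict[str, str]) -> bool:
    """Successful socket() whose domain argument (a0, logged in hex) is AF_ALG."""
    if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
        return False
    if rec.get("syscall") not in (SOCKET_NR, "socket"):
        return False
    try:
        return int(rec.get("a0", ""), 16) == AF_ALG
    except ValueError:
        return False


def is_tmp_exec(rec: Dict[str, str]) -> bool:
    """Successful execve of a binary that lives in a world-writable temp directory."""
    if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
        return False
    if rec.get("syscall") not in (EXECVE_NR, "execve"):
        return False
    return rec.get("exe", "").startswith(TMP_DIRS)


def scan(lines, ignore_root: bool = True) -> List[Dict]:
    """One alert per matching record. uid 0 is skipped by default because the
    brief's attacker starts unprivileged; pass ignore_root=False to hunt post-escalation."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if ignore_root and rec.get("uid") == "0":
            continue
        if is_af_alg_socket(rec):
            reason = "af_alg_socket"
        elif is_tmp_exec(rec):
            reason = "tmp_exec"
        else:
            continue
        alerts.append({"reason": reason, "auid": rec.get("auid"), "pid": rec.get("pid"),
                       "comm": rec.get("comm"), "exe": rec.get("exe"), "ts": rec["_ts"]})
    return alerts


def correlate(alerts: List[Dict], window_s: float = 60.0) -> List[Tuple[str, float]]:
    """Escalate when one login session (auid) both opened an AF_ALG socket and ran
    something from /tmp within window_s. Returns (auid, time of the earlier event)."""
    by_auid: Dict[str, List[Dict]] = {}
    for a in alerts:
        by_auid.setdefault(a["auid"], []).append(a)
    hits = []
    for auid, evs in by_auid.items():
        socks = [e["ts"] for e in evs if e["reason"] == "af_alg_socket"]
        execs = [e["ts"] for e in evs if e["reason"] == "tmp_exec"]
        hits += [(auid, min(s, x)) for s in socks for x in execs if abs(s - x) <= window_s]
    return hits


# Constructed sample records, not real logs. a0=26 is hex for 38 (AF_ALG); a1=5 is SOCK_SEQPACKET.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1777690000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="sockets"',
    'type=SYSCALL msg=audit(1777690000.102:502): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 ppid=2345 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 comm="stage2" exe="/tmp/.x/stage2" key="exec"',
    'type=SYSCALL msg=audit(1777690000.200:503): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 ppid=1 pid=900 auid=4294967295 uid=33 gid=33 euid=33 comm="nginx" exe="/usr/sbin/nginx" key="sockets"',
    'type=SYSCALL msg=audit(1777690000.300:504): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=950 auid=4294967295 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="sockets"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("correlated sessions:", correlate(found))
```

The nginx record (AF_INET, a0=2) and the root-owned AF_ALG socket are deliberately included: the first shows that only the address family matters, the second that a uid filter is the simplest way to keep legitimate root-level users of the kernel crypto API out of the alert stream while the attacker is still unprivileged.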
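Both AWS briefs (rapid S3 bucket enumeration, and discovery API calls via the CLI) describe the same shape of detection: a sliding 10-second window, a distinct-value count per key, and exclusions for service principals and Console sessions. The following added example implements that once and applies both rules to constructed CloudTrail events; it is not the feed's Sigma rules. It assumes the raw CloudTrail JSON layout (`userIdentity`, `eventName`, `eventSource`, `sourceIPAddress`, `userAgent`, `resources`) rather than the ECS-style field names the briefs quote, and uses the thresholds the briefs state (more than 15 distinct resource ARNs, more than 5 distinct discovery event names).

```python
"""Sliding-window CloudTrail detections for the two AWS reconnaissance briefs.
Rule 1: >15 distinct resource ARNs from read-only S3 bucket APIs, per (principal,
source IP), within 10 s. Rule 2: >5 distinct Describe*/List*/Get*/Generate* event
names per identity via the AWS CLI within 10 s. Both skip service principals and
Console sessions. Added example, not the feed's Sigma rules; events are constructed
records in the raw CloudTrail JSON layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

WINDOW_S = 10
S3_POSTURE_CALLS = {"GetBucketAcl", "GetBucketPublicAccessBlock", "GetBucketPolicy",
                    "GetBucketPolicyStatus", "GetBucketVersioning"}
DISCOVERY_PREFIXES = ("Describe", "List", "Get", "Generate")
DISCOVERY_SOURCES = {"ec2.amazonaws.com", "iam.amazonaws.com", "s3.amazonaws.com", "kms.amazonaws.com"}


def _ts(ev: Dict) -> float:
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def in_scope(ev: Dict) -> bool:
    """Shared exclusions: service principals, Console sessions, events with no identity ARN."""
    ident = ev.get("userIdentity", {})
    if ident.get("type") == "AWSService":
        return False
    if ident.get("sessionCredentialFromConsole") == "true" or "console.amazonaws.com" in ev.get("userAgent", ""):
        return False
    return bool(ident.get("arn"))


def windowed_distinct(events, key_fn: Callable, values_fn: Callable, threshold: int, window_s: int = WINDOW_S) -> List[Dict]:
    """Fire once per key when more than `threshold` distinct values land within window_s."""
    state: Dict = defaultdict(deque)          # key -> deque of (timestamp, value)
    fired, alerts = set(), []
    for ev in sorted(events, key=_ts):
        key = key_fn(ev)
        values = values_fn(ev) if key is not None else []
        if not values:
            continue
        now, q = _ts(ev), state[key]
        q.extend((now, v) for v in values)
        while now - q[0][0] > window_s:      # q is never empty here: the newest entry is at `now`
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "window_start": q[0][0], "values": sorted(distinct)})
    return alerts


# Rule 1: key on (principal ARN, source IP); count distinct bucket ARNs from the resources field.
def s3_key(ev):
    if not in_scope(ev) or ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in S3_POSTURE_CALLS:
        return None
    ip = ev.get("sourceIPAddress")
    return (ev["userIdentity"]["arn"], ip) if ip else None

def s3_values(ev):
    return [r["ARN"] for r in ev.get("resources", []) if r.get("ARN")]

def detect_s3_enumeration(events, threshold=15):
    return windowed_distinct(events, s3_key, s3_values, threshold)


# Rule 2: key on the identity; aws-cli user agents only; count distinct discovery event names.
def cli_key(ev):
    if not in_scope(ev) or not ev.get("userAgent", "").startswith("aws-cli/"):
        return None
    return ev["userIdentity"]["arn"] if ev.get("eventSource") in DISCOVERY_SOURCES else None

def cli_values(ev):
    name = ev.get("eventName", "")
    return [name] if name.startswith(DISCOVERY_PREFIXES) else []

def detect_cli_discovery(events, threshold=5):
    return windowed_distinct(events, cli_key, cli_values, threshold)


# Constructed sample events (not real CloudTrail data).
BASE = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
CLI_UA = "aws-cli/2.15.30 Python/3.11.6 Linux/6.1.0 exe/x86_64"
USER = "arn:aws:iam::123456789012:user/ci-deploy"
ROLE = "arn:aws:sts::123456789012:assumed-role/ReadOnlyAudit/session1"

def mk(offset_s, name, source, arn, ip="203.0.113.7", ua=CLI_UA, buckets=(), ident_type="IAMUser", console=False):
    ident = {"type": ident_type, "arn": arn}
    if console:
        ident["sessionCredentialFromConsole"] = "true"
    return {"eventTime": (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventName": name, "eventSource": source, "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": ident, "resources": [{"ARN": f"arn:aws:s3:::{b}"} for b in buckets]}

DISCOVERY_BURST = [("DescribeInstances", "ec2.amazonaws.com"), ("DescribeSecurityGroups", "ec2.amazonaws.com"),
                   ("ListRoles", "iam.amazonaws.com"), ("ListUsers", "iam.amazonaws.com"),
                   ("ListKeys", "kms.amazonaws.com"), ("ListBuckets", "s3.amazonaws.com")]
SAMPLE_EVENTS = (
    # 16 buckets posture-checked in 8 s from one IP: trips rule 1 (>15 distinct ARNs)
    [mk(i // 2, "GetBucketPolicy", "s3.amazonaws.com", USER, buckets=[f"bucket-{i:02d}"]) for i in range(16)]
    # the same 16 buckets checked once every 20 s: never >15 inside a 10 s window
    + [mk(100 + 20 * i, "GetBucketAcl", "s3.amazonaws.com", ROLE, ip="198.51.100.9", buckets=[f"slow-{i:02d}"]) for i in range(16)]
    # six distinct discovery calls in 6 s from the CLI: trips rule 2 (>5)
    + [mk(600 + i, n, s, ROLE, ip="198.51.100.9") for i, (n, s) in enumerate(DISCOVERY_BURST)]
    # identical bursts from a Console session and a service principal: excluded by in_scope
    + [mk(700 + i // 2, "GetBucketPolicy", "s3.amazonaws.com", USER, ua="console.amazonaws.com", buckets=[f"c-{i:02d}"], console=True) for i in range(16)]
    + [mk(800 + i, n, s, "arn:aws:iam::123456789012:role/svc", ident_type="AWSService") for i, (n, s) in enumerate(DISCOVERY_BURST)]
)

if __name__ == "__main__":
    for hit in detect_s3_enumeration(SAMPLE_EVENTS) + detect_cli_discovery(SAMPLE_EVENTS):
        print(hit["key"], "->", len(hit["values"]), "distinct values from", hit["window_start"])
```

The slow enumerator never fires because the window is evaluated per event, so an attacker who paces requests 20 seconds apart walks under both rules; that is the trade-off the briefs accept when they tie the threshold to a 10-second window, and the `threshold` and `window_s` parameters are the knobs to tune.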
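The Kubernetes brief says the detection works on the decoded command line of a pod exec session and classifies the cloud target and the intent. The following added example shows that pipeline end to end; it is not the feed's `Kubernetes Pod Exec IMDS Access` rule. It consumes Kubernetes API-server audit events, where each argv element of an exec arrives as a separate URL-encoded `command=` query parameter on `requestURI`, decodes them, and labels the provider and whether the request targets a credential-bearing path. The audit events are constructed; the IMDS URL layouts are the providers' documented ones.

```python
"""Classify Kubernetes pod exec requests that reach for a cloud metadata service.

Added example, not the feed's Sigma rule. Input is a Kubernetes audit event; the
exec argv is recovered from the URL-encoded `command=` query parameters of
requestURI, then matched against the AWS, GCP and Azure IMDS URL layouts.
Sample events below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

IMDS_IP = "169.254.169.254"            # AWS, Azure, and GCP all answer here
PROVIDER_HINTS = {                     # case-insensitive substrings that identify the target
    "aws":   ("/latest/meta-data", "/latest/api/token", "/latest/dynamic", "x-aws-ec2-metadata-token"),
    "gcp":   ("metadata.google.internal", "/computemetadata/v1", "metadata-flavor"),
    "azure": ("/metadata/instance", "/metadata/identity", "metadata:true", "metadata: true"),
}
CREDENTIAL_PATHS = {                   # paths that return credentials rather than attributes
    "aws":   re.compile(r"/iam/security-credentials"),
    "gcp":   re.compile(r"/service-accounts/[^/\s]+/(token|identity)"),
    "azure": re.compile(r"/metadata/identity/oauth2/token"),
}


def decode_exec_command(event: Dict) -> Optional[str]:
    """argv of a pods/exec request joined by spaces, or None if this is not an exec."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    argv = parse_qs(urlsplit(event.get("requestURI", "")).query).get("command", [])
    return " ".join(argv) if argv else None


def classify(cmdline: str) -> Optional[Dict[str, str]]:
    """Provider and intent for a decoded command line; None when no metadata service is referenced."""
    low = cmdline.lower()
    provider = next((p for p, hints in PROVIDER_HINTS.items() if any(h in low for h in hints)), None)
    if provider is None:
        if IMDS_IP not in low:
            return None
        provider = "unknown"           # bare IP with no provider-specific path: still worth a look
    pattern = CREDENTIAL_PATHS.get(provider)
    intent = "credential_theft" if pattern and pattern.search(low) else "reconnaissance"
    return {"provider": provider, "intent": intent}


def analyze(event: Dict) -> Optional[Dict[str, str]]:
    """Full pipeline for one audit event: decode, classify, attach who and where."""
    cmd = decode_exec_command(event)
    verdict = classify(cmd) if cmd else None
    if verdict is None:
        return None
    ref = event["objectRef"]
    return {"user": event.get("user", {}).get("username", ""),
            "pod": f'{ref.get("namespace")}/{ref.get("name")}', "command": cmd, **verdict}


# Constructed audit events (not from a real cluster); requestURI is built the way kubectl encodes it.
def exec_event(user: str, namespace: str, pod: str, argv: List[str], verb="create", subresource="exec") -> Dict:
    query = urlencode([("command", a) for a in argv] + [("container", "app"), ("stdout", "true")])
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
            "user": {"username": user},
            "objectRef": {"resource": "pods", "namespace": namespace, "name": pod, "subresource": subresource},
            "requestURI": f"/api/v1/namespaces/{namespace}/pods/{pod}/{subresource}?{query}"}

SAMPLE_EVENTS = [
    exec_event("dev-alice", "prod", "web-7d9f", ["curl", "-s", "http://169.254.169.254/latest/meta-data/iam/security-credentials/"]),
    exec_event("dev-alice", "prod", "web-7d9f", ["sh", "-c", 'curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token']),
    exec_event("ci-bot", "build", "runner-1", ["wget", "-qO-", "--header=Metadata:true", "http://169.254.169.254/metadata/instance?api-version=2021-02-01"]),
    exec_event("dev-bob", "prod", "api-1", ["cat", "/etc/hostname"]),
    exec_event("dev-bob", "prod", "api-1", ["curl", "http://169.254.169.254/"], verb="get", subresource="log"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["requestURI"][:72], "->", analyze(ev))
```

The `sh -c` case matters in practice: the metadata URL is buried inside one argv element, which is why the classifier matches on the joined, decoded string rather than on individual arguments. What it cannot see is a command that is base64-decoded or fetched at runtime inside the pod, or anything typed into an interactive shell after the exec is established; those need process-level telemetry from inside the pod.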