https://feed.craftedsignal.io/vendors/aws/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 03:06:08 +0000https://feed.craftedsignal.io/briefs/2026-05-copy-fail/Sat, 02 May 2026 03:06:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-copy-fail/The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.CVE-2026-31431, known as “Copy Fail,” is a high-severity local privilege escalation vulnerability affecting the Linux kernel’s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.

Attack Chain

1. Reconnaissance: The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.
2. Script Execution: The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.
3. AF_ALG Abuse: The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.
4. Kernel Page Cache Corruption: This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.
5. Privilege Escalation: By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.
6. Boundary Breach: The system’s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.
7. Lateral Movement/Container Escape: The attacker can now use the root privileges gained to perform lateral movement or escape the container.

Impact

Successful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability’s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.

Recommendation

• Identify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).
• Deploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.
• Monitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.
• If patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.

]]>criticaladvisoryprivilege-escalationlinuxkernelhttps://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/Fri, 01 May 2026 19:43:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.This threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct aws.cloudtrail.resources.arn values within a 10-second window.

Attack Chain

1. An attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role. (T1530)
2. The attacker authenticates to AWS using the obtained credentials, creating a programmatic session.
3. The attacker issues a series of GetBucketAcl, GetBucketPublicAccessBlock, GetBucketPolicy, GetBucketPolicyStatus, and GetBucketVersioning API calls to S3.
4. These API calls are directed towards multiple distinct S3 buckets within a short timeframe (10 seconds).
5. The attacker collects information about the bucket’s access control lists (ACLs), public access blocks, policies, versioning status, and other metadata. (T1526, T1580, T1619)
6. The collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.
7. The attacker uses identified vulnerabilities to exfiltrate data.
8. The attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.

Impact

Successful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.

Recommendation

• Deploy the following Sigma rule to detect rapid S3 bucket enumeration activity based on AWS CloudTrail logs, adjusting the threshold of 15 distinct buckets to suit your environment.
• Investigate any alerts generated by the Sigma rule, focusing on the source IP address (source.ip), AWS principal ARN (aws.cloudtrail.user_identity.arn), and the list of accessed buckets (aws.cloudtrail.resources.arn).
• Review IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.
• Monitor CloudTrail logs for related events, such as ListBuckets, GetObject, PutBucketPolicy, AssumeRole, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.
• Implement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.
• Document approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.

]]>lowadvisoryawss3cloudtraildiscoveryenumerationreconnaissancehttps://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls/Fri, 01 May 2026 19:43:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-aws-discovery-api-calls/This rule detects when a single AWS identity executes more than five unique discovery-related API calls (Describe*, List*, Get*, or Generate*) within a 10-second window using the AWS CLI, potentially indicating reconnaissance activity following credential compromise or compromised EC2 instance access.This detection rule identifies suspicious AWS reconnaissance activity originating from the AWS CLI. It triggers when a single AWS identity (IAM user, role, or service principal) makes more than five unique discovery-related API calls (such as Describe*, List*, Get*, or Generate*) within a 10-second window. The rule is designed to detect adversaries attempting to map out an AWS environment after gaining unauthorized access through compromised credentials or a compromised EC2 instance. The tool focuses on API calls related to key AWS services like EC2, IAM, S3, and KMS. This rule helps defenders identify and respond to early-stage reconnaissance activity, preventing further exploitation or data exfiltration. The rule excludes activity from AWS service accounts and the AWS Management Console, and it requires a minimum stack version of 9.2.0 with AWS integration version 4.6.0.

Attack Chain

1. Initial Access: An attacker gains access to an AWS environment, potentially through compromised credentials or by compromising an EC2 instance.
2. Credential Usage: The attacker leverages the AWS CLI to interact with the AWS environment using the compromised credentials.
3. Reconnaissance: The attacker initiates a series of discovery API calls to gather information about the AWS infrastructure. This includes using Describe*, List*, Get*, and Generate* commands.
4. Resource Enumeration: The attacker enumerates various AWS resources, including EC2 instances, IAM roles, S3 buckets, and KMS keys, by querying their respective APIs.
5. Target Identification: The attacker analyzes the gathered information to identify potential targets for further exploitation, such as vulnerable EC2 instances or misconfigured S3 buckets.
6. Privilege Escalation (Optional): If the compromised credentials have limited permissions, the attacker might attempt to escalate privileges to gain broader access to the AWS environment.
7. Lateral Movement (Optional): The attacker might attempt to move laterally to other AWS accounts or services to expand their reach and impact.
8. Data Exfiltration/Impact: Based on the attacker’s goals, they may attempt to exfiltrate sensitive data or cause disruption by modifying or deleting resources.

Impact

Successful exploitation could lead to unauthorized access to sensitive data, such as customer information, intellectual property, or financial records. The attacker could also disrupt business operations by modifying or deleting critical resources. Identifying and responding to such activity in a timely manner can help prevent significant damage and maintain the security and integrity of the AWS environment.

Recommendation

• Deploy the following Sigma rule to your SIEM and tune for your environment to detect the described reconnaissance activity.
• Enable AWS CloudTrail logging for all AWS regions and accounts in your organization to ensure the required logs are available for detection.
• Investigate any alerts generated by the Sigma rule, focusing on identifying the affected AWS identity, the source IP address, and the specific API calls made (as captured by the Sigma rule).
• If suspicious activity is confirmed, follow AWS’s incident-handling guidance, including disabling or rotating the access key used and restricting outbound connectivity from the source (reference the AWS Security Incident Response Guide).

]]>lowadvisorycloudawscloudtraildiscoveryhttps://feed.craftedsignal.io/briefs/2024-01-kubernetes-metadata-access/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kubernetes-metadata-access/Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.This alert focuses on detecting Kubernetes pod exec sessions that attempt to access cloud instance metadata endpoints. The activity is flagged when the decoded command line of a pod exec session contains references to cloud instance metadata services across AWS, GCP, and Azure. Attackers may exploit this to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor. This is a high-risk behavior because it can expose short-lived cloud credentials to code running inside a container, particularly concerning in multi-tenant and regulated environments. This detection classifies the cloud target and whether the command indicates credential theft or reconnaissance.

Attack Chain

1. Attacker gains initial access to a Kubernetes cluster.
2. Attacker identifies a vulnerable pod within the cluster.
3. The attacker uses kubectl exec to gain shell access to the pod.
4. Inside the pod, the attacker crafts a command-line request targeting the cloud instance metadata service (IMDS) endpoint.
5. The command, often using curl or wget, attempts to retrieve sensitive information such as IAM roles, tokens, or instance attributes.
6. The IMDS responds with the requested data, which may include credentials or configuration details.
7. The attacker exfiltrates the stolen credentials or uses them to escalate privileges within the cloud environment.
8. Attacker uses the harvested credentials to move laterally, compromise other cloud resources, or exfiltrate sensitive data.

Impact

Compromised credentials can lead to unauthorized access to sensitive data, lateral movement within the cloud environment, and potential data exfiltration. A successful attack could impact multiple organizations sharing the same Kubernetes cluster. The impact could include financial losses, reputational damage, and regulatory fines, depending on the type of data compromised and the extent of the breach.

Recommendation

• Deploy the Sigma rule Kubernetes Pod Exec IMDS Access to detect suspicious command-line activity within Kubernetes pods.
• Block access to the cloud instance metadata endpoints (169.254.169.254) from within Kubernetes pods using network policies.
• Regularly review and tighten RBAC permissions related to pods/exec to limit the ability of attackers to gain shell access.
• Monitor cloud audit logs for suspicious STS or token issuance events correlated with Kubernetes pod exec events.
• Implement workload identity solutions to avoid the need to expose instance metadata to pods.
• Baseline approved images and tune exclusions narrowly to avoid false positives.

]]>highadvisorykubernetescloudcredential_accessexecution