A threat actor exploited a leaked long-term AWS access key to perform a series of malicious activities including creating persistence mechanisms, modifying AWS Identity Center users and groups, and disabling organization-level services. These novel tactics showcase advanced cloud intrusion methods impacting AWS Organizations and AWS Identity Center. #AWSOrganizations #AWSIdentityCenter
Key Points
- A long-term AWS access key tied to an IAM user in an AWS Organizations management account was compromised and used by attackers to conduct multiple malicious actions within a 150-minute window.
- Attackers implemented a novel “persistence-as-a-service” by creating a Lambda function triggered via HTTP API Gateway that dynamically creates IAM users even after credential revocation.
- ConsoleLogin events originated from an IP associated with Telegram, suggesting automated sign-in link generation through a Telegram bot to facilitate AWS console access.
- The attacker disabled integration of six AWS organization-level services using the DisableAWSServiceAccess API, potentially to evade security controls when adding new accounts.
- Through AWS Identity Center, attackers enumerated SSO configurations then created a group and user with elevated permissions, disabling MFA and extending session duration to maintain long-term access.
- Several common cloud intrusion tactics were observed alongside innovative techniques, including dynamic IAM user creation, modification of MFA settings, and disabling trusted AWS services.
- Detection strategies for this attack include monitoring unusual console logins, Lambda-triggered IAM user creation, Identity Center configuration changes, and DisableAWSServiceAccess API calls.
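The four detection strategies listed above, turned into rules over CloudTrail records. This is an added example written for this summary, not code from the original report; the field names follow the CloudTrail record schema, the sample events are constructed, and the Lambda-execution-role heuristic (role name containing "lambda" or the console's "-role-" pattern) is an assumption.

```python
# Detection rules derived from the write-up. Field names follow the CloudTrail
# record schema; the sample events further down are constructed, not captured.
KNOWN_BAD_IPS = {"149.154.161.235"}  # Telegram-associated IP named in the report

def classify(event: dict) -> list[str]:
    """Return the names of the detection rules a single CloudTrail record triggers."""
    hits = []
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    identity = event.get("userIdentity", {})
    issuer_name = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "").lower()
    # 1. Console sign-in from an IP the report ties to the attacker.
    if name == "ConsoleLogin" and event.get("sourceIPAddress") in KNOWN_BAD_IPS:
        hits.append("console_login_suspicious_ip")
    # 2. IAM user created by an assumed role that looks like a Lambda execution role
    #    (heuristic assumption: role name contains "lambda" or the console's "-role-" pattern).
    if (name == "CreateUser" and source == "iam.amazonaws.com"
            and identity.get("type") == "AssumedRole"
            and ("lambda" in issuer_name or "-role-" in issuer_name)):
        hits.append("lambda_triggered_iam_user_creation")
    # 3. Any write to Identity Center (SSO) configuration, e.g. group, user or MFA changes.
    if source == "sso.amazonaws.com" and name.startswith(("Create", "Put", "Update", "Delete")):
        hits.append("identity_center_config_change")
    # 4. Organization-level trusted-service access being turned off.
    if name == "DisableAWSServiceAccess" and source == "organizations.amazonaws.com":
        hits.append("org_service_access_disabled")
    return hits

def scan(records: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the eventIDs that fired it."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        for rule in classify(rec):
            findings.setdefault(rule, []).append(rec["eventID"])
    return findings

# Constructed sample records (eventIDs and internal IPs are placeholders).
LAMBDA_ROLE = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "LambdaExecutionRole"}}}
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "149.154.161.235", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e2", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "10.0.0.5", "userIdentity": LAMBDA_ROLE},
    {"eventID": "e3", "eventName": "CreateGroup", "eventSource": "sso.amazonaws.com",
     "sourceIPAddress": "129.146.24.173", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e4", "eventName": "DisableAWSServiceAccess",
     "eventSource": "organizations.amazonaws.com", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e5", "eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "10.0.0.5", "userIdentity": {"type": "IAMUser"}},  # benign, no hit
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per rule for e1 through e4 and nothing for the benign e5; in production the same rules would run over records from a CloudTrail log delivery rather than the embedded list.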
MITRE Techniques
- [T1078.004] Valid Accounts – The attacker used leaked long-term AWS credentials to gain initial access and perform multiple actions (‘observed attacker activity originating from a leaked long-term AWS access key’).
- [T1526] Cloud Service Discovery – The attacker enumerated AWS Identity Center SSO configurations, users, groups, and applications (‘enumerating the SSO instance to look at SSO configurations, users, groups, and applications’).
- [T1098.001] Additional Cloud Credentials – Created new IAM users dynamically via Lambda function triggered by HTTP API Gateway to maintain persistence (‘Lambda function ran code with the capability to create IAM users dynamically, on demand’).
- [T1098.003] Additional Cloud Roles – Created permanent roles and policies such as AWSLambdaBasicExecutionRole-b69e3024-5a7f-4fff-a576-cf54fc986b93 to enable malicious Lambda executions (‘attached its execution role to a new policy AWSLambdaBasicExecutionRole-b69e3024-…’).
- [T1036.003] Cloud Account – Created new IAM groups and users in AWS Identity Center to control access (‘created a group called secure and a user called Secret’).
- [T1556.006] Multi-Factor Authentication Interception – Modified SSO MFA settings to allow password-only sign-in and extended session duration (‘modified the MFA configuration of the SSO instance to allow themselves to sign in without MFA’).
- [T1485] Data Destruction – Disabled AWS service integrations at the organization level via API calls (‘DisableAWSServiceAccess…disabled trusted access for several AWS services’).
Indicators of Compromise
- [IP Addresses] Used to perform ConsoleLogin and other malicious API activities – 149.154.161[.]235 (Telegram ASN), 129.146.24[.]173, 134.199.148[.]132, and others.
- [IAM Users] Created by the attacker for persistence and access – adminslabs, buckets488, s3s684, git-lab965, git-lab555.
- [IAM Roles] Malicious roles created to support Lambda execution and operations – LambdaExecutionRole, buckets555-role-c6s4hhdi, curdfunctionsme-role-zw1zxamc.
- [Lambda Functions] Deployed to maintain persistence and invoke malicious activity – buckets555 (SHA256: 1c03eaf4445e255102e602dabed73f832779bd9b5df5e894185f77dadd230716), curdfunctionsme (SHA256: 1d7187a66f6e19b7d346c061d98c07292945e71c70ac08209621ecba80f73866).
- [IAM Identity Center Entities] Newly created user and group for unauthorized access – User: Secret, Group: secure.