Threat actors can exploit the Amazon Web Services (AWS) Security Token Service (STS) to infiltrate cloud accounts and carry out subsequent attacks [1] [2] [3] [4] [5]. This poses a significant risk to the security of cloud environments.

Description

AWS STS allows threat actors to impersonate user identities and roles in cloud environments [1] [2] [3] [5]. They can obtain long-term IAM tokens through various methods [1] [2] [3] [4] [5], such as malware infections [5], publicly exposed credentials [5], and phishing emails [1] [2] [3] [4] [5]. These stolen tokens are then used to determine roles and associated privileges through API calls [5]. To further exploit the system, authenticated MFA tokens are used to create multiple new short-term tokens [1] [2] [3] [5], which are then utilized for post-exploitation actions like data exfiltration.

To address this abuse, it is recommended to implement the following measures:

  1. Log CloudTrail event data: By monitoring and analyzing CloudTrail event logs, organizations can detect any suspicious activity related to AWS STS and take appropriate action.

  2. Detect role chaining events and MFA abuse: Organizations should have mechanisms in place to identify instances of role chaining and abuse of MFA tokens. This can help prevent unauthorized access and potential malicious actions.

  3. Rotate long-term IAM user access keys: Regularly rotating long-term IAM user access keys can limit the impact of stolen tokens. This practice ensures that even if a token is compromised, its usefulness is limited in time.

Conclusion

AWS STS is a critical security control [4], but adversaries can exploit it to gain unauthorized access to cloud resources and carry out malicious actions. By implementing the recommended measures, organizations can mitigate the risk of such abuse and enhance the security of their cloud environments. It is crucial to stay vigilant and proactive in addressing these threats to protect sensitive data and maintain the integrity of cloud systems.

References

[1] https://www.linkedin.com/posts/starlightintel_warning-for-iphone-users-experts-warn-of-activity-7138218607603322880-CjB5
[2] https://vulners.com/thn/THN:63AF5BB67ACE050B0C3C7A28E10E9B4C
[3] https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html
[4] https://owasp.or.id/2023/12/06/threat-actors-can-leverage-aws-sts-to-infiltrate-cloud-accounts/
[5] https://blog.ehcgroup.io/2023/12/06/10/23/41/16308/alerta-actores-de-amenazas-pueden-aprovechar-aws-sts-para-infiltrarse-en-cuentas-de-la-nube/noticias-de-seguridad/ehacking/