
Case Study of AWS Security Breaches and Attack / Defense Techniques

Steve Teo
August 31, 2019

Presented during the AWS APAC Community Day Leader's Meetup 2019 in Melbourne

Transcript

  1. Case Study of AWS Security Breaches and Attack / Defense Techniques
     Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
     www.linkedin.com/in/steveteo

  2. Steve “Potay” Teo
     • Director of Cloud Security Engineering @ Horangi
     • CloudDevSecOps Fanatic
     • 4 years+ working on AWS
     • AWS Areas of Interest:
       • AWS Multi-Account Architectures
       • Cloud Security
     • Totally uncertified and proud :P
     • Ate 24 buffalo wings at last year’s re:Invent Tatonka Challenge

  3. “Know thy self, know thy enemy. A thousand battles, a thousand victories.” – Sun Tzu, Art of War

  4. VS

  5. “The reason why Google and Facebook are the most powerful companies in the world is because last year data surpassed oil in value” – Brittany Kaiser (The Great Hack)

  6. Some of the Biggest S3 Breaches
     • Sept 2017 – Accenture Leak
       • Bucket(s): acp-deployment, acpcollector, acp-software, acp-ssl
       • Highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform
       • 40,000 passwords stored in plaintext, architectural information and code for the company's client-facing cloud platform, decryption keys, certificates, API data and administrator login credentials
       • https://www.upguard.com/breaches/cloud-leak-accenture
       • Street Cred --
     • May 2019 – Attunity Leak
       • Bucket(s): attunity-it, attunity-patch, attunity-support
       • 750 gigabytes of compressed email backup exposed, including Netflix, Ford, TD Bank
       • https://www.upguard.com/breaches/attunity-data-leak
       • Street Cred --

  7. Some of the Biggest S3 Breaches
     • June 2017 – Partner
       • Bucket(s): verizon-sftp
       • Bucket was operated by a 3rd-party partner, NICE Systems
       • Names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon
       • https://www.upguard.com/breaches/verizon-cloud-leak
       • Street Cred --
     • Jan 2019 – Third-Party Apps
       • Cultura Colectiva
         • Bucket(s): cc-datalake
         • 146 gigabytes containing over 540 million records detailing comments, likes, reactions, account names, FB IDs and more
       • At the Pool
         • FB user data for 22K users, including plaintext passwords
       • https://www.upguard.com/breaches/facebook-user-data-leak
       • Street Cred --

  8. Attack – S3 Enumeration
     • Lots of tools out there to discover S3 buckets
     • Powered by dictionaries + pattern techniques
     • Some specialized tools like https://github.com/jordanpotti/AWSBucketDump can even dump a bucket’s content or search for contents within the bucket

  9. Attack – Bucket-Stream
     • https://github.com/eth0izzle/bucket-stream
     • Listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates' domain names.

  10. Defense – S3 Inspector
     • Checks all your buckets for public access
     • For every bucket gives you a report with:
       • Indicator of whether your bucket is public or not
       • Permissions for your bucket if it is public
       • List of URLs to access your bucket if it is public (non-public buckets will return Access Denied)
     • https://github.com/kromtech/s3-inspector

  11. S3 Security Is Flawed By Design?
     • https://www.upguard.com/blog/s3-security-is-flawed-by-design
     • “Our opinion is that the security problem with S3 is one of product design.”
     • Key Points
       • Can’t break legacy
       • #1: Any Authenticated Users
       • #2: Inconsistent ACLs and Bucket Policies (effective access is the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply)
     • Recommendation
       • Split S3 up into Amazon Web Hosting and Amazon Private Storage
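As an added example (not the S3 Inspector tool's code), the following Python applies both of slide 11's points to constructed ACL and bucket-policy documents shaped like the S3 GetBucketAcl and GetBucketPolicy responses: it flags grants to the AllUsers and AuthenticatedUsers groups, flags Allow statements with an anonymous principal and no Condition, and reports a bucket as public if either source opens it, because effective access is the union of the two. Bucket names, canonical IDs and policy content are constructed.

```python
import json

# S3 ACL grantee groups that make a grant public; the second is slide 11's "#1" point.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_public_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers.
    `acl` has the shape of a GetBucketAcl response (constructed below, not fetched)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant["Permission"]))
    return found

def policy_public_statements(policy_json):
    """Sids of Allow statements with an anonymous Principal ('*') and no Condition."""
    open_sids = []
    for stmt in json.loads(policy_json or '{"Statement": []}').get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", "<no sid>"))
    return open_sids

def inspect_bucket(name, acl, policy_json=None):
    """Effective access is the union of ACLs and policies, so flag the bucket if either opens it."""
    grants, sids = acl_public_grants(acl), policy_public_statements(policy_json)
    return {"bucket": name, "public": bool(grants or sids),
            "acl_grants": grants, "policy_statements": sids}

# Constructed sample inputs modelled on the S3 API shapes (not real buckets).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private/*"}]})

if __name__ == "__main__":
    print(inspect_bucket("example-leaky", LEAKY_ACL))                    # flagged via the ACL
    print(inspect_bucket("example-private", PRIVATE_ACL, OPEN_POLICY))   # flagged via the policy
```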
  12. Code Spaces
     "We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."

  13. Hack
     • Between March 12, 2019 and July 17, 2019, an unauthorized user accessed data stored in AWS S3 buckets belonging to Capital One.
     • The unauthorized user exfiltrated the data and stored it on GitHub under their real name, Paige Thompson, as well as boasting about the data theft in a Slack channel and on Twitter using the pseudonym “erratic”.
     • Loss of over 100 million credit card applications and 100 thousand social security numbers

  14. Hack
     • Server-Side Request Forgery (SSRF) attack
       An SSRF attack tricks a server into executing commands on behalf of a remote user, enabling the user to treat the server as a proxy for his or her requests and get access to non-public endpoints.
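One defensive control against the SSRF pattern the slide describes, as an added example (not code from the deck, from Capital One or from any linked post): a Python guard a server runs on a user-supplied URL before fetching it, allowing only http/https and only hosts that resolve exclusively to public addresses, so the server cannot be turned into a proxy for non-public endpoints. The host names and the FAKE_DNS table are constructed so the check runs offline; production code keeps the real resolver (resolve_all), and the caller connects to the address it validated rather than resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(host):
    """Default resolver: every address answered for host, since any one of them may be internal."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(ip_text):
    """True only for globally routable addresses. Loopback, RFC 1918 and link-local
    (the 169.254.0.0/16 range cloud instance-metadata services sit in) all fail."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:10.0.0.5 must not bypass the IPv4 checks
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolve=resolve_all):
    """Decide whether a user-supplied URL may be fetched by the server.
    Returns (allowed, reason, resolved_ips). The caller must connect to one of
    resolved_ips rather than re-resolving, or DNS rebinding can swap the answer."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", set()
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", set()
    host = parts.hostname
    if not host:
        return False, "no host", set()
    try:
        ips = {str(ipaddress.ip_address(host))}   # literal IP: no lookup needed
    except ValueError:
        try:
            ips = set(resolve(host))
        except (OSError, LookupError) as exc:     # OSError: real resolver; LookupError: fake one
            return False, f"resolution failed: {exc}", set()
    bad = sorted(ip for ip in ips if not is_public_address(ip))
    if bad:
        return False, f"resolves to non-public address(es): {bad}", ips
    return True, "ok", ips

# Constructed name table so the check runs offline; production code keeps resolve_all.
FAKE_DNS = {"public.example": ["93.184.216.34"],
            "rebind.example": ["93.184.216.34", "10.0.0.5"]}

if __name__ == "__main__":
    for u in ("http://10.0.0.5/admin", "https://rebind.example/", "https://public.example/"):
        print(u, check_outbound_url(u, resolve=FAKE_DNS.__getitem__))
```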
  15. Hack
     700 Buckets
     ModSecurity WAF
     {
       "Effect": "Allow",
       "Actions": [ "s3:ListBuckets", "s3:Sync" ],
       "Resource": "*"
     }

  16. Hack
     • https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea
     • https://rhinosecuritylabs.com/aws/capital-one-cloud_breach_s3-cloudgoat/
     • https://ejj.io/blog/capital-one
     • https://www.justice.gov/usao-wdwa/press-release/file/1188626/download
     • https://www.newsweek.com/amazon-capital-one-hack-data-leak-breach-paige-thompson-cybercrime-1451665
     • https://awsinsider.net/articles/2019/08/21/aws-scanning.aspx

  17. Attack – Phished AWS Persistent Cookies
     • Uses tools such as Evilginx2, Modlishka, Muraena, and CredSniper

  18. May 2016 – Disgruntled Employee @ Voova
     • “An irate sacked techie who rampaged through his former employer's AWS accounts with a purloined login, nuking 23 servers and triggering a wave of redundancies, has been jailed.”
     • Got hold of a former colleague's AWS login and destroyed what police and prosecutors claimed was £500,000 worth of business-critical data.
     • Did not implement multi-factor authentication.
     • IP Traced – "One of their customers is Valtech, and the defendant was employed by Valtech in Manchester and was dismissed... at the time of the attack”.
     • https://www.theregister.co.uk/2019/03/20/steffan_needham_aws_rampage_prison_sentence_voova/

  19. My Own Experience
     • I can’t document the story here, but …
     • If I had to call it one thing, it would be a “Security Game Day”
     • Key Learnings
       • Assume everything is compromised
       • There is probably a lot more going on than you think is happening. Think motive.
       • Avoid putting all your eggs into one basket
       • Hard to conduct forensics without proper tools or audit services set up properly
       • Avoid having long-lived keys and IAM users
       • Set effective guardrails

  20. Amazon Route 53 BGP Hijack
     • April 24, 2018 – $150,000 USD in Ethereum stolen in MyEtherWallet hack

  21. Amazon Route 53 BGP Hijack
     • A BGP leak is IP space announced by someone the owner of that space has not authorised
     • In order for a leak to be accepted, the rogue announcement needs either:
       • A smaller (more specific) prefix (10.0.0.1/32 = 1 IP vs 10.0.0.0/24 = 256 IPs)
       • Better metrics than a prefix of the same length (a shorter path)
     • This IP space is allocated to Amazon (AS16509). But the ASN that announced it was eNet Inc (AS10297), to their peers, and it was forwarded to Hurricane Electric (AS6939) and Level 3. Level 3 (AS3356) and NTT (AS2914) did not accept the announcement.
     • Announcements
       • 205.251.199.0/24 over 205.251.192.0/23
       • 205.251.197.0/24 over 205.251.194.0/23
       • 205.251.195.0/24 over 205.251.196.0/23
       • 205.251.193.0/24 over 205.251.198.0/23

  22. Amazon Route 53 BGP Hijack
     • https://www.internetsociety.org/blog/2018/04/amazons-route-53-bgp-hijack/
     • https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/
     • https://www.manrs.org/2018/04/another-bgp-hijacking-event-highlights-the-importance-of-manrs-and-routing-security/
     • https://www.darkreading.com/attacks-breaches/myetherwallet-dns-attack-offers-opt-in-lessons/d/d-id/1331656
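As an added example tied to the MANRS reference on slide 22 (not from the deck or from any of the linked posts), the Python below shows the two mechanics slide 21 describes: longest-prefix match, which is why a more-specific /24 wins over the legitimate /23, and RFC 6811-style route origin validation, which a MANRS-conformant network applies to drop such announcements. The ROA table is constructed: AS16509, AS10297 and the /23 prefixes come from the slide, the maxLength of 23 is an assumption, and the routing table pairs 205.251.193.0/24 with the /23 that actually covers it, 205.251.192.0/23.

```python
import ipaddress

# Constructed authorisations in ROA form: (prefix, maxLength, authorised origin ASN).
# AS16509 and the /23s are from the slide; maxLength 23 is an assumption meaning
# "nothing more specific than a /23 is authorised for this space".
ROAS = [
    (ipaddress.ip_network("205.251.192.0/23"), 23, 16509),
    (ipaddress.ip_network("205.251.194.0/23"), 23, 16509),
    (ipaddress.ip_network("205.251.196.0/23"), 23, 16509),
    (ipaddress.ip_network("205.251.198.0/23"), 23, 16509),
]

def validate_origin(prefix_text, origin_asn, roas=ROAS):
    """RFC 6811-style origin validation: VALID if some covering ROA permits this
    prefix length and origin ASN; INVALID if ROAs cover the prefix but none permit
    it; NOT_FOUND if no ROA covers it at all."""
    prefix = ipaddress.ip_network(prefix_text)
    covering = [r for r in roas if prefix.subnet_of(r[0])]
    if not covering:
        return "NOT_FOUND"
    for _roa_prefix, max_len, asn in covering:
        if prefix.prefixlen <= max_len and asn == origin_asn:
            return "VALID"
    return "INVALID"

def best_route(routes, ip_text):
    """Longest-prefix match: the most specific announcement covering ip wins."""
    ip = ipaddress.ip_address(ip_text)
    matches = [r for r in routes if ip in r["prefix"]]
    return max(matches, key=lambda r: r["prefix"].prefixlen) if matches else None

def filter_routes(routes):
    """Drop INVALID announcements before best-path selection, as a MANRS-style filter would."""
    return [r for r in routes if validate_origin(str(r["prefix"]), r["origin"]) != "INVALID"]

# Constructed routing table: the legitimate /23 from AS16509 and a more-specific /24
# originated by AS10297, one of the covered pairs from the slide's announcements.
ROUTES = [
    {"prefix": ipaddress.ip_network("205.251.192.0/23"), "origin": 16509},
    {"prefix": ipaddress.ip_network("205.251.193.0/24"), "origin": 10297},
]

if __name__ == "__main__":
    print("unfiltered best route:", best_route(ROUTES, "205.251.193.10"))
    print("filtered best route:  ", best_route(filter_routes(ROUTES), "205.251.193.10"))
```

Note that the /24 is INVALID even if it claimed AS16509 as origin, because it exceeds the ROA's maxLength; that is the check that stops a more-specific leak from winning on prefix length alone.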
  23. Key Takeaways
     • Knowing how to attack means you know how to defend
     • Security is everyone’s responsibility
     • If you are scrambling during an incident, you are already too late
     • Adopt a zero-trust, sceptical mindset
     • Don’t let people shoot themselves in the foot easily