Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Case Study of AWS Security Breaches and Attack ...

Steve Teo
August 31, 2019

Case Study of AWS Security Breaches and Attack / Defense Techniques

Presented during the AWS APAC Community Day Leader's Meetup 2019 in Melbourne

Steve Teo

August 31, 2019
Tweet

More Decks by Steve Teo

Other Decks in Technology

Transcript

  1. Case Study of AWS Security Breaches and Attack / Defense

    Techniques Steve Teo Director of Cloud Security Engineering Horangi Cyber Security www.linkedin.com/in/steveteo
  2. Steve “Potay” Teo • Director of Cloud Security Engineering @

    Horangi • CloudDevSecOps Fanatic • 4 years+ working on AWS • AWS Areas of Interests: • AWS Multi-Account Architectures • Cloud Security • Totally uncertified and proud :P • Ate 24 buffalo wings at last year’s Reinvent Tatonka Challenge
  3. “Know thy self, know thy enemy. A thousand battles, a

    thousand victories.” – Sun Tzu, Art of War
  4. VS

  5. “The reason why Google and Facebook are the most powerful

    companies in the world is because last year data surpassed oil in value” - Brittany Kaiser (The Great Hack)
  6. Some of the Biggest S3 Breaches • Sept 2017 -

    Accenture Leak • Bucket(s): acp-deployment, acpcollector, acp-software, acp-ssl • Highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform • 40,000 passwords stored in plaintext, architectural information and code for the company's client-facing cloud platform, decryption keys, certificates, API data and administrator login credentials. • https://www.upguard.com/breaches/cloud-leak-accenture • Street Cred -- • May 2019 – Attunity Leak • Bucket(s): attunity-it, attunity-patch, attunity-support • 750 gigabytes of compressed email backup exposed, including Netflix, Ford, TD Bank • https://www.upguard.com/breaches/attunity-data-leak • Street Cred --
  7. Some of the Biggest S3 Breaches • June 2017 -

    Partner • Bucket(s): verizon-sftp • Bucket was operated by 3rd Party Partner, NICE Systems • Names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon • https://www.upguard.com/breaches/verizon-cloud-leak • Street Cred -- • Jan 2019 – Third-Party Apps • Cultura Colectiva • Bucket(s): cc-datalake • 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more • At the Pool • FB user data for 22K users, including plaintext passwords • https://www.upguard.com/breaches/facebook-user-data-leak • Street Cred --
  8. Attack - S3 Enumeration • Lots of tools out there

    to discover S3 buckets • Powered by dictionaries + pattern techniques • Some specialized tools like https://github.com/jordanpotti/ AWSBucketDump can even dump a bucket’s content or search for contents within the bucket
  9. Attack - Bucket-Stream • https://github.com/eth0izzle/bucket-stream • Listens to various certificate

    transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.
  10. Defense – S3 Inspector • Checks all your buckets for

    public access • For every bucket gives you the report with: • Indicator if your bucket is public or not • Permissions for your bucket if it is public • List of URLs to access your bucket (non-public buckets will return Access Denied) if it is public • https://github.com/kromtech/s3-inspector
  11. S3 Security Is Flawed By Design? • https://www.upguard.com/blog/s3-security-is-flawed-by-design • “Our

    opinion is that the security problem with S3 is one of product design." • Key Points • Can’t break legacy • #1: Any Authenticated Users • #2: Inconsistent ACLs and Bucket Policies (union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply) • Recommendation • Split S3 up into Amazon Web Hosting and Amazon Private Storage
  12. Code Spaces "We finally managed to get our panel access

    back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances."
  13. Hack • Between March 12, 2019 and July 17, 2019,

    an unauthorized user accessed data stored in AWS S3 buckets belonging to Capital One. • The unauthorized user exfiltrated the data and stored it on GitHub under their real name, Paige Thompson, as well as boasting about the data theft in a Slack channel and on twitter using the pseudonym “erratic”. • Loss of over 100 million credit card applications and 100 thousand social security numbers
  14. Hack • Server-Side Request Forgery (SSRF) attack An SSRF attack

    tricks a server into executing commands on behalf of a remote user, enabling the user to treat the server as a proxy for his or her requests and get access to non-public endpoints.
  15. Hack 700 Buckets ModSecurity WAF { "Effect": "Allow", "Actions": [

    "s3:ListBuckets", "s3:Sync" ], "Resource": "*" }
  16. Hack • https://blog.cloudsploit.com/a-technical-analysis-of-the-capital- one-hack-a9b43d7c8aea • https://rhinosecuritylabs.com/aws/capital-one-cloud_breach_s3- cloudgoat/ • https://ejj.io/blog/capital-one •

    https://www.justice.gov/usao-wdwa/press- release/file/1188626/download • https://www.newsweek.com/amazon-capital-one-hack-data-leak- breach-paige-thompson-cybercrime-1451665 • https://awsinsider.net/articles/2019/08/21/aws-scanning.aspx
  17. Attack - Phished AWS Persistent Cookies • Uses tools such

    as Evilginx2, Modlishka, Muraena, and CredSniper
  18. May 2016 - Disgruntled Employee @ Voova • “An irate

    sacked techie who rampaged through his former employer's AWS accounts with a purloined login, nuking 23 servers and triggering a wave of redundancies, has been jailed.” • Got hold of a former colleague's AWS login and destroyed what police and prosecutors claimed was £500,000 worth of business- critical data. • Did not implement multi-factor authentication. • IP Traced - "One of their customers is Valtech, and the defendant was employed by Valtech in Manchester and was dismissed... at the time of the attack”. • https://www.theregister.co.uk/2019/03/20/st effan_needham_aws_rampage_prison_sente nce_voova/
  19. My Own Experience • I can’t document the story here,

    but … • If I had to call it one thing, it would be a “Security Game Day” • Key Learnings • Assume everything is compromised • There is probably a lot more going than you think is happening. Think Motive • Avoid putting all your eggs into one basket • Hard to conduct forensics without proper tools or audit services setup properly • Avoid having long-lived keys, IAM users • Set effective guardrails
  20. Amazon Route 53 BGP Hijack • April 24, 2018 -

    $150,000 USD in Ethereum Stolen in MyEtherWallet Hack
  21. Amazon Route 53 BGP Hijack • BGP leak would be

    IP space that is announced by somebody not allowed by the owner of the space • In order for a leak to be accepted • A smaller prefix (10.0.0.1/32 = 1 IP vs 10.0.0.0/24 = 256 IPs) • Have better metrics than a prefix with the same length (shorter path) • This IP space is allocated to Amazon (AS16509). But the ASN that announced it was eNet Inc (AS10297) to their peers and forwarded to Hurricane Electric (AS6939), Level 3. Level 3 (AS3356) and NTT (AS2914) did not accept the announcement • Announcements • 205.251.199.0/24 over 205.251.192.0/23 • 205.251.197.0/24 over 205.251.194.0/23 • 205.251.195.0/24 over 205.251.196.0/23 • 205.251.193.0/24 Over 205.251.198.0/23
  22. Amazon Route 53 BGP Hijack • https://www.internetsociety.org/blog/2018/04/amazons-route-53- bgp-hijack/ • https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/

    • https://www.manrs.org/2018/04/another-bgp-hijacking-event- highlights-the-importance-of-manrs-and-routing-security/ • https://www.darkreading.com/attacks-breaches/myetherwallet- dns-attack-offers-opt-in-lessons/d/d-id/1331656
  23. Key Takeaways • Knowing how to attack means you know

    how to defend • Security is everyone’s responsibility • If you are scrambling during an incident, you are already too late • Adopt a zero trust, sceptic mindset • Don’t let people shoot themselves in their foot easily