New research has discovered that 22 APIs across 16 AWS services can be abused to leak information about AWS users. Unit 42, the threat intelligence team at Palo Alto Networks that discovered the vulnerability, found that the bug affects a number of major AWS services, could potentially lead to cloud misconfigurations and is difficult to track.
The problem stems from the fact that the AWS backend infrastructure proactively validates resource-based policies, which usually contain a field detailing the identities of individuals allowed to access them. If a policy contains a non-existent identity, the API will respond with an error message.
This particular feature is open to abuse, however, by a rogue agent. By repeatedly invoking these APIs, they can check whether an identity exists within an AWS account. Plus, targeted accounts won’t realize that this malicious activity is taking place, as only the attacker sees the API logs and the subsequent error messages.
By misusing AWS services in this way, an attacker could potentially discover the names and roles of individuals within a particular AWS account. Once an attacker has acquired the information that he or she needs, targeted attacks could then follow.
“Detecting and preventing identity reconnaissance using this technique is difficult as there are no observable logs in the targeted accounts,” Jay Chen, a Senior Cloud Vulnerability and Exploit Researcher at Palo Alto Networks, explained.
“However, good IAM security hygiene can still effectively mitigate the threats from this type of attack. Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance.”
Some of the techniques that users of vulnerable AWS services can employ include removing inactive users, adding random strings to usernames and role titles to make them more difficult to guess, and logging all identity authentication activities.
social experiment by Livio Acerbo #greengroundit #techradar https://www.techradar.com/news/aws-apis-can-be-abused-to-leak-information/