Detecting attackers obfuscating their IP address inside AWS
2021-05-18 11:52

Security researchers have documented an attack technique that may allow attackers to leverage a legitimate Amazon VPC feature to mask their use of stolen API credentials inside AWS.

The feature and its exploitation potential

The feature that allows customers to control their IP addresses also allows attackers to control the IP address written to AWS CloudTrail logs when accessing a compromised account via a newly created VPC endpoint.

Attackers can obfuscate their IP address by making it look like an "Organizational" public IP address, an employee "Home" external IP address, a third party service provider public IP address, or a special private, reserved, testing or documentation-only IPv4 subnet block.

What attackers can't do with this technique is change the IAM permissions they have when using victims' compromised AWS API credentials, or bypass IP-based IAM policies.

This technique may allow attackers to bypass security measures that rely solely on AWS CloudTrail, an AWS web service that allows customers to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure.

Defenders should not rely on the contents of the "sourceIPAddress" field in the logs to detect attackers making API requests/calls inside AWS, the researchers noted.
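
One way to act on that advice, as an added example that is not from the researchers or the original article: triage CloudTrail records on the `vpcEndpointId` field, which CloudTrail sets when a call arrives through a VPC endpoint, and treat the source IP as context only. The endpoint inventory, the function names and the sample records are constructed assumptions.

```python
import ipaddress

# Assumption: inventory of VPC endpoint IDs the organization owns (constructed).
KNOWN_VPC_ENDPOINTS = {"vpce-0a1b2c3d4e5f60001"}

# Constructed CloudTrail records; only the fields used here are shown.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e2", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.17",
     "vpcEndpointId": "vpce-0a1b2c3d4e5f60001",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e3", "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.55",
     "vpcEndpointId": "vpce-0ffffffffffff9999",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
]


def ip_is_non_routable(value):
    """True for private, reserved or documentation-only addresses."""
    try:
        return not ipaddress.ip_address(value).is_global
    except ValueError:
        return False  # the field can also hold a service name, not an IP


def triage(events, known_endpoints):
    """Flag calls that arrived through a VPC endpoint outside the inventory."""
    findings = []
    for ev in events:
        endpoint = ev.get("vpcEndpointId")
        if endpoint is None or endpoint in known_endpoints:
            continue
        findings.append({
            "eventID": ev["eventID"],
            "vpcEndpointId": endpoint,
            "accessKeyId": ev.get("userIdentity", {}).get("accessKeyId"),
            # Context only: the caller's own VPC determined this address.
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "ip_non_routable": ip_is_non_routable(ev.get("sourceIPAddress", "")),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, KNOWN_VPC_ENDPOINTS):
        print(finding)
```

Only record e3 is flagged: its endpoint is absent from the inventory, regardless of how plausible its source address looks.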


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/GmeJhztTDOg/