Short-term AWS access tokens allow attackers to linger for a longer while (Security News, December 2023)
Attackers usually gain access to an organization's cloud assets by leveraging compromised user access tokens obtained through phishing, through malware, or by finding them in public code repositories.
These are long-term access tokens associated with AWS IAM or federated users.
Attackers may abuse the AWS Security Token Service (STS) to mint many short-term access tokens from a single stolen long-term key, for example by calling sts:GetSessionToken with it, and then derive further tokens from those.
"The extra STS tokens effectively serve as insurance in the event that the IAM user token is revoked. Any additional tokens they might have generated sit idle and are only used to restart this process if the initial token and subsequent tokens are discovered and revoked," Red Canary detection engineers Thomas Gardner and Cody Betsworth explained.
"One added benefit of abusing short-term tokens is that it helps conceal the long-term [access] token used to create them, particularly from organizations that aren't collecting or monitoring the right logs from their AWS infrastructure. As such, organizations may end up playing whack-a-mole with the short-term tokens, deleting them ad hoc, and never identifying the long-term token used to create them."
If they discover unauthorized AWS logins or evidence of data exfiltration, the clean-up must involve revoking permissions for all temporary credentials confirmed to have been used in the attack, rotating all long-term access tokens, and applying a "Deny-All" policy to users whose tokens were involved in suspicious activity. The deny policy matters because STS temporary credentials cannot be deleted individually: they stop working only when the IAM user or role they were derived from loses its permissions, which is why the fix has to target the identity, not the token.
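The detection and clean-up problem described above (finding the long-term key behind a pile of short-term tokens, spotting the idle spare tokens, and cutting all sessions off at the identity) can be worked through on CloudTrail records. The following is an added example, not code from the article or from Red Canary. It assumes CloudTrail-style JSON lines in which the token-issuing STS calls carry the new key ID in responseElements.credentials.accessKeyId (as CloudTrail's AssumeRole records do); the sample records and every key ID are constructed.

```python
"""Trace AWS STS short-term tokens back to the long-term key that minted them.

Added example, not code from the article or from Red Canary. It reads
CloudTrail-style JSON lines; the records below are constructed, and the
responseElements.credentials.accessKeyId field on token-issuing calls is
assumed to be present, as it is in CloudTrail's AssumeRole records.
"""
import json
from collections import defaultdict

STS = "sts.amazonaws.com"
ISSUING_CALLS = {"GetSessionToken", "AssumeRole"}  # responses carry new credentials

def _rec(time, source, name, key, utype, issued=None):
    # Minimal CloudTrail-shaped record; used only to build the sample below.
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": utype, "accessKeyId": key}}
    if issued:
        rec["responseElements"] = {"credentials": {"accessKeyId": issued}}
    return rec

# Constructed sample (fake key IDs): stolen long-term key AKIAEXAMPLELONGTERM0
# mints a session token, that token assumes a role, the role session reads S3,
# a spare session token is minted and left idle; alice's key is unrelated.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2023-12-01T10:00:00Z", STS, "GetSessionToken",
         "AKIAEXAMPLELONGTERM0", "IAMUser", "ASIAEXAMPLESESSION01"),
    _rec("2023-12-01T10:05:00Z", STS, "AssumeRole",
         "ASIAEXAMPLESESSION01", "IAMUser", "ASIAEXAMPLEROLESESS2"),
    _rec("2023-12-01T10:10:00Z", "s3.amazonaws.com", "GetObject",
         "ASIAEXAMPLEROLESESS2", "AssumedRole"),
    _rec("2023-12-01T10:15:00Z", STS, "GetSessionToken",
         "AKIAEXAMPLELONGTERM0", "IAMUser", "ASIAEXAMPLESESSION03"),
    _rec("2023-12-01T10:20:00Z", "ec2.amazonaws.com", "DescribeInstances",
         "AKIAEXAMPLEADMINKEY0", "IAMUser"),
])

def parse_cloudtrail_lines(text):
    """One JSON record per line, the shape of a flattened CloudTrail export."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def actor_key(event):
    """Key that signed the request: AKIA... is long-term, ASIA... is temporary."""
    return event.get("userIdentity", {}).get("accessKeyId", "")

def issued_key(event):
    """Key ID of credentials returned by an STS issuing call, else None."""
    if event.get("eventSource") != STS or event.get("eventName") not in ISSUING_CALLS:
        return None
    creds = (event.get("responseElements") or {}).get("credentials") or {}
    return creds.get("accessKeyId")

def build_parent_map(events):
    """Temporary key -> the key that requested it."""
    parents = {}
    for event in events:
        child = issued_key(event)
        if child:
            parents[child] = actor_key(event)
    return parents

def root_key(key, parents):
    """Walk the issuing chain up to the key with no recorded parent, normally
    the long-term key the attacker actually holds. Guards against cycles."""
    seen = set()
    while key in parents and key not in seen:
        seen.add(key)
        key = parents[key]
    return key

def attribute_activity(events):
    """Root key -> [(acting key, eventName)], so each action is pinned to the
    long-term key that must be rotated, not just the short-term one observed."""
    parents = build_parent_map(events)
    by_root = defaultdict(list)
    for event in events:
        key = actor_key(event)
        if key:
            by_root[root_key(key, parents)].append((key, event["eventName"]))
    return dict(by_root)

def idle_tokens(events):
    """Issued temporary keys never seen signing a request: the spare tokens."""
    parents = build_parent_map(events)
    used = {actor_key(e) for e in events}
    return sorted(k for k in parents if k not in used)

def revoke_sessions_policy(cutoff_iso8601):
    """Inline Deny policy for the compromised user or role. Temporary credentials
    cannot be deleted one by one; denying every request signed with a token
    issued before the cutoff is what actually cuts them off."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso8601}}}]}

if __name__ == "__main__":
    evts = parse_cloudtrail_lines(SAMPLE_LOG)
    print(len(build_parent_map(evts)), "temporary credential sets issued")
    print("idle spare tokens:", idle_tokens(evts))
    for root, actions in attribute_activity(evts).items():
        print(root, "->", actions)
    print(json.dumps(revoke_sessions_policy("2023-12-01T12:00:00Z"), indent=2))
```

Run against the sample, every action including the S3 read by the role session resolves to AKIAEXAMPLELONGTERM0, which is the key to rotate, and ASIAEXAMPLESESSION03 shows up as the idle spare token the quote above describes. The policy the last function emits uses the aws:TokenIssueTime condition that AWS itself uses to revoke active role sessions; attach it inline to the compromised user or role with the cutoff set to the time of remediation, after the long-term key has been rotated, so only freshly issued credentials keep working.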
News URL
https://www.helpnetsecurity.com/2023/12/07/aws-access-tokens-abuse/