us-16-amiga-knafo-account jumping post infection ......dan amiga co-founder and cto account jumping,...

31
Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research Leader

Upload: others

Post on 03-Jun-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Dan AmigaCo-Founder and CTO

Account Jumping, Post Infection Persistency & Lateral Movement in AWS

Dor KnafoSecurity Research Leader

Page 2: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research
Page 3: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Agenda§ Two minutes about AWS security§ Infection§ Survival + Persistency§ Remaining Undetected§ Lateral Movement§ Solutions

Page 4: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

QUICKINTRO

Page 5: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

AWS Infection Potential

Page 6: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Identity and Access Management (IAM)

EC2

Lambda

S3

Page 7: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

AWS Primary Auditing Capability - CloudTrail

S3Virtual Private CloudLambdaEC2

CloudTrailBucket

5 min

Page 8: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

INFECTION

Page 9: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

User Fault Infection

Infected Machines Phishing

AWS S3

Source Repo

Page 10: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Infection through AWS

Cloud Metadata Poisoned AMI Account Jumping

Page 11: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Infection through 3rd party services§ AWS ECS task definition

§ API call to task definition is recorded via CloudTrail§ Contains sensitive information (e.g. environment variables - keys)

Page 12: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

SURVIVAL

Page 13: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Surviving key rotation or deletion

• AWS Security Token Service

Access KeyTemporary Access

Key

MFA info

IAM

Page 14: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

DEMO

Page 15: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

HIDE

Page 16: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Staying Undetected – Altering CloudTrail§ Delete the trails

§ Stop the trails

§ Disable multi-region logging

$ aws cloudtrail delete-trail –name [trail-name]

$ aws cloudtrail stop-logging –name [trail-name]

$ aws cloudtrail update-trail –name [trail-name] --no-is-multi-region –no-include-global-services

Page 17: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Staying Undetected – Altering S3 Trail§ S3 lifecycle retention policy§ AWS Lambda

§ Triggers on every new file in the bucket§ The Lambda free tier includes 1M free requests per month

S3Virtual Private CloudLambdaEC2

CloudTrailBucket

5 min 1 day

Page 18: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Staying Undetected§ AWS Key Management Service

§ Integrated with CloudTrail§ S3’s Server Side Encryption (SSE)

Policy

AWS S3 AWS KMS

Page 19: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

DEMO

Page 20: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

PERSISTENCY

Page 21: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Persistency§ Create new users (typosquatting for extra stealth)

§ Or – Iterate existings users and create a second access token

$ aws iam create-user --user-name [username]$ aws iam create-access-key --user-name [username]

Page 22: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Persistency§ Creating a second access key to exisiting users is not enough§ AWS Lambda saves tha day, again!§ Create an access key on newly created users, and post it back to you

Page 23: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Persistency§ Backdoor existing roles§ Use your newly retained tokens to assume the modified roles.§ Create a lambda that responds to role creation and adds a backdoor§ Register to UpdateAssumeRolePolicy to reintroduce backdoors that

are removed.

Lambda IAM

Page 24: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

AWS Lambda Persistency

Page 25: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

VPC Access Persistency§ Virtual Private Cloud (+ Security Group)§ Use a public endpoint and Lambda to bypass the security group§ SQS, AWS Gateway API, AWS S3 (with VPC endpoint)

On premiseData Center

Page 26: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

LATERALMOVEMENT

Page 27: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

SUMMARY

Page 28: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Lateral Movement§ Direct Connect§ IAM§ Amazon support tickets§ S3 Direct ConnectIAMDynamoDB

S3Virtual Private CloudLambdaEC2

AMIBeanstalkRoute53Elastic cacheSQS

Page 29: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Solutions

§ Details…§ Stateless architecture with focus on data protection§ Automation via code, CloudFormation, Dockers, etc. for

environment recreated from scratch§ Leverage strong account separation (dev, production1, production2)

Page 30: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Q&A

Page 31: us-16-Amiga-Knafo-Account Jumping Post Infection ......Dan Amiga Co-Founder and CTO Account Jumping, Post Infection Persistency & Lateral Movement in AWS Dor Knafo Security Research

Dan AmigaCo-Founder and CTO - [email protected]

Account Jumping, Post infection persistency & Lateral Movement in AWS

Dor KnafoSecurity Research Leader – [email protected]