Lateral movement inside AWS environments

In the hands of knowledgeable hackers, leaked secrets can be very powerful and dangerous. For example, the attackers behind this operation exhibited advanced knowledge of AWS APIs.After obtaining an AWS access key the attackers used it to run a GetCallerIdentity API call to verify the identity or role assigned to the exposed credential. They also performed other reconnaissance actions by calling ListUsers to gather a list of IAM users in the AWS account and ListBuckets to identify all the existing S3 buckets.

In the compromised AWS environment investigated, the attackers realized the exposed AWS IAM role they obtained did not have administrative privileges over all resources. However, it had the permission to create new IAM roles and attach IAM policies to existing ones. They then proceed to create a new role called lambda-ex and attach the AdministratorAccess policy to it, achieving privilege escalation.

“Following the successful creation of the privileged IAM role, the threat actor attempted to create two different infrastructure stacks, one using Amazon Elastic Cloud Compute (EC2) resources and the other with AWS Lambda,” the researchers said. “By performing these execution tactics, the actors failed to create a security group, key pair and EC2 instance, but they successfully created multiple lambda functions with the newly created IAM role attached.”