AWS environments compromised through exposed .env files
- by nlqip
Lateral movement inside AWS environments
In the hands of knowledgeable hackers, leaked secrets can be very powerful and dangerous. For example, the attackers behind this operation exhibited advanced knowledge of AWS APIs. After obtaining an AWS access key, the attackers used it to run a GetCallerIdentity API call to verify the identity or role assigned to the exposed credential. They also performed other reconnaissance actions by calling ListUsers to gather a list of IAM users in the AWS account and ListBuckets to identify all the existing S3 buckets.
In the compromised AWS environment that was investigated, the attackers realized the exposed AWS IAM role they obtained did not have administrative privileges over all resources. However, it had the permission to create new IAM roles and attach IAM policies to existing ones. They then proceeded to create a new role called lambda-ex and attached the AdministratorAccess policy to it, achieving privilege escalation.
“Following the successful creation of the privileged IAM role, the threat actor attempted to create two different infrastructure stacks, one using Amazon Elastic Cloud Compute (EC2) resources and the other with AWS Lambda,” the researchers said. “By performing these execution tactics, the actors failed to create a security group, key pair and EC2 instance, but they successfully created multiple lambda functions with the newly created IAM role attached.”
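The call sequence described above leaves a recognizable trail in CloudTrail. The following detection sketch is an added example, not code from the article or the researchers; the access key IDs, timestamps and the roles other than lambda-ex are constructed sample data, and the records are trimmed to the CloudTrail fields the check reads.

```python
from collections import defaultdict

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}

def record(time, key, name, params=None, error=None):
    """Build a CloudTrail-shaped record holding only the fields used below."""
    return {"eventTime": time, "eventName": name, "errorCode": error,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample data: key IDs are placeholders, not real credentials.
SAMPLE_EVENTS = [
    record("2024-01-01T10:00:00Z", "AKIAEXAMPLELEAKED", "GetCallerIdentity"),
    record("2024-01-01T10:00:05Z", "AKIAEXAMPLELEAKED", "ListUsers"),
    record("2024-01-01T10:00:09Z", "AKIAEXAMPLELEAKED", "ListBuckets"),
    record("2024-01-01T10:02:00Z", "AKIAEXAMPLELEAKED", "CreateRole",
           {"roleName": "lambda-ex"}),
    record("2024-01-01T10:02:30Z", "AKIAEXAMPLELEAKED", "AttachRolePolicy",
           {"roleName": "lambda-ex", "policyArn": ADMIN_ARN}),
    record("2024-01-01T11:00:00Z", "AKIAEXAMPLEDEPLOY", "CreateRole",
           {"roleName": "ci-deploy"}),
    record("2024-01-01T11:00:10Z", "AKIAEXAMPLEDEPLOY", "AttachRolePolicy",
           {"roleName": "ci-deploy",
            "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    record("2024-01-01T12:00:00Z", "AKIAEXAMPLEDENIED", "AttachRolePolicy",
           {"roleName": "app", "policyArn": ADMIN_ARN}, error="AccessDenied"),
]

def find_admin_escalations(events):
    """Flag successful AdministratorAccess attachments, with per-key context."""
    recon = defaultdict(set)    # access key -> recon API calls seen so far
    created = defaultdict(set)  # access key -> roles that key created
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"].get("accessKeyId")
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        if name in RECON_CALLS:
            recon[key].add(name)
        if ev.get("errorCode"):
            continue  # a denied write changed nothing; alert on it separately
        if name == "CreateRole":
            created[key].add(params.get("roleName"))
        elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_ARN:
            role = params.get("roleName")
            findings.append({"accessKeyId": key, "roleName": role,
                             "created_by_same_key": role in created[key],
                             "prior_recon": sorted(recon[key])})
    return findings
```

A finding where `created_by_same_key` is true and `prior_recon` is non-empty matches the pattern in this incident most closely and deserves the highest priority.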