Breach in the Cloud‼️ - [Pwned Labs]

Scenario:

You’ve been alerted to a potential security breach at Huge Logistics. Unusual activity was detected in an AWS account, prompting a deep dive into AWS CloudTrail logs and related data to confirm the incident.

Confirming the Breach by Analyzing CloudTrail Logs:

  • Identifying Suspicious Activity:
    • Discovered an account anomaly with the username “temp-user,” deviating from internal naming conventions.
  • Tracing the Timeline:
    • Used the CloudTrail log files timestamped from 20230826T2035Z onwards to pinpoint the earliest suspicious activity.
    grep -h -A 10 temp-user 107513503799_CloudTrail_us-east-1_20230826T2035Z_PjmwM7E4hZ6897Aq.json
    • Detected AWS CLI calls made by “temp-user,” the first being aws sts get-caller-identity at 2023-08-26T20:29:37Z.
  • Understanding AWS Actions:
    • The STS GetCallerIdentity call confirmed which identity the attacker was operating as; the events that follow show “temp-user” attempting, unsuccessfully, to list the contents of the “emergency-data-recovery” bucket.
  • Indicator of Compromise (IoC):
    • Identified originating IP 84.32.71.19 from Turkey, indicating a potential external threat unrelated to Huge Logistics’ usual operational regions.
  • Investigating Further Actions:
    • Noted a high volume of errorMessage entries from “temp-user” across consecutive log files, consistent with brute-force probing of which permissions the user holds.
    grep errorMessage 107513503799_CloudTrail_us-east-1_20230826T2050Z_iUtQqYPskB20yZqT.json | wc -l
    grep errorMessage 107513503799_CloudTrail_us-east-1_20230826T2055Z_W0F5uypAbGttUgSn.json | wc -l
  • Escalation of Privileges:
    • Discovered “temp-user” successfully assumed the role “AdminRole,” leveraging AWS STS for expanded privileges.
    grep -A 20 temp-user 107513503799_CloudTrail_us-east-1_20230826T2100Z_APB7fBUnHmiWjHtg.json
  • Data Compromise:
    • Observed file downloads from the “emergency-data-recovery” bucket, including the sensitive file “emergency.txt”.
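The grep-based checks above work, but a plain text search for the user name stops being reliable the moment AssumeRole succeeds: from then on CloudTrail records the assumed-role session ARN in userIdentity, not the IAM user name, so the GetObject events can be missed. The script below, an added example that is not part of the Pwned Labs write-up, performs the same triage over the structured JSON and pivots through the role session. The sample records are constructed to mirror the lab's story; the account ID 111111111111, the user web-svc, the public-assets bucket and the exact timestamps are illustrative placeholders, not data from the lab files.

```python
"""Triage CloudTrail records for one suspect IAM user, following role sessions.

Added example (not code from the Pwned Labs lab). The log body below is
constructed; account ID 111111111111 and the non-temp-user events are
placeholders used only to show what the filter excludes.
"""
import ipaddress
import json
from collections import Counter

ACCT = "111111111111"  # placeholder account ID, not the lab's
TEMP_USER = {"type": "IAMUser", "userName": "temp-user",
             "arn": f"arn:aws:iam::{ACCT}:user/temp-user"}
SESSION_ARN = f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/MySession"

# Constructed CloudTrail file body: the real format is a top-level "Records" list.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-08-26T20:29:37Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "84.32.71.19",
     "userIdentity": TEMP_USER},
    {"eventTime": "2023-08-26T20:31:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "84.32.71.19",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "requestParameters": {"bucketName": "emergency-data-recovery"},
     "userIdentity": TEMP_USER},
    {"eventTime": "2023-08-26T20:52:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies", "sourceIPAddress": "84.32.71.19",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:ListAttachedUserPolicies",
     "userIdentity": TEMP_USER},
    {"eventTime": "2023-08-26T21:01:45Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "84.32.71.19",
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/AdminRole",
                           "roleSessionName": "MySession"},
     "responseElements": {"assumedRoleUser": {"arn": SESSION_ARN}},
     "userIdentity": TEMP_USER},
    # After AssumeRole the actor is the session ARN; "temp-user" no longer appears.
    {"eventTime": "2023-08-26T21:03:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "84.32.71.19",
     "requestParameters": {"bucketName": "emergency-data-recovery",
                           "key": "emergency.txt"},
     "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN}},
    # Unrelated legitimate activity that the triage must leave out.
    {"eventTime": "2023-08-26T21:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.20",
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"},
     "userIdentity": {"type": "IAMUser", "userName": "web-svc",
                      "arn": f"arn:aws:iam::{ACCT}:user/web-svc"}},
]})


def load_records(raw_json):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(raw_json).get("Records", [])


def attribute_to_suspect(records, suspect):
    """Events performed by `suspect` directly or through a role session it created.

    First pass collects the session ARNs returned by the user's successful
    AssumeRole calls; second pass keeps events by the user name or by any of
    those sessions. Result is ordered by eventTime (ISO-8601 sorts lexically).
    """
    sessions = set()
    for rec in records:
        ident = rec.get("userIdentity", {})
        if (ident.get("userName") == suspect and rec.get("eventName") == "AssumeRole"
                and "errorCode" not in rec):
            sessions.add(rec["responseElements"]["assumedRoleUser"]["arn"])
    hits = [rec for rec in records
            if rec.get("userIdentity", {}).get("userName") == suspect
            or rec.get("userIdentity", {}).get("arn") in sessions]
    return sorted(hits, key=lambda r: r["eventTime"])


def _is_expected_source(source, networks):
    """True if sourceIPAddress lies in an expected network. CloudTrail may put a
    service name (e.g. a DNS name) in this field; treat that as not an address."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in networks)


def triage(records, suspect, expected_networks):
    """Summarise the suspect's activity: first sighting, denied calls,
    roles assumed, objects read, and source IPs outside the expected ranges."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    events = attribute_to_suspect(records, suspect)
    ok = [e for e in events if "errorCode" not in e]
    return {
        "first_seen": events[0]["eventTime"] if events else None,
        "denied_calls": sum(1 for e in events if "errorMessage" in e),
        "roles_assumed": [e["requestParameters"]["roleArn"]
                          for e in ok if e["eventName"] == "AssumeRole"],
        "objects_read": [e["requestParameters"]["bucketName"] + "/" + e["requestParameters"]["key"]
                         for e in ok if e["eventName"] == "GetObject"],
        "unexpected_ips": sorted({e["sourceIPAddress"] for e in events
                                  if not _is_expected_source(e["sourceIPAddress"], nets)}),
        "calls_by_name": dict(Counter(e["eventName"] for e in events)),
    }


if __name__ == "__main__":
    # 10.0.0.0/8 stands in for the organisation's known egress ranges (assumption).
    print(json.dumps(triage(load_records(SAMPLE_LOG), "temp-user", ["10.0.0.0/8"]), indent=2))
```

On real data, concatenate the Records lists from every file in the time window before calling triage; the per-file grep counts in the walkthrough are then one line of the calls_by_name breakdown, and objects_read gives the bucket/key list for the data-compromise assessment directly.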

Retracing Steps as an Attacker:

  • Validating Exploitation Path:
    • Simulated the attacker's steps by configuring the AWS CLI with the compromised credentials.
    aws sts get-caller-identity
    aws iam list-user-policies --user-name temp-user
    aws iam get-user-policy --user-name temp-user --policy-name test-temp-user
  • Confirming Role Assumption:
    • Confirmed that “AdminRole” could be assumed from this user and obtained its privileges with the AWS CLI.
    aws sts assume-role --role-arn arn:aws:iam::107513503799:role/AdminRole --role-session-name MySession
  • Accessing Compromised Data:
    • Successfully retrieved files from “emergency-data-recovery” bucket, confirming the breach.
    aws s3 cp s3://emergency-data-recovery/emergency.txt .

Conclusion:

  • Highlighted the critical need for robust AWS security measures and proactive monitoring to thwart unauthorized access attempts.
  • Emphasized the role of thorough log analysis and swift incident response in mitigating cloud security risks.