Amazon on Fire: how temporary tokens have become a new weapon in the hands of attackers

Brother

Even multi-factor authentication doesn't help. Is it possible to secure your systems?

Red Canary cybersecurity researchers Thomas Gardner and Cody Betsworth found that attackers can use the Security Token Service (STS) in Amazon Web Services (AWS) to break into cloud accounts and conduct subsequent attacks.

AWS STS is a web service that allows users to request temporary credentials with limited permissions to access AWS resources without having to create an AWS identity. The validity period of these STS tokens can vary from 15 minutes to 36 hours.

Criminals can steal long-term IAM tokens using various methods, such as malware infection, publicly available credentials, and phishing emails, and then use them to determine the roles and privileges associated with these tokens through API calls.

Depending on the token's permission level, attackers can use it to create additional IAM users with their own long-term AKIA tokens, so that they keep persistence even if the original AKIA token, together with all the short-term ASIA tokens derived from it, is detected and revoked.

In the next step, an MFA-authenticated STS token is used to mint several new short-term tokens, after which post-exploitation actions such as data exfiltration follow.

To counter AWS token abuse, Red Canary experts recommend logging CloudTrail event data, detecting role binding events and MFA abuse, and regularly rotating the long-term access keys of IAM users.
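The three recommendations above translate directly into detection logic. The following is an added example, not code from the article or from Red Canary: it classifies access keys by their AKIA/ASIA prefix, runs two rules over a handful of constructed CloudTrail-shaped records (a temporary session minting further STS sessions, and a temporary session creating a new IAM user or long-term key), and flags long-term keys past an assumed 90-day rotation threshold. The sample records, key IDs, dates and the threshold are all made up for illustration; the field names follow CloudTrail's `eventSource`/`eventName`/`userIdentity` layout.

```python
"""Flag the STS abuse patterns described above in CloudTrail-style records.

Detections, from the defender's side:
  1. A temporary session (ASIA key) calling GetSessionToken/AssumeRole, i.e. a
     short-term token minting more short-term tokens.
  2. A temporary session calling CreateUser/CreateAccessKey, i.e. persistence
     (a new long-term AKIA key) created from a short-term token.
  3. Long-term AKIA keys older than a rotation threshold.
"""
from datetime import datetime, timezone

ROTATION_DAYS = 90  # assumed rotation policy; not a figure from the article


def key_kind(access_key_id):
    """Classify an access key by prefix: AKIA = long-term IAM key, ASIA = STS temporary key."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def _mfa_authenticated(identity):
    """True when the session behind the call was established with MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def detect_sts_abuse(events):
    """Return findings as (rule, eventName, accessKeyId, mfa_authenticated) tuples."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        kind = key_kind(key)
        name = ev.get("eventName", "")
        source = ev.get("eventSource", "")
        mfa = _mfa_authenticated(ident)
        # Rule 1: a short-term token requesting yet another short-term token.
        if source == "sts.amazonaws.com" and name in ("GetSessionToken", "AssumeRole") and kind == "temporary":
            findings.append(("sts_chaining", name, key, mfa))
        # Rule 2: a short-term token creating long-lived identities or keys.
        if source == "iam.amazonaws.com" and name in ("CreateUser", "CreateAccessKey") and kind == "temporary":
            findings.append(("persistence_from_temp_session", name, key, mfa))
    return findings


def stale_long_term_keys(keys, now, max_age_days=ROTATION_DAYS):
    """Return (AccessKeyId, age_in_days) for AKIA keys older than the threshold.

    `keys` mirrors the AccessKeyId/CreateDate metadata fields of iam:ListAccessKeys.
    """
    stale = []
    for k in keys:
        if key_kind(k["AccessKeyId"]) != "long-term":
            continue
        age_days = (now - k["CreateDate"]).days
        if age_days > max_age_days:
            stale.append((k["AccessKeyId"], age_days))
    return stale


# Constructed sample records (made-up values, CloudTrail-shaped fields).
SAMPLE_EVENTS = [
    {   # normal: a long-term key obtains an MFA-backed session
        "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"},
    },
    {   # rule 1: the temporary session mints another session
        "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000002",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # rule 2: the temporary session creates a new IAM user ...
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000002",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # ... and a long-term key for it
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000002",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # benign read from the temporary session; no finding
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLE000000002"},
    },
]

SAMPLE_KEYS = [  # constructed key metadata
    {"AccessKeyId": "AKIAEXAMPLE000000001", "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "CreateDate": datetime(2023, 12, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in detect_sts_abuse(SAMPLE_EVENTS):
        print("alert:", finding)
    for key_id, age in stale_long_term_keys(SAMPLE_KEYS, NOW):
        print(f"rotate: {key_id} is {age} days old")
```

Run against the constructed records, rule 1 fires once and rule 2 twice, all from the same MFA-authenticated ASIA session, which is exactly the chain worth correlating in a SIEM: the MFA flag on its own is not a clean signal, since the article's point is that the session doing the damage can be MFA-backed. In production the events would come from CloudTrail (for instance via Athena or a log pipeline) and the key metadata from `iam:ListAccessKeys`; the rules themselves do not change.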

The researchers emphasize: "AWS STS is a critical security element for limiting the use of static credentials and the duration of user access to the cloud infrastructure. However, in certain IAM configurations that are common in many organizations, attackers can also create and abuse these STS tokens to access cloud resources and perform malicious actions."

This case demonstrates how important it is to carefully control access and privileges in cloud environments. Even such seemingly reliable security tools as AWS STS temporary tokens can be used by attackers if the company does not take proper precautions.

To avoid this, organizations should monitor their cloud account activity more closely, rotate their credentials regularly, and limit privileges according to the principle of least privilege. Vigilance and a well-thought-out approach to security are the key to protecting against such attacks.