Threat actors exploring AWS environments and API calls may operate undetected
Amazon Web Services (AWS) has addressed a critical bypass vulnerability that could have been exploited by attackers to evade monitoring through the CloudTrail API.
In a blog post published on January 17 by Datadog Security Labs, senior researcher Nick Frichette discussed how the vulnerability affects the CloudTrail event logging service, which serves as a vital resource for security teams investigating API activities.
Effective event logging is essential for detecting suspicious actions and conducting forensic analysis following a security breach.
CloudTrail is responsible for monitoring and recording events within AWS environments and API interactions. However, the Datadog Security Research Team discovered that a means of bypassing this logging existed, allowing threat actors to conduct reconnaissance of the Identity and Access Management (IAM) service without detection.
During their investigation, the team examined two services that handle requests in the AWS Console. Datadog identified ‘iamadmin’ as an undocumented API; calls to certain of its endpoints produced no corresponding log entry in CloudTrail.
The researchers identified 13 IAM methods that could be utilized, although some produced unusual results.
“After experimenting with this method, it became evident that this was not intended functionality,” Frichette remarked.
“By bypassing CloudTrail logging and accessing the results of these calls, the implications for security teams are serious because it hinders their ability to monitor adversarial actions within an environment.”
Moreover, Frichette indicated that the same evasion technique could also allow bypassing Amazon’s GuardDuty, since CloudTrail functions as its primary data source.
Consequences
Exploiting the vulnerability could enable attackers to carry out reconnaissance activities. In discussions with The Daily Swig, Frichette explained that when the iamadmin service executes IAM API calls, an attacker could prompt a response revealing the groups associated with a specific IAM user.
Additionally, “if queried, it would reveal the IAM policies associated with an IAM group, potentially disclosing especially privileged groups, and could indicate whether an IAM user has an MFA [multi-factor authentication] device linked to their account, which is valuable for future targeting.”
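As an added defender-side example (not from the article, Datadog or AWS), the following Python flags principals that perform several distinct IAM reconnaissance reads of the kind described above within a short window, run over constructed CloudTrail-shaped records. It assumes that, after the fix, such reads are recorded under the standard IAM event source and event names; the event names used are real IAM actions, but the article does not state which ones the iamadmin path exposed, so that mapping is an assumption.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Real IAM read-only actions that reveal group membership, group policies and
# MFA state, i.e. the reconnaissance described above. Which actions the
# iamadmin path exposed is not stated in the article; this list is an assumption.
RECON_EVENTS = {"ListGroupsForUser", "ListGroupPolicies",
                "ListAttachedGroupPolicies", "ListMFADevices"}

def _rec(time, source, name, user):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": True,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample log: alice enumerates three things in a few minutes,
# bob makes one read, and an S3 read is unrelated noise. Assumes that after
# the fix these reads are recorded under the standard IAM eventSource.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2022-10-25T10:00:01Z", "iam.amazonaws.com", "ListGroupsForUser", "alice"),
    _rec("2022-10-25T10:00:40Z", "iam.amazonaws.com", "ListAttachedGroupPolicies", "alice"),
    _rec("2022-10-25T10:02:15Z", "iam.amazonaws.com", "ListMFADevices", "alice"),
    _rec("2022-10-25T10:03:00Z", "iam.amazonaws.com", "ListMFADevices", "bob"),
    _rec("2022-10-25T11:30:00Z", "s3.amazonaws.com", "ListBuckets", "alice"),
]})

def flag_iam_recon(log_json, min_distinct=3, window=timedelta(minutes=10)):
    """Return {principal_arn: sorted event names} for every principal that
    issued at least `min_distinct` different recon reads inside `window`."""
    by_principal = defaultdict(list)
    for rec in json.loads(log_json)["Records"]:
        if rec.get("eventSource") == "iam.amazonaws.com" \
                and rec.get("eventName") in RECON_EVENTS:
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[rec["userIdentity"]["arn"]].append((ts, rec["eventName"]))
    flagged = {}
    for arn, events in by_principal.items():
        events.sort()
        # Slide a window forward from each event; distinct names, not volume,
        # is what separates enumeration from a repeated single call.
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[arn] = sorted(names)
                break
    return flagged
```

Calling `flag_iam_recon(SAMPLE_LOG)` on the constructed log flags only alice; a single ListMFADevices call by bob is below the distinct-action threshold.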
An AWS representative confirmed the vulnerability’s existence but noted that the read-only APIs continued to enforce customer-based authentication and authorization protocols.
“The compromised entity must possess sufficient privileges to initiate these actions, but this vulnerability allows such actions to occur completely unnoticed,” noted Datadog.
Reporting and Resolution
The researchers notified AWS about the vulnerability on March 10, 2022. AWS’s security team acknowledged the report on the same day. However, due to the intricate changes required for remediation, a fix was not implemented until October.
On October 24, AWS issued a patch that updated the iamadmin API calls to generate log entries in CloudTrail, as the IAM service already did.
An AWS spokesperson confirmed that the affected API methods have been modified, and no further action on the customer’s part is necessary.
“These types of vulnerabilities are not the norm,” Frichette stated. “To my knowledge, there are no other publicly recognized vulnerabilities that have previously allowed an attacker to bypass logging for AWS API actions normally recorded.”
Based on an article from PortSwigger: https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool