AWS patches bypass bug in CloudTrail API monitoring tool

Malicious actors exploring AWS environments and API interactions may operate without detection.

AWS CloudTrail API, event monitor bypass patched

Amazon Web Services (AWS) has addressed a vulnerability that could potentially allow attackers to evade CloudTrail API monitoring.

In a January 17 blog entry, Datadog Security Labs senior researcher Nick Frichette noted that this vulnerability affects the CloudTrail event logging service, which serves as a critical data source for defenders analyzing API activities.

Logging solutions are essential for identifying suspicious actions and conducting forensic investigations following security breaches.


CloudTrail tracks and records events in AWS environments, including API usage. However, the Datadog Security Research Team identified a method for circumventing this logging, enabling threat actors to conduct reconnaissance against the IAM service without being detected.

The team evaluated two services that process requests in the AWS Console and discovered that the undocumented API “iamadmin” allowed access to endpoints without triggering event logs in CloudTrail.

They identified 13 IAM methods that could be invoked, albeit with some leading to unexpected behaviors.

“Experimenting with this technique made it clear that it was not intended behavior,” Frichette remarked.

“The ability to bypass CloudTrail logging and obtain the results of those calls poses significant risks for defenders, as it inhibits their capability to monitor an adversary’s actions within an environment.”

Additionally, Frichette indicated that this technique might also enable evasion of Amazon’s GuardDuty, since CloudTrail is utilized as its data source.

Implications

Exploiting this flaw allows attackers to engage in reconnaissance. Frichette elaborated that using the iamadmin service to invoke IAM API calls, an attacker could uncover group memberships of IAM users.

Moreover, other calls “would unveil the IAM policies tied to an IAM group, which could expose particularly privileged groups. Additionally, another call would indicate whether an IAM user has a multi-factor authentication device linked to their account, aiding in identifying potential targets.”
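As an added example (not from the article or from Datadog's research), the snippet below shows the defender-side counterpart: scanning CloudTrail records for the kind of IAM enumeration described above (group membership, policies attached to a group, MFA device lookups) and flagging principals that issue several distinct calls. The event names are real IAM API names chosen to match that description rather than names the article lists, and the sample records are constructed; the detection only works because such calls land in CloudTrail under the iam.amazonaws.com event source, which is exactly what the unpatched iamadmin path failed to produce.

```python
import json
from collections import defaultdict

# Read-only IAM calls matching the reconnaissance the article describes:
# group membership, policies attached to a group, and MFA device lookups.
# Real IAM API names, but assumed here; the article does not name them.
RECON_EVENTS = {"ListGroupsForUser", "ListAttachedGroupPolicies",
                "GetGroup", "ListMFADevices"}


def recon_by_principal(records, threshold=3):
    """Return {principal ARN: sorted distinct recon event names} for every
    principal whose distinct IAM recon calls reach `threshold`.
    Only events with eventSource iam.amazonaws.com are considered, so a
    path that skips CloudTrail entirely would be invisible to this check."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in RECON_EVENTS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        seen[principal].add(rec["eventName"])
    return {p: sorted(names) for p, names in seen.items()
            if len(names) >= threshold}


# Constructed sample records in CloudTrail's JSON shape (not real log data;
# 111122223333 is a placeholder account id).
SAMPLE = json.loads("""[
 {"eventSource":"iam.amazonaws.com","eventName":"ListGroupsForUser",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventSource":"iam.amazonaws.com","eventName":"ListAttachedGroupPolicies",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventSource":"iam.amazonaws.com","eventName":"ListMFADevices",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventSource":"iam.amazonaws.com","eventName":"ListMFADevices",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}},
 {"eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
]""")

if __name__ == "__main__":
    for principal, names in recon_by_principal(SAMPLE).items():
        print(f"IAM enumeration by {principal}: {', '.join(names)}")
```

With the sample above only alice is flagged; bob's single MFA lookup stays below the threshold and his S3 call is ignored because it is not an IAM event.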

An AWS representative confirmed the vulnerability’s existence but clarified that read-only APIs remained bound by customer authentication and authorization protocols.

“The compromised entity must possess adequate privileges to execute these actions, yet this vulnerability permits them to do so without detection,” Datadog highlighted.

Reporting and Resolution

The researchers notified AWS about the issue on March 10, 2022. Amazon’s security team responded on the same day; however, due to the necessity for extensive internal modifications to rectify the bug, a fix was not implemented until October.

On October 24, AWS issued a remedy that amended iamadmin API calls to generate events in CloudTrail consistent with the iam service.

An AWS spokesperson affirmed that the affected API methods have been updated and that no action is required from customers.

“Vulnerabilities of this nature are rare,” Frichette remarked. “To my knowledge, there are no other publicly documented vulnerabilities that enable an attacker to sidestep logging for AWS API actions that would typically be recorded.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/aws-patches-bypass-bug-in-cloudtrail-api-monitoring-tool
