In this blog we will take a look at the PwnedLabs lab "Breach in the Cloud", in which an AWS S3 bucket is breached, analyze the logs in AWS CloudTrail, and then replicate the attacker's footsteps to get the flag.
Topics Covered
Here are the topics that will be covered:
What is AWS S3 Bucket?
What is AWS CloudTrail?
Layout of the attack chain.
Analyzing CloudTrail Logs.
Re-creating the attacker's footsteps.
AWS S3 Buckets (Short Introduction)
Amazon Simple Storage Service (Amazon S3) is a scalable object storage service provided by Amazon Web Services (AWS). S3 is designed to store and retrieve any amount of data from anywhere on the web. One of its key features is the "bucket".
Amazon S3 buckets are similar to file folders and can be used to store, retrieve, back up and access objects. Each object has three main components -- the object's content or data, a unique identifier for the object and the descriptive metadata, including the object's name, URL and size.
AWS CloudTrail (Short Introduction)
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides a comprehensive event history of your AWS infrastructure, including changes to resources and API activity.
Here are some of the key features:
Event Logging
Log Files
Encryption
Event History
and many more. Here is an example of AWS CloudTrail in an environment.
Attack Scenario
Official scenario description:
In this lab, we are alerted of a security incident that has occurred in an AWS account. We have been provided with CloudTrail logs of the AWS account together with its Access Keys and Secret Keys. The logs contain all the activities that happened during the incident. Also, we are to confirm the breach happened by analyzing the CloudTrail log files and identifying the compromised AWS service and any data that was exfiltrated.
Before we move forward in the lab, I would like to visualize the whole attack chain.
The attacker has compromised an IAM User called "temp-user".
After enumerating the policies, it assumes the role called "AdminRole".
After assuming the role, it interacts with an S3 bucket called "emergency-data-recovery" and fetches the emergency.txt file.
The whole environment is monitored by AWS CloudTrail.
Setup
Now grab the AWS access key and secret key provided, then configure them in the AWS CLI.
The attacker then tries to list the objects using "list-objects" on an AWS S3 bucket named "emergency-data-recovery" but gets an "AccessDenied" error because of inadequate permissions.
The attacker also tried to list the instance profiles using "list-instance-profiles" but got an error. There are a lot of enumeration events in the logs, which indicates that the attacker was noisy and suggests the possible use of the AWS exploitation framework Pacu.
One thing to note is that the source IP address is 84.32.71.18.
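The triage described above, written out as an added example (not code from the lab or the original post): a short Python script that parses a CloudTrail JSON file and pulls out the three signals the analysis relies on, denied calls per source IP, AssumeRole events and S3 GetObject reads. The log records are constructed to mirror the lab's attack chain; the account ID 123456789012 and the session name dr-session are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a real CloudTrail file ({"Records": [...]}),
# mirroring the lab's attack chain. Account ID and session name are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-08-26T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies", "sourceIPAddress": "84.32.71.18",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"}},
    {"eventTime": "2023-08-26T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "84.32.71.18",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"},
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "emergency-data-recovery"}},
    {"eventTime": "2023-08-26T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListInstanceProfiles", "sourceIPAddress": "84.32.71.18",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2023-08-26T10:00:04Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "84.32.71.18",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventTime": "2023-08-26T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "84.32.71.18",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/dr-session"},
     "requestParameters": {"bucketName": "emergency-data-recovery", "key": "emergency.txt"}},
]})

def triage(log_text):
    """Return denied calls per source IP, role assumptions and S3 object reads."""
    denied, assumed, reads = Counter(), [], []
    for r in json.loads(log_text)["Records"]:
        ip, name = r.get("sourceIPAddress", "?"), r["eventName"]
        ident = r.get("userIdentity", {})
        if "errorCode" in r:                      # failed calls = enumeration noise
            denied[ip] += 1
        elif name == "AssumeRole":                # privilege change via STS
            assumed.append((ip, r["requestParameters"]["roleArn"]))
        elif name == "GetObject":                 # data read, candidate exfiltration
            p = r["requestParameters"]
            who = ident.get("arn") or ident.get("userName")
            reads.append((who, f"s3://{p['bucketName']}/{p['key']}"))
    return {"denied": dict(denied), "assumed_roles": assumed, "object_reads": reads}

def noisy_sources(log_text, threshold=2):
    """Source IPs with at least `threshold` denied calls, the tell for Pacu-style scanning."""
    return sorted(ip for ip, n in triage(log_text)["denied"].items() if n >= threshold)
```

On a real export, read each gzipped log file into `log_text` and run `triage` over every file, then merge the counters; the denied-call count per IP is what points at 84.32.71.18 in the lab.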
root@kali ~/p/breach-in-the-cloud# cat emergency.txt
=========== Huge Logistics Emergency Recovery Plan ===========

flag: 3eb222cf55522f0f321f1ed5ed9a3663

Purpose: This document provides a reference to essential credentials and steps to be taken during a disaster recovery scenario
---------------------
Date of Last Update: 8/26
Updated By: Jose
---------------------

--- On-Premise Systems ---

1. System Name: ERP System
   - Access URL/Endpoint: http://erpsystem.hugelogistics.local
   - Username: admin_erp
   - Password: dem0Passw0rd!ERP
   - Recovery Steps:
     1. Access the ERP System administrative console through the provided URL.
     2. Check system status and logs for any anomalies.
     3. Restore from the most recent backup if data corruption is detected.

2. System Name: Warehouse Management System
   - Access URL/Endpoint: http://warehouse.hugelogistics.local
   - Username: admin_warehouse
   - Password: dem0Passw0rd!WMS
   - Recovery Steps:
     1. Verify physical server integrity in the on-premise server room.
     2. Restart services related to the warehouse system.
     3. Confirm synchronization with other integrated systems.

--- Cloud Systems ---

1. System Name: Cloud-based Customer Portal
   - Cloud Provider: AWS
   - Access URL/Endpoint: http://customerportal.hugelogistics.com
   - IAM Role ARN: arn:aws:iam::accountID:role/DR_Role
   - Access Key: AKIAD3M0EX4MPL3DEMO
   - Secret Key: wJalrXUtnFEMI/K7MDENG/dem0accessKEY
   - Recovery Steps:
     1. Log in to AWS Management Console with the provided IAM role.
     2. Navigate to EC2 Dashboard and verify the health of customer portal instances.
     3. Inspect CloudWatch Logs for any suspicious activities or system errors.

2. System Name: Cloud-based Tracking System
   - Cloud Provider: Azure
   - Access URL/Endpoint: http://tracking.hugelogistics.com
   - Service Principal ID: c2569dc2-eg1f-11ea-adc1-DEMOPRINCIPAL
   - Client Secret: 12345678-abcd-1234-efgh-56789abcdef01
   - Recovery Steps:
     1. Access Azure Portal and navigate to the Tracking System's Resource Group.
     2. Review the Application Insights associated with the tracking system.
     3. Perform a failover if primary region is experiencing issues.
Conclusion
As we saw in this lab, we used a purple team approach to first analyze the AWS CloudTrail logs and then re-create the attacker's path to confirm a successful breach.