Lateral movement within AWS environments
In the hands of experienced hackers, leaked secrets can be very powerful and dangerous. For example, the attackers behind this project demonstrated advanced knowledge of AWS APIs. After obtaining the AWS access key the attackers use it to execute a GetCallerIdentity API call to verify the identity or role assigned to authenticate publicly. They also performed some test actions by calling ListUsers to collect a list of IAM users in an AWS account and ListBuckets to identify all existing S3 buckets.
In the investigated AWS vulnerability, attackers saw an exposed AWS IAM role they discovered did not have administrative rights to all services. However, it had permission to create new IAM roles and attach IAM policies to existing ones. They then proceed to create a new role called lambda-ex and attach the AdministratorAccess policy to it, gaining privilege escalation.
“After successfully creating a privileged IAM role, the threat actor attempted to create two different infrastructure stacks, one using Amazon Elastic Cloud Compute (EC2) services and the other using AWS Lambda,” the researchers said. “By executing these execution tactics, the actors failed to create the security group, key pairs and EC2 instance, but successfully created multiple lambda functions with the newly created IAM role attached.”
Source link