Experts have found a whole new attack vector for AWS
>
Mitiga, a cloud incident management company, claims to have discovered an entirely new attack vector that could put Amazon Web Services (AWS) users at risk of cyber-attacks.
In a report (opens in new tab)said the company that a new Amazon Virtual Private Cloud (opens in new tab) (VPC) feature called “Elastic IP transfer” (EIP) can be exploited by threat actors to compromise IP addresses and thus reach target endpoints.
Elastic IP Transfer is a feature that allows users to transfer Elastic IP addresses from one AWS account to another, a feature that makes moving Elastic IP addresses while restructuring AWS accounts simpler and easier. But as is often the case with new offers, this one came with an exploitable flaw.
Threats under the radar
“This is a new vector for post-initial compromise attack, which was not possible before (and is not yet in the MITER ATT&CK Framework), which organizations may not be aware of its possibility,” Mitiga said in its announcement.
In addition, the company said the flaw “could increase the radius of an attack and allow further access to systems that rely on IP allow lists as their primary form of authentication or validation.”
The company claims that the attack vector is brand new and unique, as Elastic IP was “never considered a resource you should be protecting from exfiltration,” claiming that the hijacking of an EIP doesn’t even show up at all in the MITER ATT&CK knowledge base as a technique. This means that the victims may not be aware of the attack at all.
In an example of what the flaw could be used for, Mitiga explains how a threat actor could link the stolen IP address to an EC2 instance in an AWS account they own and use it to reach their endpoints. Even a firewall wouldn’t help much because it would have a rule that allows connections from the stolen IP address. Consequently, they could use it to carry out phishing attacks, the company said.
To stay safe, AWS users are advised to view their EIP resources as you would any AWS resource at risk of being intercepted: “Use the principle of least privilege on your AWS accounts and even enable the to completely hand over EIP if you don’t need it,” the blog concludes.