All Articles

Account jumping post infection persistency and lateral movement in AWS

The widespread adoption of AWS as an enterprise platform for storage, computing and services makes it a lucrative opportunity for the development of AWS focused APTs. We will cover pre-infection, post-infection and advanced persistency techniques on AWS that allows an attacker to access staging and production environments, as well as read and write data and even reverse its way from the cloud to the the corporate datacenter. This session will cover several methods of infection including a new concept - "account jumping" for taking over both PaaS (e.g. ElasticBeans) and IaaS (EC2, EC2 Containers) resources, discussing poisoned AMIs, dirty account transfer, as well as leveraging S3 and CloudFront for performing AWS specific credentials thefts that can easily lead to full account access. We will then discuss the post-infection phase and how attackers can manipulate AWS resources (public endpoints like EC2 IPS, Elastic IPS, load balancers and more) for complete MITM attacks on services. We will demonstrate how attackers code can be well hidden via Lambda functions, some cross zone replication configuration and the problem with storage affinity to a specific account. We'll examine hybrid deployments from the cloud and compromising the on premise datacenter by leveraging and modifying connectivity methods (HW/SW VPN, Direct connect or cloud hub). Finally, we'll end with a discussion on best practices that can be used to protect from such attacks such as bastion SSH/RDP gateways, understanding the value of CASB based solutions and where they fit, leverage audit and HSM capabilities in AWS as well as looking at different Isolation approaches to create isolation between administrators and the cloud while still providing access to critical services.

Speakers

Dor Knafo

Dor Knafo leads the security research at FireGlass and is responsible for all malware, web attacks and reverse engineering research. Prior to FireGlass, Knafo spent five years in the IDF Intelligence as a security and research engineer.

Dan Amiga

Dan Amiga is the Co-Founder and CTO of FireGlass, a cybersecurity startup which commercializes military grade network security concepts into paradigm shifting enterprise security products. Amiga has spent years doing IT security in the IDF intelligence where he was focused on inventing and developing new security solutions that go far beyond firewalls, proxies or heuristic based anti-malware solutions. After moving to the private sector, Amiga has worked for the Microsoft Technology Center as a senior consultant for highly secure organizations, governments and critical infrastructure companies. He then moved to the energy giant Schneider Electric where he held the position of Chief Software Architect. Amiga has given talks in major international security and software conferences and is also an adjunct professor in the Interdisciplinary Center, Israel, teaching advanced cloud computing topics.

Detailed Presentation: