A new security threat to a recently introduced functionality in Amazon Web Services (AWS) has been uncovered by researchers from Mitiga.
The attack vector relates to AWS’ Amazon Virtual Private Cloud feature ‘Elastic IP transfer,’ which was announced in October 2022. This feature enables a far easier transfer of Elastic IP addresses from one AWS account to another.
However, the researchers revealed it is possible for a threat actor to exploit Elastic IP transfer and compromise an IP address. At this point, they can launch a wide range of attacks, “depending on what type of trust and reliance others have in relation to the hijacked IP.”
These include communicating with network endpoints behind other external firewalls used by the victims if those firewalls carry an allow rule for the specific Elastic IP address that has been transferred. Another possible tactic is to conduct malicious activity from the Elastic IP address, for example using it as a command and control server for malware campaigns, which may go under the radar of defensive tools that trust the address.
The team warned: “As often happens with a useful new feature, a malicious actor with the right credentials and permissions could potentially misuse the feature to cause harm.”
The blog also noted that “this is a new vector for post-initial-compromise attack, which was not previously possible (and does not yet appear in the MITRE ATT&CK Framework).” Therefore, organizations may not be aware of it.
Detailing how Elastic IP transfer can be exploited, the researchers emphasized that threat actors would require identity and access management (IAM) permissions that allow them to ‘see’ the existing Elastic IP addresses and their statuses. They would also require permission to enable Elastic IP address transfer.
“In sum, the adversary will likely need at least two and possibly three API permissions to use this feature for bad purposes,” read the post.
Mitiga said it had already notified the AWS security team about its findings “and incorporated the feedback we got as part of this blogpost.”
The researchers then set out a range of actions organizations using Elastic IP transfer can use to mitigate this threat. These included:
- Applying the principle of least privilege by utilizing AWS’ ‘service control policies’
- Automated detection and response through the use of the EnableAddressTransfer API
- Using AWS’ bring your own IP (BYOIP) feature
- Reverse DNS protections
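As an added illustration of the automated-detection item above (not code from Mitiga's post), a small Python filter over CloudTrail-style records that reports EnableAddressTransfer calls whose destination account is not on an allowlist, plus every AcceptAddressTransfer call. The records are constructed samples; the `transferAccountId`/`allocationId` key names under `requestParameters` are assumptions to verify against real CloudTrail output.

```python
import json
from typing import Iterable

# Accounts that may legitimately receive Elastic IP transfers.
# Constructed sample value; replace with your organization's account IDs.
ALLOWED_TRANSFER_ACCOUNTS = {"111111111111"}

# EC2 API actions involved in an Elastic IP transfer. The page names
# EnableAddressTransfer; AcceptAddressTransfer is the receiving side.
TRANSFER_ACTIONS = {"EnableAddressTransfer", "AcceptAddressTransfer"}

# Constructed CloudTrail-style records for illustration only. The exact key
# names under requestParameters are an assumption; check them against real events.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeAddresses",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"},
     "requestParameters": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"},
     "requestParameters": {"allocationId": "eipalloc-0123456789abcdef0",
                           "transferAccountId": "111111111111"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"allocationId": "eipalloc-0fedcba9876543210",
                           "transferAccountId": "999999999999"}},
]


def find_suspicious_transfers(events: Iterable[dict], allowed: set) -> list:
    """Return findings for EIP transfer calls to accounts outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in TRANSFER_ACTIONS:
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("transferAccountId")
        # Only EnableAddressTransfer names a destination account; an
        # AcceptAddressTransfer event carries none, so it is always reported.
        if ev["eventName"] == "EnableAddressTransfer" and target in allowed:
            continue
        findings.append({
            "action": ev["eventName"],
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "allocation_id": params.get("allocationId"),
            "target_account": target,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_transfers(SAMPLE_EVENTS, ALLOWED_TRANSFER_ACCOUNTS):
        print(json.dumps(finding))
```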
The researchers concluded: “The EIP transfer feature is very useful, but it creates a new attack dimension that was not previously seen on AWS. Stealing static public IP addresses can affect organizations greatly, risking not only company assets but the company customers, too.”
In November 2022, it was discovered that hundreds of Amazon Relational Database Service (RDS) instances were being exposed every month, with extensive leakage of personally identifiable information.