February 4, 2023

Researchers have uncovered a new type of threat that evolves in the newly introduces AWS functionality

The attack vector relates to AWS VPC  feature ‘Elastic IP transfer,’ which was announced in October 2022. This feature enables a far easier transfer of Elastic IP addresses from one AWS account to another account.

It is possible for a threat actor to exploit Elastic IP transfer and compromise an IP address. It  can be used to launch a wide range of attacks, depending on what type of trust and reliance others have in relation to the hijacked IP.

  • Communicating with network endpoints found behind other external firewalls used by the victims if there is an allow rule on the specific elastic IP address that has been transferred.
  • Conducting malicious activities using the Elastic IP address, such as command and control server for malware campaigns, that may go under the radar of defensive tools.
Advertisements

This is a new vector for post-initial-compromise attack, which was not previously possible and not even a part of MITRE ATT&CK Framework, which is alarming

Threat actors would require IAM  permissions that allows them to see the existing elastic IP addresses and their statuses. They will also require permission to enable Elastic IP address transfer.

The researchers then set out a range of actions organizations using Elastic IP transfer can use to mitigate this threat. These included:

  • Applying the principle of least privilege by utilizing AWS’ ‘service control policies’
  • Automated detection and response using the EnableAddressTransfer API
  • Using AWS bring your own IP (BYOIP) feature
  • Reverse DNS protections

Researchers notified the AWS about the findings and incorporated the feedback we got as part of this blogpost.

Though the elastic IP transfer is a new and useful feature, but it creates a new attack dimension that was not previously seen on AWS. Stealing static public IP addresses can affect organizations greatly, risking not only company assets but the company customers.

Advertisements

This research was documented by researchers from Mitiga

Leave a Reply

%d bloggers like this: