Troubles in the Cloud with AWS Elastic IP Transfer Feature
Category: Cloud Security | Industry: Global | Level: Tactical | Source: Mitiga
Mitiga threat researchers shared research on a new attack vector enabled by a new AWS feature, "Elastic IP transfer," which allows IP addresses to be transferred to other organizations. As Amazon explains, it is "a new VPC feature that allows you to transfer your Elastic IP addresses from one AWS Account to another, making it easier to move Elastic IP addresses during AWS Account restructuring." While convenient, Mitiga researchers identified potential attack vectors to exploit this feature if an attacker has compromised an AWS organization and obtained the necessary rights and roles in IAM (Identity and Access Management). A high-risk issue identified by Mitiga is that an Elastic IP transfer can be made to any "AWS account, even AWS accounts that are not owned by you or your organization," and, adding to its simplicity, "the transfer is entirely API-driven. It includes a two-step handshake between AWS accounts — the source account (either a standard AWS account or an AWS Organizations account) and the transfer account."
Further issues highlighted by Mitiga pertain specifically to Elastic IPs (EIPs) associated with a single AWS instance or elastic network interface (ENI). The attack scenarios outlined include attackers using an EIP that is already disassociated, or attackers disassociating and then transferring EIPs from resources that are either running or inactive. In these attacks, the attacker needs permission to enumerate all available IP addresses in the environment with the AWS API call 'ec2:DescribeAddresses'; from there they can disassociate an IP with 'ec2:DisassociateAddress' or proceed directly to a transfer using 'ec2:EnableAddressTransfer.'
Following a successful transfer, the threat actor can take a variety of actions to abuse the victim's cloud environment, including communicating with other resources allowed by the EIP's security group. If they are able to disassociate EIPs, the attacker can also cut off communication with cloud resources, causing a denial of service (DoS), and tamper with DNS "A" records if a record was configured with the EIP. Mitigation recommendations include implementing the principle of least-privilege access, using AWS service control policies (SCPs), and monitoring for API calls associated with EIP transfer. Mitiga has already sent its research to AWS Security for review and has been actively updating its research blog with any new findings.
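The monitoring recommendation above, as an added detection example that is not part of Mitiga's or Anvilogic's own content: it runs over constructed CloudTrail-style records, flags every EnableAddressTransfer call, and raises severity when the same principal enumerated addresses or disassociated an EIP shortly before, or when the destination account is outside an allowlist of accounts you own. The record layout (camelCase requestParameters keys such as transferAccountId) and the 30-minute window are assumptions to verify against your own logs.

```python
import json
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-10T10:00:00Z", "eventName": "DescribeAddresses",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}, "requestParameters": {}},
    {"eventTime": "2023-01-10T10:04:00Z", "eventName": "DisassociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"associationId": "eipassoc-0abc"}},
    {"eventTime": "2023-01-10T10:05:00Z", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"allocationId": "eipalloc-0abc", "transferAccountId": "999999999999"}},
    {"eventTime": "2023-01-11T09:00:00Z", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/NetworkAdmin"},
     "requestParameters": {"allocationId": "eipalloc-0def", "transferAccountId": "222222222222"}},
]

ORG_ACCOUNTS = {"111111111111", "222222222222"}  # constructed allowlist of accounts you own
RECON_WINDOW = timedelta(minutes=30)             # assumed lookback for the recon -> transfer chain

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_eip_transfers(events, org_accounts=ORG_ACCOUNTS, window=RECON_WINDOW):
    """Return one finding per EnableAddressTransfer call, scored by surrounding context."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["eventName"] != "EnableAddressTransfer":
            continue
        actor = ev["userIdentity"]["arn"]
        target = ev["requestParameters"].get("transferAccountId", "")
        # Earlier calls by the same principal inside the window are the recon/disassociation stage.
        prior = {e["eventName"] for e in events[:i]
                 if e["userIdentity"]["arn"] == actor and _ts(ev) - _ts(e) <= window}
        reasons = []
        if target not in org_accounts:
            reasons.append("transfer to account outside organization")
        if "DescribeAddresses" in prior:
            reasons.append("preceded by EC2 address enumeration")
        if "DisassociateAddress" in prior:
            reasons.append("preceded by EIP disassociation")
        findings.append({"actor": actor, "allocationId": ev["requestParameters"].get("allocationId"),
                         "transferAccountId": target, "reasons": reasons,
                         "severity": "high" if reasons else "low"})
    return findings

if __name__ == "__main__":
    print(json.dumps(detect_eip_transfers(SAMPLE_EVENTS), indent=2))
```

A transfer to an account you own with no preceding enumeration still produces a low-severity finding, so routine restructuring stays visible without paging anyone.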
- AWS Recon & Elastic IP Transfer
- AWS Recon Followed by Elastic IP Disassociation & Transfer
Anvilogic Use Cases:
- EC2 Data Enumeration
- AWS EnableAddressTransfer
- AWS DisassociateAddress