Threat actors poking around AWS environments and API calls could stay under the radar
Amazon Web Services (AWS) has patched a bypass bug that attackers could exploit to circumvent CloudTrail API monitoring.
In a blog post dated January 17, Datadog Security Labs senior researcher Nick Frichette said the vulnerability impacts the CloudTrail event logging service, a data source for defenders examining API activities.
Event logging solutions can be crucial for defenders in detecting suspicious activities and performing forensic work following a security incident.
CloudTrail monitors and logs AWS environment events alongside API usage. However, according to the Datadog Security Research Team, a technique existed for bypassing logging systems, allowing threat actors to perform reconnaissance activities undetected in the IAM service.
The team tested two services, iam and iamadmi, which receive requests in the AWS Console. Datadog found that iamadmin was an undocumented API, and when calling endpoints such as ListMFADevicesForMultipleUsers – a wrapped for iam:ListMFADevices – there would be no event log in CloudTrail.
The team found 13 AIM methods that could be called, although some generated unexpected behavior.
“After playing with this technique for a while, it became clear that this was not intended functionality,” Frichette commented.
“Being able to bypass CloudTrail logging and getting the results of those calls has serious implications for defenders, because it limits their ability to track what an adversary has done in an environment and what actions they’ve taken.”
Furthermore, the researcher said that the same technique could make it possible to bypass Amazon’s GuardDuty, as CloudTrail is used as its data source.
By exploiting the flaw, attackers could perform reconnaissance activities. Speaking to The Daily Swig, Frichette explained that when the iamadmin service invokes IAM API calls, an attacker could, for example, trigger iam:ListGroupsForUser to “return what groups an IAM user was a part of.”
Furthermore, “iam:ListAttachedGroupPolicies would return what IAM policies are associated with an IAM group, which may reveal groups which are particularly privileged [and] iam:ListMFADevices would return if an IAM user has an MFA [multi-factor authentication] device attached to their account (useful for picking future targets)”.
An AWS spokesperson confirmed the existence of the vulnerability. However, it should be noted that the read-only APIs still applied customer-based authentication and authorization rules.
“The compromised entity must have sufficient privileges to invoke these actions, but with this vulnerability, they could perform these actions completely undetected,” Datadog noted.
The researchers reported the issue to AWS on March 10, 2022. Amazon’s security team acknowledged the report on the same day. Still, due to the complexity of internal changes required to remediate the bug, it wasn’t until October that a fix was pushed.
On October 24, AWS released a fix that updated iamadmin API calls to generate events in CloudTrail in the same manner as the iam service.
An AWS spokesperson confirmed that the impacted API methods have been updated and no customer action is required.
“These types of vulnerabilities are not common,” Frichette says. “To my knowledge, there are no other publicly known vulnerabilities that allowed an attacker to bypass logging for AWS API actions that normally would be logged.”