Cloud incident response firm Mitiga claims to have discovered a brand new attack vector that could put Amazon Web Services (AWS) users at risk of cyberattacks.
In a report (opens in new tab), the company said that a new Amazon Virtual Private Cloud (opens in new tab) (VPC) feature called “Elastic IP transfer” (EIP) could be abused by threat actors to compromise IP addresses and, consequently, reach the target’s endpoints.
Elastic IP transfer is a feature that allows users to transfer Elastic IP addresses from one AWS account to another, a feature that makes moving Elastic IP addresses during AWS account restructuring simpler and easier. But as it’s often the case with new offerings, this one came with an abusable flaw.
Threats under the radar
“This is a new vector for post-initial-compromise attack, which was not previously possible (and does not yet appear in the MITRE ATT&CK Framework), which organizations may not be aware of its possibility,” Mitiga said in its announcement.
Furthermore, the company said the flaw “can expand the blast radius of an attack and allow further access to systems relying on IP allowlisting as their primary form of authentication or validation”.
The company argues the attack vector is brand new and unique as Elastic IP was “never considered a resource you should protect from exfiltration”, claiming that hijacking an EIP isn’t even shown in the MITRE ATT&CK knowledge base as a technique at all.” This means the victims could be completely unaware of the attack taking place, at all.
In an example of what the flaw could be used for, Mitiga explained how a threat actor could attach the stolen IP address to an EC2 instance in an AWS account in their possession, and use it to reach their endpoints. Even a firewall wouldn’t be of much help as it would have a rule allowing connections from the stolen IP address. Consequently, they could use it to launch phishing attacks, the company said.
To stay safe, AWS users are advised to think of their EIP resources just as any AWS resource at risk of exfiltration: “Use the principle of least privilege on your AWS accounts and even disable the ability to transfer EIP entirely if you don’t need it,” the blog concludes.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba