[ad_1]
Attackers can compromise a new feature in Amazon Web Services (AWS) to hijack cloud accounts’ static public IP addresses and abuse them for various malicious purposes, researchers have found.
Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else’s EIP and use it as their own command-and-control (C2), or to launch phishing campaigns that impersonate the victim, researchers from cloud incident response firm Mitiga revealed in a blog post on Dec. 20.
Attackers also can use the stolen EIP to attack a victim’s own firewall-protected endpoints, or to serve as the original victim’s network endpoint to extend opportunities for data theft, the researchers said.
“The potential damage to the victim by hijacking an EIP and using it for malicious purposes can mean using the victim’s name, jeopardizing the victim’s other resources in other cloud providers/on-premises, and [stealing the] victim’s customers’ information,” Or Aspir, software engineer at Mitiga, wrote in the post.
Threat actors must already have permissions on an organization’s AWS account to leverage the new attack vector, which the researchers call “a post-initial-compromise attack.”
However, because the attack was not possible before the feature was added and is not yet listed in the MITRE ATT&CK Framework, organizations may be unaware that they are vulnerable to it, as it’s not likely to be picked up by existing security protections, the researchers said.
“With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it,” Aspir wrote. “In many cases it allows greatly increasing the impact of the attack and gaining access to even more assets.”
How Elastic IP Transfer Works
AWS introduced EIP in October as a legitimate feature to allow transfer of Elastic IP addresses from one AWS account to another. An Elastic…
..
[ad_2]
