The AWS Customer Response Team put out an interesting blog back in May that somehow slipped past my radar! It is an excellent break-down of an attack they are seeing actively used in AWS environments. So, if you utilize AWS, this is something you should be aware of in order to properly protect against and respond to ongoing threats.
“This approach starts with the threat actor using credentials that have the organizations:LeaveOrganization permission grant. This permission provides access to the LeaveOrganization API call, which, when called from a member account, attempts to remove that account from the organization.
It’s important to remember that while this approach might use a compromised root credential, threat actors can also use other methods to elevate their access until they have the required permission or the ability to assume a role that has this permission, or they have the ability to grant their current credential this permission. This is why a least privilege approach to authorization is critical to protect your environment. To learn more, see AWS Identity and Access Management (IAM) documentation and the AWS Organizations guidance on organizational unit (OU) design and service control policy (SCP) implementation.”
The above is a direct quote from the AWS blog, which you will find referenced below. So, first we have attackers using credentials, which is necessary for the attack to begin. As they mention above, a least-privilege approach is absolutely essential to protecting your environment! Each and every account should be reviewed and granted only the access it needs to the systems and data it needs. Sadly, even this basic element of cyber-security hygiene is often overlooked or forgotten!
Once the attackers manage to successfully remove the account they are after, it opens the door! The account’s restrictions (its service control policies) are removed. Even the billing information for the compromised account is removed, so it no longer shows up in billing alerts and anomaly cost detection programs! Exciting bit of information, isn’t it?
The AWS CloudTrail organization trails also stop capturing events for the compromised account, and Amazon GuardDuty findings stop flowing to the central security account. Basically, the compromised account becomes invisible and is left open for whatever actions the attackers desire. Not a good thing for security.
AWS included some excellent detections for this attack technique in their blog as well. You would do well to review them and conduct a thorough check of your AWS environment, since this attack is being utilized currently.
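To make the two controls discussed above concrete, here is an added example (mine, not code from the AWS post): a service control policy that denies the organizations:LeaveOrganization action across member accounts, and a small detector that scans CloudTrail records for LeaveOrganization calls, flagging both blocked attempts (a sign someone is probing with elevated credentials) and successful ones (the account has already left the organization). The CloudTrail records, account IDs, ARNs and IP addresses are constructed placeholders.

```python
import json

# Preventive control: an SCP attached at the organization root (or to the OUs holding
# member accounts) that denies the LeaveOrganization action. SCPs apply to every
# principal in a member account, including its root user, so a compromised root
# credential cannot bypass it. They do not apply to the management account.
# (Added example policy, not taken from the AWS post.)
DENY_LEAVE_ORGANIZATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyLeavingTheOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        }
    ],
}

# Constructed CloudTrail records for illustration only (not real events).
SAMPLE_CLOUDTRAIL_RECORDS = [
    {   # attempt by the member account's root user, blocked by the SCP above
        "eventTime": "2023-05-02T10:14:03Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
        "sourceIPAddress": "203.0.113.10",
        "errorCode": "AccessDenied",
        "errorMessage": "explicit deny in a service control policy",
    },
    {   # successful call from an IAM user in an account without the SCP
        "eventTime": "2023-05-02T10:21:47Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "LeaveOrganization",
        "recipientAccountId": "222222222222",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/deploy"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # unrelated activity that the detector must ignore
        "eventTime": "2023-05-02T10:22:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "recipientAccountId": "222222222222",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/deploy"},
        "sourceIPAddress": "198.51.100.7",
    },
]


def find_leave_organization_events(records):
    """Return one finding per LeaveOrganization call found in CloudTrail records.

    A record with an errorCode is a blocked attempt (still worth an alert: the caller
    held the permission or was testing for it). A record without one succeeded, which
    means the account has already left the organization and lost its SCPs, organization
    trail coverage and GuardDuty reporting.
    """
    findings = []
    for record in records:
        if record.get("eventSource") != "organizations.amazonaws.com":
            continue
        if record.get("eventName") != "LeaveOrganization":
            continue
        blocked = "errorCode" in record
        findings.append(
            {
                "time": record.get("eventTime"),
                "account": record.get("recipientAccountId"),
                "principal": record.get("userIdentity", {}).get("arn"),
                "source_ip": record.get("sourceIPAddress"),
                "outcome": "blocked" if blocked else "succeeded",
                "severity": "high" if blocked else "critical",
            }
        )
    return findings


def load_cloudtrail_file(text):
    """Parse the JSON body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for finding in find_leave_organization_events(SAMPLE_CLOUDTRAIL_RECORDS):
        print(json.dumps(finding))
```

To run this against real data, feed the records from your CloudTrail log files (after decompressing them) to load_cloudtrail_file and then to find_leave_organization_events; a "succeeded" finding should trigger your incident response process, and a "blocked" one should prompt a review of how the calling principal obtained that permission.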
Take the time to review their blog, and then take action on the tips they provide for hunting this threat in your AWS environment!
Carpe Diem!