Cloud accounts could be compromised to facilitate further malicious activity through the exploitation of the Amazon Web Services Security Token Service, according to The Hacker News.
After using AWS STS to spoof cloud user identities, attackers could leverage API calls to identify roles and privileges associated with long-term IAM tokens, or AKIAs, exfiltrated through malware and phishing attacks, a Red Canary report showed.
"Depending on the token's permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to ensure persistence in the event that their initial AKIA token and all of the ASIA short-term tokens it generated are discovered and revoked," said researchers Cody Betsworth and Thomas Gardner, who added that threat actors could then proceed to establish short-term tokens before stealing data and conducting other post-exploitation activities.
Organizations have been urged to prevent such AWS token exploitation by monitoring CloudTrail event data, multi-factor authentication exploitation, and role-chaining incidents, as well as changing long-term IAM user access keys.
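The CloudTrail monitoring recommended above can be sketched as follows. This is an added example, not code from Red Canary or The Hacker News: it links each issued credential to the key that requested it, flags role chaining and new long-term credentials, and lists every token descended from one AKIA so that revocation leaves none behind. The function names and all sample events are assumptions constructed for illustration.

```python
# Added example: CloudTrail field names are real; all key IDs and events are constructed.
STS, IAM = "sts.amazonaws.com", "iam.amazonaws.com"
MINT_SHORT = {"AssumeRole", "GetSessionToken", "GetFederationToken"}
MINT_LONG = {"CreateUser", "CreateAccessKey"}

def root_key(key, parent):
    """Follow the issuance chain back to the key that started it."""
    seen = set()
    while key in parent and key not in seen:
        seen.add(key)
        key = parent[key]
    return key

def analyze(events):
    """Return (findings, parent); parent maps each issued key to its issuing key."""
    parent, findings = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident, resp = ev["userIdentity"], ev.get("responseElements") or {}
        caller, src, name = ident.get("accessKeyId", ""), ev["eventSource"], ev["eventName"]
        if src == STS and name in MINT_SHORT:
            issued = resp.get("credentials", {}).get("accessKeyId")
            if issued:
                parent[issued] = caller
            # Role chaining: a role session is itself used to assume another role.
            if name == "AssumeRole" and ident.get("type") == "AssumedRole":
                findings.append(("role_chaining", caller, root_key(caller, parent)))
        elif src == IAM and name in MINT_LONG:
            new_key = resp.get("accessKey", {}).get("accessKeyId")
            if new_key:
                parent[new_key] = caller
            findings.append(("long_term_credential_created", name, root_key(caller, parent)))
    return findings, parent

def keys_to_revoke(root, parent):
    """Every credential descended from root (short-term and long-term)."""
    return sorted(k for k in parent if root_key(k, parent) == root)

def _ev(t, src, name, id_type, key, field=None, issued=None):
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "userIdentity": {"type": id_type, "accessKeyId": key},
            "responseElements": {field: {"accessKeyId": issued}} if field else None}

AKIA1, AKIA2 = "AKIAEXAMPLE0000000001", "AKIAEXAMPLE0000000002"
ASIA_A, ASIA_B = "ASIAEXAMPLE000000000A", "ASIAEXAMPLE000000000B"
SAMPLE = [  # constructed records: AKIA1 -> ASIA_A -> ASIA_B -> new IAM user with AKIA2
    _ev("2024-01-01T10:00:00Z", STS, "AssumeRole", "IAMUser", AKIA1, "credentials", ASIA_A),
    _ev("2024-01-01T10:05:00Z", STS, "AssumeRole", "AssumedRole", ASIA_A, "credentials", ASIA_B),
    _ev("2024-01-01T10:06:00Z", IAM, "CreateUser", "AssumedRole", ASIA_B),
    _ev("2024-01-01T10:07:00Z", IAM, "CreateAccessKey", "AssumedRole", ASIA_B, "accessKey", AKIA2),
]
```

Flagging every `CreateUser` and `CreateAccessKey` call is deliberately broad; in practice the findings would be filtered against known provisioning roles.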