Cloud Security, Identity, Vulnerability Management

Threat actors find way to abuse the AWS Elastic IP Transfer feature

Attendees walk through an expo hall during AWS re:Invent 2022.
Attendees walk through an expo hall during AWS re:Invent 2022 on Nov. 29, 2022, in Las Vegas. (Photo by Noah Berger/Getty Images for Amazon Web Services)

Researchers on Tuesday identified a new potential attack vector in which by exploiting the AWS Elastic IP Transfer (EIP) feature, threat actors with existing controls over an AWS account can compromise an IP address then launch credential theft and phishing attacks.

In a blog post, Mitiga Threat Researchers explained that this was a new vector for post-initial-compromise attack that does not yet appear in the MITRE ATT&CK framework.

The Mitiga researchers said they had notified the AWS security team about its findings before posting the Dec. 20 blog and incorporated feedback from AWS into the piece, which included a full explanation of how to use the new EIP feature and how to report abuse.

This is a classic example of abusing a feature for unintended purposes, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said AWS was trying to make it easier for organizations to move IP addresses around for legitimate reasons, so naturally threat actors found a way to abuse it.

“The technique requires the threat actor to already have access to the victim’s space, which mitigates the risk somewhat,” Parkin explained. “However, if they can get addresses under their control, they can use them to bypass various IP based defenses and that’s the deeper issue. Using just an IP address is not really a reliable way to provide security. Fortunately, there are ways to mitigate the risk using tools built into AWS.”

John Bambenek, principal threat hunter at Netenrich, added that the most immediate risk is for resources that are currently running and have existing DNS records associated with them. As those are two different systems, Bambenek said changing ownership on an IP won’t automatically make a change in DNS.

“Therefore, a similar attack to domain hijacking is possible,” Bambenek said. “People simply trust when they go to www.domain.com that they are going where they intend. But if attackers takeover the IP, they can do any number of brand management attacks, such as credential theft or phishing, with ease and most existing security tools would not flag it as a problem.” 

Related

LockBit-leaked DC city agency data from third party

Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.