Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors

Presented at CircleCityCon 10.0 (2023), June 24, 2023, 11 a.m. (60 minutes)

Mandiant (now part of Google Cloud) has identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials. This presentation covers how the threat actors performed the exploitation and IMDS abuse, as well as security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. Then we will show how, by applying the remediation techniques covered in the presentation, the organization can block such credential harvesting via the instance metadata service.

Presenters:
