Presented at DEF CON 32 (2024), Aug. 9, 2024, 2:30 p.m. (45 minutes).
The cloud seems complex, but it's what happens behind the scenes that really complicates things. Some services use other services as resources as part of their own logic and operation. Interestingly enough, it turns out that this could lead to catastrophic results if done unsafely.
This talk will present six critical vulnerabilities that we found in AWS, along with the stories and methodologies behind them. These vulnerabilities, which were all promptly acknowledged and fixed by AWS, could allow external attackers to breach almost any AWS account. The vulnerabilities range from remote code execution, which could lead to full account takeover, to information disclosure that could expose sensitive data, and denial of service. The session will share our story of discovery, how we were able to identify commonalities among the vulnerabilities, and how we developed a method to uncover more vulnerabilities and enhance the impact by using common techniques leading to privilege escalation. We will then detail our approach for mapping service external resources and release our open-source tool to research service internal API calls. We will also present a method to check if accounts have been vulnerable to this vector in the past.
We will conclude our talk with the lessons learned during this research and our future line of research. We will highlight new areas that cloud researchers need to explore when hunting for cloud vulnerabilities and highlight best practices for developers to use in complex environments.
- [link](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/)
- [link](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection)
- [link](https://docs.aws.amazon.com/)
Presenters:
- Yakir Kadkoda - Lead Security Researcher, Team Nautilus at Aqua
  Yakir Kadkoda is a Lead Security Researcher at Aqua's research team, Team Nautilus. He combines his expertise in vulnerability research with a focus on discovering and analyzing new security threats and attack vectors in cloud native environments, supply chain security, and CI/CD processes. Prior to joining Aqua, Yakir worked as a red teamer. Yakir has shared his cybersecurity insights at major industry events like Black Hat and RSA.
- Ofek Itach - Senior Security Researcher at Aqua
  Ofek Itach is a Senior Security Researcher at Aqua, specializing in cloud research. His work centers on identifying and analyzing attack vectors in cloud environments, enhancing security measures for cloud platforms and cloud environments.
- Michael Katchinskiy
  Michael Katchinskiy is a Security Researcher and a Computer Science student at the Technion. His work focuses on researching and analyzing new attack vectors in cloud-native environments, specializing in Kubernetes and integrating CNAPP data to detect and prevent attacks.