Privilege Escalation via EC2 – Attack & Investigation Series
This video is the first in our Cloud Threat Hunting: Attack & Investigation Series. It provides a step-by-step analysis of a privilege escalation attack via EC2. It then illustrates how to investigate this type of attack using the CloudGuard Intelligence & Threat Hunting solution.
For more information, visit: https://www.checkpoint.com/products/cloud-intelligence-threat-hunting/
Transcript:
This attack begins with a brute force attempt from the AWS console. The attacker tries different passwords for the EC2LowPriv IAM user name and in the end they are successful and log in as a low-privilege user with no programmatic access or IAM...only console access.
The attacker goes to EC2 and then goes to AMI, which stands for Amazon Machine Image - this is a master image for the creation of EC2 instances. They look at RDSConnect because, based on the name, this AMI is related to a database, so they choose to launch this one.
Now the attacker wants to be quiet about this action so they won’t create a new key pair to launch this instance. Instead they will use User Data and will insert a payload into the User Data. When you launch an instance in AWS EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts.
So the attacker uploads the file “shell.txt” that contains the payload, so that when this EC2 instance is running it will run the payload they just inserted into the User Data. This will create a reverse shell to the attacker’s machine, where they will set up a listener. So you see they chose to launch without a key pair and have now launched the instance.
Now the attacker is setting up a listener on their own machine that will be listening on port 4444 and waiting until…the EC2 instance opens a connection to this listener machine. At this point the attacker has a reverse shell to the EC2 instance. The whoami command shows they have root privileges.
Now remember the AMI had “RDS-Connect” in the name - so the machine has access to a database.
AWS recommends database login info be put in a file called dbinfo.inc. This is what the attacker looks for first. When they find it and cat the file, you can see all of the credentials needed to access the database. The command mysqldump dumps the entire database contents to the attacker’s local Kali machine.
The attacker connects to the database and logs in with the credentials they stole from the dbinfo file.
The attacker then does a grep for admin, and you can see there are more credentials they stole from this database. There are admin, dev, and more. So the attacker was successful in their attack – they managed to get sensitive content from the database that they can use in further attacks.
First of all we have an informational alert for Successful login without MFA.
And then we look at an alert for Console Login from a new geolocation. If we inspect this and go to the logs, we can see that the login was from France.
The next alert is Suspicious EC2 launch without keypair. This is a known technique for attackers to get a reverse shell on EC2 instances. And if an attacker does this, they are able to escalate privileges, as shown in the attack segment where they started without access to the database and then gained the credentials to do so. And here we see that the RunInstances call was actually made.
The last alert we will go over here is Anomaly Detection of anomalous network traffic. This uses machine learning capabilities to build a baseline of normal behaviors and alerts on any deviation from this baseline. When I inspect it I see the database communicating with the instance the attacker spun up. If I isolate the node and go into the logs, we can clearly see the outward communication that was the exfiltration. 10.0.0.49 was the IP of the reverse shell, and under Bytes you see the amount of data that was actually exfiltrated.
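The login and EC2 launch alerts walked through above are all driven by CloudTrail records, and the core checks can be reproduced in a few lines. The script below is an added example written for this page; it is not CloudGuard code and was not taken from the video. Its input is a set of constructed CloudTrail-style records whose field layout follows the ConsoleLogin and RunInstances event formats (MFAUsed under additionalEventData, keyName under requestParameters.instancesSet.items). The per-user source-IP baseline is an assumption that stands in for the product's geolocation baseline, the failure threshold is a chosen constant, and the user-data value is only tested for presence because CloudTrail may not preserve its contents.

```python
"""Triage of CloudTrail records for the alert types discussed above (added example)."""
import json
from collections import Counter

FAIL_THRESHOLD = 5  # failed console logins per (user, source IP) before an alert fires
# Constructed per-user baseline of previously seen source IPs (assumption). It stands in
# for the geolocation baseline the tool builds; the IPs are documentation-range placeholders.
KNOWN_SOURCE_IPS = {"EC2LowPriv": {"198.51.100.7"}, "ops-admin": {"198.51.100.7"}}


def _console_login(user, outcome, mfa, ip, when):
    # Constructed CloudTrail-style ConsoleLogin record (only the fields used below).
    return {"eventName": "ConsoleLogin", "eventTime": when, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}


def _run_instances(user, image_id, key_name, user_data, ip, when):
    # Constructed RunInstances record; keyName sits inside instancesSet.items.
    item = {"imageId": image_id}
    if key_name:
        item["keyName"] = key_name
    params = {"instancesSet": {"items": [item]}, "instanceType": "t3.micro"}
    if user_data:
        params["userData"] = user_data
    return {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
            "eventTime": when, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params}


# Constructed sample trail: a password-guessing burst and MFA-less login for EC2LowPriv
# from an unseen IP, a benign admin login, then two launches (one without a key pair).
SAMPLE_EVENTS = (
    [_console_login("EC2LowPriv", "Failure", "No", "203.0.113.10", f"2021-03-01T09:00:{i:02d}Z")
     for i in range(FAIL_THRESHOLD)]
    + [_console_login("EC2LowPriv", "Success", "No", "203.0.113.10", "2021-03-01T09:00:09Z"),
       _console_login("ops-admin", "Success", "Yes", "198.51.100.7", "2021-03-01T09:05:00Z"),
       _run_instances("EC2LowPriv", "ami-0000EXAMPLE", None, "PLACEHOLDER-USER-DATA",
                      "203.0.113.10", "2021-03-01T09:12:00Z"),
       _run_instances("ops-admin", "ami-0000EXAMPLE", "ops-keypair", None,
                      "198.51.100.7", "2021-03-01T09:20:00Z")]
)


def _user(ev):
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


def detect_console_login(events):
    """Brute-force bursts, success without MFA, and success from an unseen source IP."""
    findings = []
    failures = Counter()  # production code would also bound this by a time window
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        user, ip = _user(ev), ev.get("sourceIPAddress")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == FAIL_THRESHOLD:  # alert once per burst
                findings.append({"rule": "brute_force_console_login", "user": user,
                                 "detail": f"{FAIL_THRESHOLD} failures from {ip}"})
        elif outcome == "Success":
            if ev.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append({"rule": "login_without_mfa", "user": user, "detail": f"from {ip}"})
            if ip not in KNOWN_SOURCE_IPS.get(user, set()):
                findings.append({"rule": "login_from_new_source_ip", "user": user, "detail": ip})
    return findings


def detect_run_instances(events):
    """RunInstances with no key pair on any instance; records whether user data was supplied."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        params = ev.get("requestParameters", {})
        items = params.get("instancesSet", {}).get("items", [])
        if items and any(not item.get("keyName") for item in items):
            # Only presence is checked: the trail may not carry the user-data contents.
            state = "present" if "userData" in params else "absent"
            findings.append({"rule": "ec2_launch_without_keypair", "user": _user(ev),
                             "detail": f"image={items[0].get('imageId')} userData={state}"})
    return findings


def triage(events):
    """Run every rule over the records and return the findings in trail order."""
    return detect_console_login(events) + detect_run_instances(events)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run over the constructed trail, the script raises one finding per alert the video shows for EC2LowPriv and nothing for the admin's key-pair launch with MFA. The key-pair check deliberately fires on its own and only annotates the user-data state, so a legitimate key-less launch is still surfaced for review rather than suppressed.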
To learn more about Check Point CloudGuard Intelligence and Threat Hunting, visit the link below.
https://www.checkpoint.com/products/cloud-intelligence-threat-hunting/