Short Summary:
AWS has expanded its AWSCompromisedKeyQuarantine policies to include new actions aimed at preventing the misuse of compromised access keys. This proactive measure is designed to restrict certain actions that have been abused by attackers, particularly in light of recent threat reports. The changes, which include the addition of approximately 29 new restricted actions, highlight AWS’s ongoing efforts to enhance security and protect user credentials.
Key Points:
- AWS expanded AWSCompromisedKeyQuarantine policies to include new restricted actions.
- The policy aims to lock down access keys suspected of being compromised.
- Changes were monitored by the MAMIP project, which identified 29 new restricted actions.
- Recent threats like LLMjacking and AMBERSQUID have influenced these policy updates.
- Attackers have abused lesser-known AWS services for cryptomining and other malicious activities.
- Restrictions apply only to access keys identified as compromised; monitoring is still essential.
MITRE ATT&CK TTPs – created by AI
- Credential Dumping (T1003)
- Attackers may use compromised credentials to access AWS services.
- Exploitation of Remote Services (T1210)
- Attackers exploit AWS services like ECS and SES for malicious purposes.
- Resource Hijacking (T1496)
- Cryptomining operations using compromised AWS services.
Recently, AWS expanded the scope of their AWSCompromisedKeyQuarantine policies (v2 and v3) to include new actions. This policy is used by AWS to lock down access keys that they suspect have been compromised. A common example of this process in action is when AWS automatically applies the quarantine policy to any keys found by scanning public GitHub repositories.
This proactive protection mechanism can stop compromises before they happen. However, only a limited set of actions are restricted by the policy. The MAMIP project continuously monitors AWS managed policies, such as AWSCompromisedKeyQuarantine, for changes. On October 2nd, 2024, it picked up changes to the policy that added ~29 new actions that would be restricted.
MAMPI repository
Looking at the list of actions that were added, it is clear AWS has been monitoring the actions that threats are abusing when they compromise credentials. Let’s take a look at some specific examples to understand why they were added to the list.
The advent of LLMjacking was reported by Sysdig earlier this year and involves the abuse of hosted LLMs for a number of purposes. This attack vector can get very expensive for the victim as models like Anthropic’s Claude are not cheap. In the policy changes we can see five AWS Bedrock calls have now been restricted. These actions were all shown to be used by the attackers in the threat reports above.
AMBERSQUID was an operation detected by the Sysdig TRT in September 2023, which leveraged lesser known AWS services to conduct cryptomining. Specifically, the attacker used the Amplify, CodeBuild, Sagemaker, and ECS services during the operation. The AMBERSQUID attackers used stolen credentials to very quickly launch miners using all of these services. Since they are lesser known and may not provide the same potential visibility of services like EC2, they are a tempting target due to lack of detections. With the changes to the policy, many of these actions will no longer be possible if an access key has the quarantine policy attached.
Earlier this year, Datadog reported on ECS-based attacks that showed compromised credentials were used to create Fargate clusters in order to run cryptominers. The attackers used randomized names and spread their activity across many different regions. This approach allowed them to scale their operations to make as much money as possible before being shut off.
Another attack reported by Datadog this year covers how attackers abuse the Simple Email Service (SES) to send spam and phishing messages. This is yet another way compromised credentials are used to make money or further an attacker’s goals. Both the ECS and SES actions have now been addressed in the policy changes.
It is important to remember that, while these are important steps taken by AWS, these protections are only applied to access keys that they suspect have been compromised. If the AWSCompromisedKeyQuarantine has not been applied to the key, none of the restrictions will apply. Protecting your organizations credentials and monitoring them for signs of abuse is still critical.
The post AWS Launches Improvements for Key Quarantine Policy appeared first on Sysdig.