Identify the AWS Account ID from a Public S3 Bucket

A global logistics company sought cybersecurity assistance to identify its AWS account ID via a public S3 bucket. The engagement began with enumeration using existing tools and techniques, and it highlighted the potential risks of exposing AWS account IDs. It emphasizes the importance of monitoring AWS resources for security vulnerabilities.

Affected: AWS, cybersecurity sector, global logistics companies

Key points:

  • A logistics company requested cybersecurity help to find their AWS account ID.
  • Tools and techniques assist in identifying AWS account IDs through public S3 buckets.
  • Threat actors can exploit AWS error messages to gather information on IAM roles and users.
  • Open ports were detected during network scanning, indicating potential vulnerabilities.
  • Service information revealed Apache HTTP server and ISC BIND running on the target system.
  • A specific methodology was outlined for brute-forcing an AWS account ID effectively.
  • Tools such as s3-account-search facilitated identifying the account ID linked to an S3 bucket.
  • Publicly exposed AWS resources pose risks to the account owner if not monitored.
  • Enabling S3 data events can provide better monitoring for access attempts and activities.
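
The last key point, as an added example that is not from the original write-up: a small triage script over CloudTrail S3 data events that flags principals outside the bucket owner's account whose requests to one bucket mix denials and successes. The account IDs, bucket name, ARNs and threshold are constructed placeholders, and the mixed-outcome heuristic assumes the trail records both allowed and `AccessDenied` requests from the external principal.

```python
import json
from collections import defaultdict

OWNER_ACCOUNT = "111111111111"  # constructed placeholder for the bucket owner's account ID
MIN_REQUESTS = 5                # assumed threshold; tune to normal traffic for the bucket

def _event(account, arn, name, error=None, bucket="example-public-bucket"):
    """Build one constructed CloudTrail S3 data event (sample input only)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "recipientAccountId": OWNER_ACCOUNT,
           "userIdentity": {"accountId": account, "arn": arn},
           "requestParameters": {"bucketName": bucket}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample trail: one external role probing, normal owner traffic, one light reader.
SAMPLE = {"Records":
    [_event("222222222222", "arn:aws:sts::222222222222:assumed-role/probe/s", "GetObject",
            None if i % 3 == 0 else "AccessDenied") for i in range(9)]
    + [_event(OWNER_ACCOUNT, f"arn:aws:iam::{OWNER_ACCOUNT}:user/app", "GetObject") for _ in range(20)]
    + [_event("333333333333", "arn:aws:iam::333333333333:user/reader", "GetObject") for _ in range(2)]}

def find_probing_principals(trail, owner=OWNER_ACCOUNT, min_requests=MIN_REQUESTS):
    """Return external principals whose requests to one bucket mix denials and successes."""
    stats = defaultdict(lambda: {"denied": 0, "allowed": 0})
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("accountId") == owner:
            continue  # same-account traffic is out of scope for this heuristic
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        key = (ident.get("arn") or ident.get("accountId") or "unknown", bucket)
        outcome = "denied" if rec.get("errorCode") == "AccessDenied" else "allowed"
        stats[key][outcome] += 1
    findings = []
    for (principal, bucket), s in stats.items():
        total = s["denied"] + s["allowed"]
        # Flag only sustained activity that saw both outcomes on the same bucket.
        if total >= min_requests and s["denied"] and s["allowed"]:
            findings.append({"principal": principal, "bucket": bucket, **s})
    return sorted(findings, key=lambda f: -f["denied"])

if __name__ == "__main__":
    print(json.dumps(find_probing_principals(SAMPLE), indent=2))
```
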

MITRE Techniques:

  • Enumeration (T1069): Identifying AWS Account IDs through public S3 bucket listings.
  • Credential Dumping (T1003): Finding IAM roles and users using error messages from AWS when incorrect usernames or roles are inputted.
  • Network Service Scanning (T1046): Using Nmap to discover open ports and services running on the target.

Indicators of Compromise:

  • [IP Address] 54.204.171.32
  • [Domain] mega-big-tech.s3.amazonaws.com
  • [SHA-1] 3ad5c014c01ffeb0743182379d2cd80d
  • [SHA-256] f5435f26a11fac38006d8fe32ed75045

Full Story: https://infosecwriteups.com/identify-the-aws-account-id-from-a-public-s3-bucket-68e07f5ba44f?source=rss----7b722bfd1b8d---4