AWS experts have discovered a completely new attack vector

Mitiga, a cloud incident response company, says it has found a new attack vector that might affect customers of Amazon Web Services (AWS).

The company reported that a new Amazon Virtual Private Cloud (VPC) feature, “Elastic IP transfer”, which moves Elastic IP addresses (EIPs) between accounts, could be used by threat actors to take over IP addresses and, in turn, reach the target’s endpoints.

The Elastic IP transfer capability lets customers move Elastic IP addresses from one AWS account to another, which simplifies relocating them during an AWS account restructure. However, as is common with new products, this one came with a security hole that could be abused.

Invisible dangers

Organizations “may be unaware of the possibility” of this “new channel for the post-initial-compromise attack,” as Mitiga put it, because it “does not yet exist in the MITRE ATT&CK Framework.”

The company added that the vulnerability “may widen the blast radius of an attack and allow additional access to systems depending on IP allowlisting as the primary form of authentication or validation.”

Since Elastic IP was “never considered a resource you should defend against exfiltration,” the business claims, “hijacking an EIP isn’t even represented in the MITRE ATT&CK knowledge base as a tactic at all.” This means it’s possible the victims won’t even realise they’re being attacked.

Mitiga illustrated how a threat actor could exploit the weakness: once in control of the transferred IP address, they could attach it to an EC2 instance in an AWS account they control and use it to reach the victim’s endpoints. A firewall would not help either, since its rules would permit connections from the stolen IP address. The company warned that this could also let cybercriminals run phishing campaigns from a trusted address.

Users of Amazon Web Services (AWS) are urged to treat their EIP resources with the same care they would any other AWS asset: “Use the principle of least privilege on your AWS accounts and even block the ability to transfer EIP completely if you don’t need it,” the blog states.
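The two mitigations Mitiga recommends, blocking the transfer feature outright and keeping an eye on EIP resources, as an added example that is not part of the article or of Mitiga’s material. It assumes the EC2 API action names `EnableAddressTransfer` and `AcceptAddressTransfer` (as published in the EC2 API reference) and the `requestParameters` field names CloudTrail writes for them; the sample records are constructed, not real CloudTrail output.

```python
import json

# EC2 API actions behind the Elastic IP transfer feature. Assumption: names as in
# the EC2 API reference; confirm them against your own account's CloudTrail.
TRANSFER_ACTIONS = ("ec2:EnableAddressTransfer", "ec2:AcceptAddressTransfer")
TRANSFER_EVENTS = {"EnableAddressTransfer", "AcceptAddressTransfer"}

def deny_eip_transfer_policy():
    """SCP or identity policy that blocks EIP transfer outright, the
    'block the ability to transfer EIP completely' option from the article."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyElasticIpTransfer", "Effect": "Deny",
        "Action": list(TRANSFER_ACTIONS), "Resource": "*"}]}

def flag_eip_transfers(records, trusted_accounts):
    """One alert per CloudTrail record that hands an EIP to an account outside
    `trusted_accounts`, or that accepts an inbound transfer. Assumes CloudTrail
    writes requestParameters.transferAccountId for EnableAddressTransfer."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        if name not in TRANSFER_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        peer = params.get("transferAccountId")
        if name == "EnableAddressTransfer" and peer in trusted_accounts:
            continue  # planned move to an account you own
        alerts.append({"time": rec.get("eventTime"), "event": name,
                       "actor": (rec.get("userIdentity") or {}).get("arn"),
                       "allocation_id": params.get("allocationId"),
                       "transfer_account": peer})
    return alerts

# Constructed sample records (not real CloudTrail output), cut to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2022-11-01T10:00:00Z", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"},
     "requestParameters": {"allocationId": "eipalloc-0aaa", "transferAccountId": "111111111111"}},
    {"eventTime": "2022-11-01T10:05:00Z", "eventName": "EnableAddressTransfer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ci"},
     "requestParameters": {"allocationId": "eipalloc-0bbb", "transferAccountId": "999999999999"}},
    {"eventTime": "2022-11-01T10:06:00Z", "eventName": "DescribeAddresses",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"}, "requestParameters": {}},
]

if __name__ == "__main__":
    print(json.dumps(deny_eip_transfer_policy(), indent=2))
    for alert in flag_eip_transfers(SAMPLE_EVENTS, trusted_accounts={"111111111111"}):
        print("ALERT", json.dumps(alert))
```

Attach the deny policy as an SCP at the organization root if no account legitimately transfers EIPs; where some do, keep the transfer actions but run the detection over the CloudTrail stream with the owned account IDs as the trusted set.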