Full Report
Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they checked SES sending quotas and enumerated cloud identities. The threat actor proceeded to create a new admin user. The above was quick and theref...
Analysis Summary
# Incident Report: Compromised AWS IAM Key Leading to Privilege Escalation and Data Exfiltration
## Executive Summary
An attacker gained initial access to an AWS environment using a compromised IAM user access key. The threat actor rapidly escalated privileges by creating a new administrative user, enumerated cloud resources, and ultimately executed data exfiltration from S3 buckets and attempted to establish further access via SSH propagation from EC2 instances. The incident suggests automated initial activity followed by manual post-exploitation.
## Incident Details
- Discovery Date: Not explicitly stated (the activity was observed by Datadog)
- Incident Date: Prior to January 19, 2024 (Publication date)
- Affected Organization: Undisclosed (Observed by Datadog)
- Sector: General Cloud Infrastructure (Based on AWS context)
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Rapid sequence post-compromise (Likely automated)
- Vector: Compromised IAM user access key.
- Details: Attacker leveraged the exposed key to gain authenticated access.
### Lateral Movement
- Date/Time: Following initial access
- Vector: Enumeration, Privilege Escalation, and direct SSH attempts.
- Details: The attacker checked SES sending quotas and enumerated cloud identities. They then manually enumerated VMs and attempted to use EC2 Instance Connect (EC2IC) to reach instances, indicating a probable path towards SSH-based persistence/access.
### Data Exfiltration/Impact
- Date/Time: Post-enumeration
- Vector: Direct interaction with cloud storage.
- Details: Data was downloaded from S3 buckets. The actor also attempted to spin up new VMs (resource abuse).
### Detection & Response
- Date/Time: Not explicitly stated
- Vector: Observation by Datadog security monitoring.
- Details: Response actions are not fully detailed in the source, but the sequence of events was observed. (The Response Actions section below covers inferred/standard steps.)
## Attack Methodology
- Initial Access: Compromised IAM User Access Key (Credential compromise).
- Persistence: Not explicitly detailed, but creation of a new admin user suggests establishing primary persistence and redundancy.
- Privilege Escalation: Creation of a new administrative user.
- Defense Evasion: Not specified; the speed of the initial actions suggests they were designed to complete before standard security alerts could be acted on.
- Credential Access: Exploiting existing, exposed credentials (the IAM access key).
- Discovery: Checking SES sending quotas, enumerating cloud identities, manual enumeration of VMs and resources.
- Lateral Movement: Attempted use of EC2 Instance Connect (SSH propagation vector).
- Collection: Downloading data from S3 buckets.
- Exfiltration: Data exfiltration from cloud storage (S3).
- Impact: Data loss (S3 data) and potential resource abuse (spinning up new VMs).
## Impact Assessment
- Financial: Potential costs related to compute cycle abuse (spinning up new VMs) and incident response overhead.
- Data Breach: Data exfiltrated from S3 buckets (Specific data type and volume unknown).
- Operational: Potential disruption due to new admin creation and resource modification/spin-up.
- Reputational: Dependent on the nature of the exfiltrated data.
## Indicators of Compromise
- Behavioral indicators: Rapid checking of SES configuration post-authentication, immediate creation of a new IAM admin user, enumeration of EC2 instances, attempts to use EC2 Instance Connect.
- Network indicators: S3 object downloads (GetObject calls) authenticated with the compromised credentials, originating from infrastructure outside the organization's normal access paths.
- File indicators: N/A (Cloud API focused)
## Response Actions
- Containment measures: (Inferred) Disabling or restricting the initially compromised IAM user access key(s).
- Eradication steps: (Inferred) Identification and immediate removal of the newly created admin user(s). Secure configuration audit on all S3 buckets.
- Recovery actions: (Inferred) Rotation of all credentials, especially IAM keys belonging to users that might have had similar exposure paths. Reviewing security logging configuration.
## Lessons Learned
- Over-reliance on static, long-lived access keys is a significant risk when they are exposed.
- Attackers automate initial privilege escalation (creating a new admin user) to secure their position quickly.
- Discovery activities (Enumerating identities and resources) are performed rapidly after gaining a foothold.
## Recommendations
- Implement strong Multi-Factor Authentication (MFA) enforcement for all IAM users, especially those with elevated privileges.
- Review and enforce the principle of least privilege for all IAM users and roles; scrutinize access keys for high-privilege users.
- Implement AWS-focused detection rules or similar tooling to alert immediately on suspicious activity such as the creation of new administrative users or mass enumeration actions.
- Strive to use short-lived access credentials (e.g., IAM Roles accessed via STS) instead of long-term access keys where possible.