About
An attacker can modify security group rules to authorize new inbound traffic. This typically allows them to maintain access to your infrastructure, for instance by reaching an instance over SSH or RDP from the internet after their initial foothold is lost.
Understanding Impact
Business Impact
Compute resources in AWS are protected by security groups. When an attacker authorizes new ingress traffic on a security group, every resource attached to that group becomes reachable from the authorized source range (the whole internet when the range is 0.0.0.0/0 or ::/0), which lets the attacker remain in your environment.
Technical Impact
Note that removing a malicious ingress security group rule does not block connections that are already established: security group rule changes apply to new flows, and existing tracked connections continue until they are closed (see Connection tracking). Terminating or restarting the affected sessions is part of remediation, not just reverting the rule.
Detection
You can identify when a security group ingress rule is created using the CloudTrail event AuthorizeSecurityGroupIngress. In particular:
- requestParameters.cidrIp contains the newly authorized source IP range (for instance, 0.0.0.0/0).
- requestParameters.fromPort and requestParameters.toPort contain the newly opened port or port range.
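The detection logic above, run over a few constructed CloudTrail records, as an added example that is not part of the original page or of Datadog's detection rule. It flags AuthorizeSecurityGroupIngress events whose source range is 0.0.0.0/0 or ::/0, and it handles both the flat requestParameters shape described above (cidrIp, fromPort, toPort) and the nested ipPermissions.items shape written by current AWS SDKs and the CLI; the sample records, account ID and security group ID are constructed for illustration.

```python
"""Flag AuthorizeSecurityGroupIngress CloudTrail events that open a port to the world."""
import ipaddress

# Constructed sample CloudTrail records (not real events). Both the flat
# requestParameters shape (cidrIp/fromPort/toPort) and the nested
# ipPermissions shape written by current AWS SDKs and the CLI are included.
SAMPLE_RECORDS = [
    {   # SSH opened to 0.0.0.0/0 via the flat request shape
        "eventTime": "2024-01-05T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipProtocol": "tcp",
                              "fromPort": 22, "toPort": 22, "cidrIp": "0.0.0.0/0"},
    },
    {   # nested shape: one benign internal range plus RDP open to all of IPv6
        "eventTime": "2024-01-05T10:16:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
                {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            ]},
        },
    },
    {   # the call was denied, so no rule was actually created
        "eventTime": "2024-01-05T10:17:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipProtocol": "-1",
                              "cidrIp": "0.0.0.0/0"},
    },
    {   # unrelated read-only event, ignored
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
        "requestParameters": {},
    },
]


def iter_ingress_rules(params):
    """Yield (cidr, protocol, from_port, to_port) for every rule in the request."""
    if "cidrIp" in params:  # flat shape: a single rule per call
        yield (params["cidrIp"], params.get("ipProtocol"),
               params.get("fromPort"), params.get("toPort"))
    for perm in params.get("ipPermissions", {}).get("items", []):  # nested shape
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        for r in perm.get("ipRanges", {}).get("items", []):
            yield (r["cidrIp"], proto, lo, hi)
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield (r["cidrIpv6"], proto, lo, hi)


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_label(proto, lo, hi):
    """Human-readable port range; protocol -1 means all protocols and all ports."""
    if proto == "-1" or lo is None:
        return "all"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_world_open_ingress(records):
    """Return one finding per successfully authorized rule open to the whole internet."""
    findings = []
    for ev in records:
        if (ev.get("eventSource") != "ec2.amazonaws.com"
                or ev.get("eventName") != "AuthorizeSecurityGroupIngress"):
            continue
        if ev.get("errorCode"):  # failed API call: nothing was opened
            continue
        params = ev.get("requestParameters") or {}
        for cidr, proto, lo, hi in iter_ingress_rules(params):
            if is_world_open(cidr):
                findings.append({
                    "eventTime": ev.get("eventTime"),
                    "groupId": params.get("groupId"),
                    "principal": ev.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": ev.get("sourceIPAddress"),
                    "cidr": cidr,
                    "ports": f"{proto}/{port_label(proto, lo, hi)}",
                })
    return findings


if __name__ == "__main__":
    for finding in find_world_open_ingress(SAMPLE_RECORDS):
        print(finding)
```

Skipping records that carry an errorCode matters in practice: a denied AuthorizeSecurityGroupIngress call is still worth alerting on as reconnaissance, but it did not open anything, so it belongs in a different rule than "security group open to the world". The Stratus Red Team detonation below produces a successful event of the first shape, which is a convenient way to confirm the rule fires end to end.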
Reproduce the attack
You can reproduce this attack in a self-contained manner with Stratus Red Team using the following command, which creates a security group and authorizes ingress on port 22 from 0.0.0.0/0:
stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Security group open to the world".
References
Stratus Red Team - Open Ingress Port 22 on a Security Group (stratus-red-team.cloud)
Finding evil in AWS (expel.com)
Attacker tactics reported by Jon Hencinski (Expel) (twitter.com)