AWS - S3 Post Exploitation
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
S3
For more information check:
AWS - S3, Athena & Glacier Enum
Sensitive Information
Sometimes you will be able to find readable sensitive information in buckets. For example, terraform state secrets.
Pivoting
Different platforms may use S3 to store sensitive assets.
For example, airflow may store DAG code there, or web pages may be served directly from S3. An attacker with write permissions could modify the code in the bucket to pivot to other platforms, or take over accounts by modifying JS files.
S3 Ransomware
In this scenario, the attacker creates a KMS (Key Management Service) key in their own AWS account or another compromised account. They then make this key accessible to anyone in the world, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted.
The attacker identifies a target S3 bucket and gains write-level access to it using various methods. This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more.
To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying whether S3 Object Versioning is enabled and whether multi-factor authentication delete (MFA delete) is enabled. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can disable Object Versioning. If both Object Versioning and MFA delete are enabled, it becomes much harder for the attacker to ransom that specific bucket.
Using the AWS API, the attacker replaces each object in the bucket with an encrypted copy using their KMS key. This effectively encrypts the data in the bucket, making it inaccessible without the key.
To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost.
Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack.
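To assess a bucket's exposure to this scenario and to detect the encrypt-overwrite step in CloudTrail, here is an added example (not from the original page). The account ids, bucket name, key ARN and the exact CloudTrail field layout are assumptions.

```python
"""Added example (not from the original page): defender-side checks for the
S3 ransomware scenario above. Both functions are pure, so they run offline:
one grades a bucket from its GetBucketVersioning response, the other flags
CloudTrail PutObject/CopyObject records that encrypt with a KMS key owned by
another account. Account ids, bucket names and key ARNs are constructed."""

OWN_ACCOUNT = "111111111111"  # constructed: the account that owns the bucket

def ransomware_exposure(versioning: dict, object_lock: bool = False) -> str:
    """Grade exposure from the GetBucketVersioning output the attacker checks."""
    if object_lock:
        return "low"      # locked versions cannot be overwritten or deleted
    if versioning.get("Status") != "Enabled":
        return "high"     # no versions: the encrypted overwrite is final
    if versioning.get("MFADelete") != "Enabled":
        return "medium"   # versioning can simply be suspended first
    return "low"          # versioning + MFA delete, as the text describes

def key_account(kms_key: str, own_account: str = OWN_ACCOUNT) -> str:
    """Owner of a KMS key reference; a bare key id or alias is always local."""
    if ":" not in kms_key:
        return own_account
    parts = kms_key.split(":")   # arn:aws:kms:<region>:<account>:key/<id>
    return parts[4] if len(parts) > 4 else ""

def flag_foreign_kms_puts(events: list, own_account: str = OWN_ACCOUNT) -> list:
    """Return (bucket, key, kms_key) for writes encrypted with a foreign key.
    Assumes S3 data events carry the SSE-KMS header in requestParameters."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        p = ev.get("requestParameters", {})
        kms = p.get("x-amz-server-side-encryption-aws-kms-key-id", "")
        if kms and key_account(kms, own_account) != own_account:
            hits.append((p.get("bucketName"), p.get("key"), kms))
    return hits

FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/0000-constructed"
SAMPLE_EVENTS = [  # constructed CloudTrail-like records, not real log data
    {"eventName": "PutObject", "requestParameters": {
        "bucketName": "corp-backups", "key": "db/2024-01.dump",
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": FOREIGN_KEY}},
    {"eventName": "PutObject", "requestParameters": {
        "bucketName": "corp-backups", "key": "ransom-note.txt"}},
    {"eventName": "GetObject", "requestParameters": {
        "bucketName": "corp-backups", "key": "db/2024-01.dump"}},
]
```

A `medium` or `high` grade, or any hit from the CloudTrail check, is the signal to enable versioning with MFA delete (or Object Lock) and to alert on the write.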
s3:RestoreObject
An attacker with the s3:RestoreObject permission can reactivate objects archived in Glacier or Deep Archive, making them temporarily accessible. This enables recovery and exfiltration of historically archived data (backups, snapshots, logs, certifications, old secrets) that would normally be out of reach. If the attacker combines this permission with read permissions (e.g., s3:GetObject), they can obtain full copies of sensitive data.
```bash
aws s3api restore-object \
--bucket <BUCKET_NAME> \
--key <OBJECT_KEY> \
--restore-request '{
"Days": <NUMBER_OF_DAYS>,
"GlacierJobParameters": { "Tier": "Standard" }
}'
```
s3:Delete*
An attacker with the s3:Delete* permission can delete objects, versions and entire buckets, disrupting backups and causing immediate and irreversible data loss, destruction of evidence, and sabotage of backup or recovery objects.
```bash
# Delete an object from a bucket
aws s3api delete-object \
--bucket <BUCKET_NAME> \
--key <OBJECT_KEY>
# Delete a specific version
aws s3api delete-object \
--bucket <BUCKET_NAME> \
--key <OBJECT_KEY> \
--version-id <VERSION_ID>
# Delete a bucket
aws s3api delete-bucket \
--bucket <BUCKET_NAME>
```
For more information check the original research.