Hackers are increasingly targeting Amazon Web Services (AWS) Secure Token Service (STS) as a way to gain access to cloud accounts, security researchers with Red Canary warn.
AWS STS is a web service that facilitates the provision of short-term access tokens to AWS users, including those authenticated through third-party identity platforms. This feature enables users to access AWS resources securely without the need to create an AWS identity.
Hackers can steal long-term IAM (Identity and Access Management) tokens using a variety of methods, such as malware infections, accidental exposure in public repositories, or phishing emails.
Once adversaries gain access to a long-term IAM token, they need to validate that it remains active, which they can do by leveraging APIs such as GetCallerIdentity, GetUser, ListUserPolicies, ListAttachedUserPolicies, and GetPolicy.
Depending on the token's permissions, adversaries might exploit it to create additional IAM users with long-term AKIA tokens, ensuring persistence even if the initial token is discovered and revoked.
With a valid compromised IAM token, adversaries can execute API calls like sts:GetSessionToken to request the creation of short-term ASIA tokens.
This process allows them to leverage legitimate IAM users with AKIA tokens, enabling the creation of multiple new short-term tokens through APIs like sts:AssumeRole or sts:GetSessionToken.
After gaining access to IAM user accounts via AKIA tokens and backup ASIA short-term tokens, the attackers can pursue their objectives; for instance, they might exfiltrate data from an S3 bucket. The surplus of STS tokens acts as insurance, ready to be deployed if the initial IAM user token and subsequent ASIA tokens are revoked.
“One added benefit of abusing short-term tokens is that it helps conceal the long-term AKIA token used to create them, particularly from organizations that aren’t collecting or monitoring the right logs from their AWS infrastructure. As such, organizations may end up playing whack-a-mole with the short-term tokens, deleting them ad hoc, and never identifying the long-term token used to create them,” the researchers noted. “By contrast, if the adversary abused the long-term token, it would be much easier to revoke their long-term IAM access, thereby preventing them from creating new short-term tokens and evicting their access.”
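The correlation the researchers say defenders are missing, tying each ASIA short-term token back to the AKIA key that minted it and spotting the validate-then-mint pattern described above, as an added example (not Red Canary's code). It runs over constructed CloudTrail-style records; the key IDs, the user name and the userIdentity/responseElements field layout are assumptions.

```python
from collections import defaultdict
# Constructed CloudTrail-style records (not real logs; key IDs are placeholders).
# Assumption: the caller's key ID is in userIdentity.accessKeyId and a minted
# short-term key ID is in responseElements.credentials.accessKeyId.
def _ev(name, source, key, minted=None):
    ev = {"eventName": name, "eventSource": source,
          "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": key}}
    if minted:
        ev["responseElements"] = {"credentials": {"accessKeyId": minted}}
    return ev
LONG_TERM = "AKIAEXAMPLE0000001"
SAMPLE_EVENTS = [
    _ev("GetCallerIdentity", "sts.amazonaws.com", LONG_TERM),         # confirm key is live
    _ev("ListAttachedUserPolicies", "iam.amazonaws.com", LONG_TERM),  # enumerate its rights
    _ev("GetSessionToken", "sts.amazonaws.com", LONG_TERM, "ASIAEXAMPLE0000AAA"),
    _ev("GetSessionToken", "sts.amazonaws.com", LONG_TERM, "ASIAEXAMPLE0000BBB"),
    _ev("ListBuckets", "s3.amazonaws.com", "ASIAEXAMPLE0000AAA"),     # action via short-term key
    _ev("GetObject", "s3.amazonaws.com", "ASIAEXAMPLE0000BBB"),
]
RECON_CALLS = {"GetCallerIdentity", "GetUser", "ListUserPolicies",
               "ListAttachedUserPolicies", "GetPolicy"}
MINTING_CALLS = {"GetSessionToken", "AssumeRole"}

def map_short_term_to_parent(events):
    """Return {minted ASIA key ID: key ID that requested it} from STS minting events."""
    parents = {}
    for ev in events:
        if ev.get("eventName") in MINTING_CALLS:
            child = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            parent = ev.get("userIdentity", {}).get("accessKeyId")
            if child and parent:
                parents[child] = parent
    return parents

def attribute_to_long_term_key(events):
    """Group event names under the key that minted the session (one hop; an unparented key is its own root)."""
    parents = map_short_term_to_parent(events)
    by_root = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        by_root[parents.get(key, key)].append(ev["eventName"])
    return dict(by_root)

def suspicious_long_term_keys(events, min_children=2):
    """Flag root keys that made recon calls and then minted >= min_children short-term keys."""
    parents = map_short_term_to_parent(events)
    children = defaultdict(set)
    for child, parent in parents.items():
        children[parent].add(child)
    recon = {ev.get("userIdentity", {}).get("accessKeyId") for ev in events if ev.get("eventName") in RECON_CALLS}
    return {k: sorted(v) for k, v in children.items() if len(v) >= min_children and k in recon}
```

Revoking the flagged AKIA key, rather than the individual ASIA keys it spawned, is what ends the access; the grouped view makes that parent key visible.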