holdingser.blogg.se

AWS U2F

I reported both emails to AWS, which can be done by forwarding them to as described here. I also submitted both of those links to VirusTotal here and here, which at the time were not detected as phishing pages by any engines. Both sites were quickly taken down somehow, although from the VirusTotal history of those IPs, they continue to be used for other phishing campaigns.

I don't normally get spam to the email address that received these, and this was the first phishing email I'd ever received to that email or that was made to look like an AWS email, so this was an interesting event. Unfortunately, I don't know how this email address was targeted. I also don't know what the goal of the attacker was. Maybe they were going to spin up EC2s to mine bitcoin, or maybe they would spin up AWS Marketplace resources, which would more directly profit, as explained by Daniel Hood in his recent article How to Embezzle Money Using Amazon AMIs. I would have liked to have created a honeypot account with SCP restrictions to mitigate the costs to myself and monitor what the attacker attempted to do, but the campaign was shut down before I was able to.

I did try logging into the phishing page with some fake credentials and found the page was set up to only allow logins with AWS root credentials, and did not ask for a 2FA code. The attacker could have easily requested a TOTP code though and quickly logged into my legitimate account with that. Using a U2F device (which is not phishable) as an MFA is in many cases preferred, but because AWS only allows a single multi-factor device associated with the root user, most companies do not set up a U2F device for their root users, for fear of the single U2F being lost or broken.

General phishing mitigations and training have been written about by others many times before, so I'll focus only on the AWS-specific mitigations. To avoid the root account being phished, I recommend denying root login access entirely via an SCP. You can set up employee access to your accounts from an Identity Provider (such as Okta), where you can ensure your users use U2F authentication. Then in your AWS accounts, you can use SCPs to protect your Identity Provider integration. As a break glass account recovery plan, you could always remove the SCP that denies your root login, but that can be managed through a two-person rule, which can mitigate phishing risks by having two sets of eyes involved. If your users are phished or their credentials are somehow compromised, GuardDuty is an effective solution for detecting unexpected logins and activities.
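As an added example (not code from the original post), here are the two SCPs described above, a deny-all for the root user and a deny on changing the SAML provider that exempts a hypothetical OrgAdmin break-glass role, together with a small simplified matcher showing which principals each policy denies. The matcher handles only the two condition operators used here, not AWS's full policy evaluation logic, and SCPs never apply to the management account's own root user.

```python
import fnmatch

# Constructed example SCPs (not the blog's own documents). OrgAdmin is a
# hypothetical break-glass role name chosen for this example.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUserActions",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        # Denies every API action to the root user of member accounts (not the management account).
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

PROTECT_IDP_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectSamlProvider",
        "Effect": "Deny",
        "Action": ["iam:CreateSAMLProvider", "iam:UpdateSAMLProvider", "iam:DeleteSAMLProvider"],
        "Resource": "*",
        # Everyone except the hypothetical OrgAdmin role is denied these actions.
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdmin"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, principal_arn):
    """Simplified check for the two operators used above, keyed on aws:PrincipalArn."""
    for operator, kv in condition.items():
        patterns = _as_list(kv.get("aws:PrincipalArn", []))
        hit = any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
        if (operator == "StringLike" and not hit) or (operator == "ArnNotLike" and hit):
            return False
    return True

def scp_denies(policy, principal_arn, action):
    """True if any Deny statement in the SCP matches this principal and action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), principal_arn):
            return True
    return False
```

Removing the root-deny statement from the attached policy is the break-glass step the post describes, so that change is the one to put behind a two-person approval.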