Cloud incident response firm Mitiga claims to have discovered a brand new attack vector that could put Amazon Web Services (AWS) users at risk of cyberattacks.
in a report (opens in new tab)the company said that a new Amazon Virtual Private Cloud (opens in new tab) (VPC) feature called “Elastic IP transfer” (EIP) could be abused by threat actors to compromise IP addresses and, consequently, reach the target’s endpoints.
Elastic IP transfer is a feature that allows users to transfer Elastic IP addresses from one AWS account to another, a feature that makes moving Elastic IP addresses during AWS account restructuring simpler and easier. But as it’s often the case with new offerings, this one came with an abusable flaw.
Threats under the radar
“This is a new vector for post-initial-compromise attack, which was not previously possible (and does not yet appear in the MITER ATT&CK Framework), which organizations may not be aware of its possibility,” Mitiga said in its announcement.
Furthermore, the company said the flaw “can expand the blast radius of an attack and allow further access to systems relying on IP allowlisting as their primary form of authentication or validation”.
The company argues the attack vector is brand new and unique as Elastic IP was “never considered a resource you should protect from exfiltration”, claiming that hijacking an EIP isn’t even shown in the MITER ATT&CK knowledge base as a technique at all.” This means the victims could be completely unaware of the attack taking place, at all.
In an example of what the flaw could be used for, Mitiga explained how a threat actor could attach the stolen IP address to an EC2 instance in an AWS account in their possession, and use it to reach their endpoints. Even a firewall wouldn’t be of much help as it would have a rule allowing connections from the stolen IP address. Consequently, they could use it to launch phishing attacks, the company said.
To stay safe, AWS users are advised to think of their EIP resources just as any AWS resource at risk of exfiltration: “Use the principle of least privilege on your AWS accounts and even disable the ability to transfer EIP entirely if you don’t need it,” the blog concludes.