Mitiga threat researchers have identified what they describe as a new potential attack vector leveraging recently introduced functionality in Amazon Web Services (AWS) technology that has made changing Elastic IP ownership in AWS Elastic Compute Cloud (EC2) environments easier.
Mitiga is an AWS partner, and provides software and services for security incident response and preparedness in cloud environments.
In October 2022, said the researchers, AWS announced a new Amazon Virtual Private Cloud feature, “Elastic IP transfer”, which allows the transfer of Elastic IP addresses from one AWS account to another. This feature makes it easier to move Elastic IP addresses during AWS account restructuring.
By exploiting this AWS Elastic IP Transfer feature, a threat actor with existing control over an AWS account could compromise an IP address.
This is, said Mitiga, is a “new vector for post-initial-compromise attack, which was not previously possible (and does not yet appear in the MITRE ATT&CK Framework)”. “Organisations may not be aware of its possibility,” it added.
Mitiga said the method “can expand the blast radius of an attack and allow further access to systems relying on IP allowlisting as their primary form of authentication or validation”.
It maintains that the potential attack is unique as “EIP was never considered a resource you should protect from exfiltration”. “The ‘hijacking an EIP’ scenario isn’t even shown as a technique in the MITRE ATT&CK knowledge base, which means this new technique can go ‘under the radar’.”
Malicious actors could attach a stolen EIP to an EC2 instance in their own AWS account for purposes that include reaching a victim’s network endpoints, secured by a firewall that possesses an ingress rule which allows connections from the stolen IP. They could also use the stolen IP for malicious activities, such as phishing campaigns. An EC2 instance is a virtual server in Amazon’s Elastic Compute Cloud for running applications on the AWS infrastructure.
The researchers’ advice to AWS users is to treat their EIP resources like other resources in AWS which are in danger of exfiltration. “Use the principle of least privilege on your AWS accounts and even disable the ability to transfer EIP entirely if you don’t need it,” it said.
Mitiga has published a detailed blog post about what they describe as Elastic IP Hijacking on its website. It notified the AWS security team about its findings before publishing, and incorporated the feedback it got as part of its post.