Attackers usually gain access to an organization's cloud assets by leveraging compromised user access tokens obtained via phishing, by using malware, or by finding them in public code repositories.
These are long-term access tokens associated with AWS IAM or federated users.
They grant users - whether legitimate or malicious ones - specific roles and privileges.
If the permission level is high enough, this compromised user account can create additional IAM users with long-term access tokens.
It can also create users that will have short-term access tokens - generated on demand via AWS's Security Token Service (STS) and valid for a maximum of 36 hours - and time-limited access to cloud assets.
Attackers may abuse AWS STS to get many access tokens.
Attackers are thus able to retain access to the cloud assets for a longer time and use that access to move laterally, escalate privileges, exfiltrate data, etc.
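As an added example, not part of the original article, the following detector looks for the two signals described above in CloudTrail-style records: a single long-term IAM access key minting many STS tokens in a short window, and the same key creating new IAM users or access keys. The access key IDs, timestamps, 10-minute window and 3-token threshold are constructed for illustration.

```python
# Detection logic for the pattern above: a long-term IAM key (AKIA...) minting
# many STS tokens in a short window, or creating new IAM users / access keys.
# Records below are constructed CloudTrail-style JSON lines, not real logs.
import json
from collections import defaultdict
from datetime import datetime, timedelta

STS_MINT = {"GetSessionToken", "GetFederationToken"}
PERSISTENCE = {"CreateUser", "CreateAccessKey"}

def _rec(t, source, name, key):  # build one constructed CloudTrail-like record
    return json.dumps({"eventTime": t, "eventSource": source, "eventName": name,
                       "userIdentity": {"type": "IAMUser", "accessKeyId": key}})

SAMPLE_LOG = "\n".join([
    _rec("2023-12-07T10:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIA_CONSTRUCTED_A"),
    _rec("2023-12-07T10:02:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIA_CONSTRUCTED_A"),
    _rec("2023-12-07T10:05:00Z", "sts.amazonaws.com", "GetFederationToken", "AKIA_CONSTRUCTED_A"),
    _rec("2023-12-07T10:07:00Z", "iam.amazonaws.com", "CreateUser", "AKIA_CONSTRUCTED_A"),
    _rec("2023-12-07T10:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIA_CONSTRUCTED_B"),
    _rec("2023-12-07T14:00:00Z", "sts.amazonaws.com", "GetSessionToken", "AKIA_CONSTRUCTED_B"),
])

def parse_events(raw):
    """Parse newline-delimited CloudTrail-style JSON records into dicts with a datetime."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def find_suspicious(events, window=timedelta(minutes=10), threshold=3):
    """Return {accessKeyId: set of findings} for keys matching either signal."""
    findings, mint_times = defaultdict(set), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = e["userIdentity"]["accessKeyId"]
        if e["eventName"] in PERSISTENCE:
            findings[key].add("persistence:" + e["eventName"])
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] in STS_MINT:
            mint_times[key].append(e["ts"])
    for key, times in mint_times.items():  # sliding window over sorted timestamps
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[key].add("sts-burst")
                break
    return dict(findings)
```

Key B makes two token requests four hours apart and is not flagged, while key A trips both the burst rule and the persistence rule.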
This Cyber News was published on www.helpnetsecurity.com. Publication date: Thu, 07 Dec 2023 14:43:05 +0000