Monday, March 10, 2025

🥖 Palate Cleanser

Hello folks,

Guess who's back, back again? DG's back, tell a friend. It's issue 200! Thank you Cynthia for taking care of all of you while I was gallivanting around Europe. I apologize for the bad jokes and pop culture references you have to endure once again.

Crypto drama lovers may have heard of the recent $1.5 billion Bybit heist. That's about 60 million tins worth of Milo in crypto, gone. Safe{Wallet}’s investigation summary states, "The attack involved the compromise of a Safe{Wallet} developer’s laptop (Developer1) and the hijacking of AWS session tokens to bypass multi-factor authentication (MFA) controls." Almost no one has developer workstations in their AWS threat model, yet this is the path of least resistance for most red teams. Something to ponder over a cup of Milo—unless North Korea decides to buy up the entire global supply with its bounty.

This wasn't intended to be a call to arms, but... If you want to get into hacking AWS for Milo, crypto or just to be a better security professional, Nick Frichette will help you get started. He did a wonderful talk at Wild West Hackin' Fest titled, "I Want You to Hack AWS: Cloud Penetration Testing for Traditional Hackers", which is now available for everyone to watch. Nick has an engaging, polished style that makes the audience feel like becoming a cloud security tester is totally doable.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • DIY — Evaluating AWS Native Approaches for Detecting Suspicious API Calls by Adan Álvarez Vilchez

    Security alerting is much harder than it looks. I don't recommend building your own security alerting because you're almost guaranteed to screw it up. However, it's also a good thing to understand and explore so you understand the rough edges and traps. Adan compares three AWS-native architectures and describes their trade-offs, including hard numbers on performance. If you want some free basic security alerting, try the AWS Security Survival Kit, which comes with pre-canned basic alerts.

  • JavaGhost’s Persistent Phishing Attacks From the Cloud by Margaret Kelley

    We've covered SES phishing abuse many times in this prestigious newsletter; however, none of the articles have had the level of depth and detail found in this one. Margaret goes through all the API calls used by this threat actor, their IAM policies, and even includes screenshots from web console activity. The thing that struck me is just how bad the situation must be when a threat actor can continue to use security groups named 'Java_Ghost,' with the group description 'We Are There But Not Visible,' and still be wildly successful. Maybe there should be an alert for that?

  • AWS CloudFormation Phishing Attack: A Growing Threat by Victor Grenu

    If you wanted to hack AWS environments, you could learn all the stuff Nick Frichette teaches or break into developer laptops like North Korea. OR, you could just send people emails, asking them nicely to execute CloudFormation stacks for you. Victor, who incidentally started AWS Security Digest, gives us a worked example of a recent Amazon-branded phishing campaign he's observed, along with advice for prevention and detection.
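One way to build the alert the JavaGhost item above asks for, as an added example (not code from Margaret Kelley's article or from AWS): a small detector that scans CloudTrail records for CreateSecurityGroup calls whose name or description matches the two strings the newsletter quotes. It assumes CloudTrail's EC2 record shape (requestParameters.groupName and requestParameters.groupDescription); the sample records and event IDs are constructed.

```python
"""Toy CloudTrail detector for the JavaGhost security-group naming quoted above.

Added example, not code from the article or from AWS. The records below are
constructed samples in CloudTrail's JSON shape; a real deployment would read
events from a CloudTrail log bucket or an EventBridge rule instead.
"""
import json
import re

# The two strings the newsletter quotes; case-insensitive to catch variants.
SUSPICIOUS_PATTERNS = [
    re.compile(r"java[_\- ]?ghost", re.IGNORECASE),
    re.compile(r"we are there but not visible", re.IGNORECASE),
]


def is_suspicious_sg_event(event: dict) -> bool:
    """True if a CreateSecurityGroup record's name or description matches an indicator."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") != "CreateSecurityGroup":
        return False
    params = event.get("requestParameters") or {}
    fields = [params.get("groupName", ""), params.get("groupDescription", "")]
    return any(p.search(f) for p in SUSPICIOUS_PATTERNS for f in fields)


def scan_cloudtrail(records: list) -> list:
    """Return (eventID, groupName) for every suspicious record in a list of CloudTrail records."""
    return [(r.get("eventID"), (r.get("requestParameters") or {}).get("groupName"))
            for r in records if is_suspicious_sg_event(r)]


# Constructed sample records; eventIDs and vpcId are placeholders, not real values.
SAMPLE_RECORDS = [
    {"eventID": "evt-0001", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
     "requestParameters": {"groupName": "Java_Ghost",
                           "groupDescription": "We Are There But Not Visible",
                           "vpcId": "vpc-placeholder"}},
    {"eventID": "evt-0002", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
     "requestParameters": {"groupName": "web-tier", "groupDescription": "HTTP from ALB",
                           "vpcId": "vpc-placeholder"}},
    {"eventID": "evt-0003", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "requestParameters": {}},
]

if __name__ == "__main__":
    for event_id, group_name in scan_cloudtrail(SAMPLE_RECORDS):
        print(json.dumps({"alert": "suspicious security group", "eventID": event_id,
                          "groupName": group_name}))
```

String matching on a known name is the cheapest possible signal; the same shape of check is where you would hang broader rules, such as alerting on any CreateSecurityGroup from a principal that has never touched EC2 before.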

Bonus: Thoughts on cloud alerts from the top cloud MDR

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Have you got a long list of AWS security issues you could fix but no idea how bad any of it really is?

Get a Plerion demo. Focus on the 1% of risks that matter & achieve better security outcomes.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

    No new CVEs.

📺 AWS Security Bulletins

    No bulletins this week.
