Cloud incident response company Mitiga says it has uncovered a brand new attack vector that could put Amazon Web Services (AWS) users at risk of cyberattacks.
In a report, the company announced that a new Amazon Virtual Private Cloud (VPC) feature called “Elastic IP transfer” can be used by cybercriminals to take over Elastic IP (EIP) addresses and consequently reach the target’s endpoints.
Elastic IP transfer is a feature that allows users to move Elastic IP addresses from one AWS account to another, which makes it simpler to move addresses when restructuring AWS accounts. But as is often the case with new offerings, this one can be abused.
Threats under the radar
“This is a new attack vector after the initial compromise that was previously not possible (and does not yet appear in the MITRE ATT&CK Framework) and organizations may not be aware of its capabilities,” Mitiga said in its announcement.
Additionally, the company stated that the vulnerability “could increase the reach of the attack and allow further access to systems that rely on an IP whitelist as a primary form of authentication or validation.”
The company says the attack vector is new and unique because an Elastic IP “was never considered an asset that needs to be protected from exfiltration”, and notes that EIP hijacking does not appear in the MITRE ATT&CK knowledge base as a technique at all. This means that victims may not even be aware that an attack is taking place.
As an example of what the technique could be used for, Mitiga explained how a cybercriminal who has already compromised a victim account could transfer one of its Elastic IP addresses to an AWS account they own, attach it to an EC2 instance there, and use it to reach the victim’s endpoints. A firewall would be of little help, because any rule that allow-lists the stolen IP address now admits the attacker. The attacker could also use the address to launch phishing attacks, the company said.
To stay safe, AWS users are advised to treat their Elastic IPs as they would any other AWS asset at risk of exfiltration: “Use the Least Privilege Principle on your AWS accounts, or even completely disable EIP portability if you don’t need it,” the blog concludes.
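The two pieces a practitioner would want from the advice above are a detection for the transfer itself and a control that switches the feature off where it is not needed. The following script is an added example, not code from Mitiga or from AWS: it scans CloudTrail-style records for the EC2 `EnableAddressTransfer` call that moves an Elastic IP out of an account, rates any transfer to an account outside a trusted set as high severity, and emits a service control policy denying the `ec2:EnableAddressTransfer` and `ec2:AcceptAddressTransfer` actions. The sample records, account IDs and allocation IDs are constructed, and the nesting of `requestParameters` is an assumption; confirm it against your own trail before relying on the parser.

```python
"""Detect Elastic IP transfers out of an AWS account from CloudTrail records
and build an SCP that disables the feature org-wide. Added example; the
sample events below are constructed, not real logs."""
import json

# IAM actions behind the Elastic IP transfer feature.
TRANSFER_ACTIONS = ("ec2:EnableAddressTransfer", "ec2:AcceptAddressTransfer")

# Constructed CloudTrail records. The EnableAddressTransferRequest nesting
# under requestParameters is assumed; check a real trail entry.
SAMPLE_EVENTS = [
    {
        "eventTime": "2022-12-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "EnableAddressTransfer",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"EnableAddressTransferRequest": {
            "AllocationId": "eipalloc-0123456789abcdef0",
            "TransferAccountId": "222222222222"}},
    },
    {
        "eventTime": "2022-12-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "EnableAddressTransfer",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
        "sourceIPAddress": "198.51.100.77",
        "requestParameters": {"EnableAddressTransferRequest": {
            "AllocationId": "eipalloc-0fedcba9876543210",
            "TransferAccountId": "999999999999"}},
    },
    {   # Unrelated read-only call; must be ignored.
        "eventTime": "2022-12-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeAddresses",
        "recipientAccountId": "111111111111",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
        "sourceIPAddress": "198.51.100.77",
        "requestParameters": {},
    },
]


def find_eip_transfers(events, trusted_accounts):
    """Return one finding per EnableAddressTransfer call in `events`.

    A transfer whose destination is outside `trusted_accounts` (for example the
    account IDs in your AWS Organization) is rated "high": the address, and every
    allow-list rule that trusts it, now belongs to an account you do not control.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") != "EnableAddressTransfer":
            continue
        params = ev.get("requestParameters") or {}
        req = params.get("EnableAddressTransferRequest", params)  # assumed layout
        dest = str(req.get("TransferAccountId", ""))
        findings.append({
            "time": ev.get("eventTime"),
            "source_account": ev.get("recipientAccountId"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "caller_ip": ev.get("sourceIPAddress"),
            "allocation_id": req.get("AllocationId"),
            "destination_account": dest,
            "severity": "low" if dest in trusted_accounts else "high",
        })
    return findings


def build_deny_transfer_scp(exempt_role_arns=()):
    """Service control policy that denies Elastic IP transfer in every account
    it is attached to (the "disable it if you don't need it" advice), with an
    optional carve-out for named roles that legitimately restructure accounts."""
    statement = {
        "Sid": "DenyElasticIPTransfer",
        "Effect": "Deny",
        "Action": list(TRANSFER_ACTIONS),
        "Resource": "*",
    }
    if exempt_role_arns:
        statement["Condition"] = {"ArnNotLike": {"aws:PrincipalArn": list(exempt_role_arns)}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    trusted = {"111111111111", "222222222222"}
    for finding in find_eip_transfers(SAMPLE_EVENTS, trusted):
        print(json.dumps(finding))
    # Hypothetical exempt role name, for illustration only.
    print(json.dumps(build_deny_transfer_scp(["arn:aws:iam::*:role/NetworkAdmin"]), indent=2))
```

Run against your own trail by replacing `SAMPLE_EVENTS` with the parsed records; `trusted_accounts` should be the full list of account IDs in the organization so that legitimate in-org moves are reported but not paged on. The SCP denies the two actions regardless of what IAM grants inside the member accounts, which is what makes it a reliable "off switch" after an identity compromise.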