Compromises of cloud accounts have been a hot topic in the security industry lately, but the common themes we are seeing, such as compute-resource cryptomining and storage bucket data theft, are not the only threats out there. There are underground markets where access to previously compromised accounts of cloud customers (such as through AWS, GCP, Azure, etc.) is being sold and the buyer could use them for spamming and phishing, among other attacks.
CrowdStrike has a lot of data, and some of that data includes information from many underground hacking and fraud communities. Threat intelligence indicates that customer credentials to cloud providers are being sold, and occasionally come with some sort of guaranteed access. These credentials may provide access to a large storage bucket for data theft, a larger-than-default compute limit for launching cryptomining or other attacks, or, as we will discuss in this post, a high daily quota for outbound SMTP mail.
The information and techniques described here apply to any cloud provider that offers an email service, but we will focus on AWS for this post. It’s important to note the Shared Responsibility Model provided by AWS before diving into this topic, in that everything discussed in this post falls under the user’s responsibility, not AWS’s. AWS is largely doing everything it can to prevent these types of attacks, but you need to be sure to take care of your own responsibilities in order to prevent this type of malicious activity, which we will discuss below.
SMTP in AWS
AWS offers a few different services for communicating with end users of your applications, such as Simple Email Service (SES) for emails, Pinpoint for SMS/push notifications and other options.The Sandbox
When a new AWS account begins using any of these services, they are placed in what’s known as a sandbox environment, where additional restrictions are applied to prevent fraud and abuse. According to AWS documentation, the following restrictions apply:- Mail can only be sent to verified identities
- Maximum of 200 sent messages per 24 hours
- Maximum of 1 sent message per second
Outside the Sandbox
Knowing that the blast radius of compromised credentials that belong to an account that is still in the SES sandbox is a little smaller, now imagine that you have a valid business need for SES and you request to be removed from the sandbox. As an example, you may be granted something like 50,000 daily messages and up to 150 messages per second. This is typical for a newly approved account with a valid use case. Now that your limit has increased, so has the underground value of access to your account if it were compromised and sold, due to the greatly increased blast radius of an attacker gaining access to your environment.The Underground Trade
AWS accounts that are outside of the SES sandbox are valuable to criminals that are looking to perform mass spam campaigns or large-scale phishing attacks — this is why there is demand for them. When purchased, they will attempt to launch their campaign as soon as possible and get as much out there as they can, before Amazon catches on and bans the AWS account for malicious activity with SES. Going back to our account with 50,000 daily messages and 150 messages per second, a compromise might mean our account gets put up for trade.Impact
The impact of credentials belonging to your account being sold can be catastrophic. There is a wide range of damage that can result from mass spamming/phishing by an attacker, including but not limited to:- Email-related services paused by AWS (such as SES, SNS, Pinpoint, etc.)
- Full account shutdown by AWS
- Damage to your company domain’s reputation
- Large-scale blocking of your domain by email spam services
- Large costs charged to your AWS account
Defenses
Let’s say you’re out of the SES sandbox and have high limits for your email sending. How can you best protect yourself against these criminals? The answer is both through preventing compromise and limiting blast radius in the event of compromise. “Preventing compromise” of an AWS account is a massive topic, so we’ll refer you to existing documentation by AWS on IAM best practices, while we focus on limiting what happens after the credentials have been breached.Limiting Blast Radius
No one is immune to breaches, so the best thing we can do is ensure we have proper detections in place and limit the blast radius of any compromise to our environment. Here are a few things to consider when architecting your AWS environment in a secure manner.- Understand the responsibilities you have on your side of the Shared Responsibility Model.
- Isolate workloads/projects/environments into separate AWS accounts through the use of AWS Organizations.
- Follow the principle of least privilege when delegating access to your environment.
- Utilize SES Sending Authorization Policies to ensure layered security on your email-sending identities.
- Consider verifying specific email addresses instead of entire domains through SES.
- Configure bounce, complaint and delivery notifications through SNS to be notified of potentially suspicious activity.
- Monitor for API calls to ses:GetSendQuota across multiple regions through CloudTrail, which may indicate an attacker is trying to identify a region that has been lifted from the SES sandbox. This has been seen in the wild, with one such case documented here.
- Monitor your SES sender reputation to ensure it is not damaged.
- Set up infrastructure to automatically pause email sending under certain conditions.
- Monitor the criminal underground for your AWS credentials for sale. CrowdStrike Falcon® Intelligence Recon™ was specifically designed to expose digital risk within underground markets and restricted websites.
Additional Resources
- Need help with your cloud security? CrowdStrike offers a variety of services and products to do just that, such as Falcon Horizon™, our cloud security posture management tool.
- Learn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.
- Get a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.