The Elastic IP Transfer feature AWS could be tapped by someone with pre-existing control over an account to use IP addresses to access other systems, researchers at cybersecurity company Mitiga found. The cloud storage provider introduced this functionality recently to allow transferring IP Addresses to other organizations.
By exploiting the AWS Elastic IP (EIP) Transfer feature, a threat actor with existing control over an AWS account can compromise an IP address, and then use it for other things, such as allowing listing circumvention, according to the threat assessment report.
“I have to clarify it isn’t a vulnerability,” Or Aspir, Principal Security Researcher and Developer at Mitiga, told The Cyber Express. “It’s an abuse of a feature that malicious actors can do in order to steal the EIP.”
The company alerted AWS and incorporated their suggestions for the mitigation steps in the threat assessment report.
Why was the feature necessary?
An Elastic IP (EIP) address is a public and static IPv4 address that is reachable from the internet. You can allocate an EIP (which is yours from now own), attaching an EIP to an EC2 instance, then the instance will use the same public address to communicate with the internet, like hosting a website or communicating with network endpoints under a firewall.
In October 2022, AWS announced a new Amazon VPC (Virtual Private Cloud) feature, “Elastic IP transfer,” which allows you to transfer your Elastic IP addresses from one AWS Account to another. This feature makes it easier to move Elastic IP addresses during AWS Account restructuring.
This abuse was noted during the one of his routine assessments of AWS features, said Aspir.
“I always review new features in AWS. What caught my eye here is that the feature allows transfer of EIP to any AWS account, and not only accounts in your AWS organization. So I thought, as a hacker how can I use it for stealing the EIP?”
With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it. This is a later stage attack, assuming initial compromise was already achieved. However, in many cases, it allows greatly increasing the impact of the attack and gaining access to even more assets.
What’s the harm?
Malicious actors can attach the stolen EIP to its EC2 instances in their own AWS account. It could be used for reaching a victim’s network endpoints which are secured by firewall that possess an ingress rule which allows connections from the stolen IP. The stolen Ips could be used for malicious activities, from phishing campaigns to even running a command and control (C&C) server for malware campaigns.
What makes this attack possibility unique is that EIP was never considered a resource to be protected from exfiltration. Hijacking an EIP scenario isn’t even shown as a technique in MITRE ATT&CK knowledge base, which means this new technique can go under the radar of many XDR/CDR solutions, explained the threat assessment report.
“It can sometimes take days to recover the EIP or updating all the infrastructure in order to mitigate this issue. Also, EIP stealing is new, which means defensive tools can miss this malicious action. And there are so many ways an attacker can abuse a stolen IP!”
Use the principle of least privilege on your AWS accounts and even disable the ability to transfer EIP entirely if you don’t need it, suggested the threat assessment report. However, removing the feature altogether is not an option, said Aspir.
“We don’t think AWS should remove this feature; it can help organizations to restructure their network resources in their accounts. We are continuously working with AWS about this feature and gave suggestion about how to make it safer,” he added.