Experts have found a whole new attack vector for AWS

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Cloud incident response firm Mitiga claims to have discovered a brand new attack vector that could put Amazon Web Services (AWS) users at risk of cyberattacks.

In a report, the company said that a new Amazon Virtual Private Cloud (VPC) feature called “Elastic IP transfer” (EIP) could be abused by threat actors to compromise IP addresses and, consequently, reach the target’s endpoints.

Elastic IP transfer is a feature that allows users to transfer Elastic IP addresses from one AWS account to another, a feature that makes moving Elastic IP addresses during AWS account restructuring simpler and easier. But as it’s often the case with new offerings, this one came with an abusable flaw.

Threats under the radar

“This is a new vector for post-initial-compromise attack, which was not previously possible (and does not yet appear in the MITRE ATT&CK Framework), which organizations may not be aware of its possibility,” Mitiga said in its announcement. 

Furthermore, the company said the flaw “can expand the blast radius of an attack and allow further access to systems relying on IP allowlisting as their primary form of authentication or validation”.

The company argues the attack vector is brand new and unique as Elastic IP was “never considered a resource you should protect from exfiltration”, claiming that hijacking an EIP isn’t even shown in the MITRE ATT&CK knowledge base as a technique at all.” This means the victims could be completely unaware of the attack taking place, at all.

In an example of what the flaw could be used for, Mitiga explained how a threat actor could attach the stolen IP address to an EC2 instance in an AWS account in their possession, and use it to reach their endpoints. Even a firewall wouldn’t be of much help as it would have a rule allowing connections from the stolen IP address. Consequently, they could use it to launch phishing attacks, the company said.

To stay safe, AWS users are advised to think of their EIP resources just as any AWS resource at risk of exfiltration: “Use the principle of least privilege on your AWS accounts and even disable the ability to transfer EIP entirely if you don’t need it,” the blog concludes.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.