Late last year, two cybercriminal groups at opposite ends of the globe used a French transportation company’s AWS accounts to blast thousands of phishing emails that were impervious to spam filters.
The plot took advantage of Amazon Web Services’ Simple Email Service (SES), a cloud email tool with gated access for generating and managing high-volume email campaigns. By piggybacking on verified, production-level SES-enabled accounts belonging to Île-de-France Mobilités — the body that manages transportation companies in the greater Paris region — the attackers were able to reach 2,700 recipients in just five minutes, before being snuffed out.
It’s a strategy that builds on a growing trend for threat actors to use cloud services for their malicious ends.
“A lot of them are realizing that they don’t have to go out and develop these resources for themselves,” says Michael Clark, director of threat research at Sysdig. “It’s the exact reason why regular companies buy into the cloud — they don’t have to build all these services, they can just get an account and start using them. It’s very quick to do, all the APIs are defined, so they probably don’t even have to adjust their scripts; they just have to plug in a new API key and they’re ready to go.”
SES: The Perfect Phishing Machine
It seems to have been an Indonesian threat actor that first breached Île-de-France Mobilités, via a Linux system running a long-outdated version of the open source PHP framework, Laravel. The specific bug — the 9.8 critical CVE-2021-3129, enabling arbitrary code execution — was initially published three years ago.
In a sign of the times, the attacker used its access to aim directly for the company’s AWS accounts, and specifically for SES, given its particular usefulness to cyberattack groups.
SES allows for mass email distribution, but not just for anyone. To prevent wanton abuse, accounts start off in a sandbox mode, where users can only reach verified addresses and they have a strict cap on volume. Account holders must apply for production access, which lifts the former restriction and raises one’s daily sending limit to 50,000 emails (or more, with further approvals). Not all accounts are granted this status.
For prospective phishers, the ability to send 50,000 emails a day from a corporate account is already pretty great. But SES offers yet more benefits, like the ability to monitor and increase sender reputation. And, most important of all, it uses authentication with DomainKeys Identified Mail (DKIM) to guarantee that emails will pass through spam filters and into inboxes.
It’s no wonder, then, that a black market has developed around production-level SES accounts, typically changing hands at around $600-$700 apiece.
[Figure. Source: Sysdig]
This is exactly what Île-de-France Mobilités’ attacker had in mind, trading the company’s SES account credentials to a French actor that capitalized on them by sending 550 emails per minute before being stopped.
Is Preventing Cloud Abuse Unrealistic?
In theory, there are three levels at which a cloud email attack can be stunted.
First, there’s the vendor. Besides the production access checks, “they provide some simple controls — you know, standard analysis, security — but it’s all invisible to users, so it’s hard to tell what they do on that end,” Clark says of AWS.
If the world’s fifth largest company can’t prevent the attack, its corporate clients are the next line of defense. “If you’re using email services, you need to keep an eye out for suspicious behavior, because it’s more than just phishing — they can use up your daily quota and shut down your business processes,” Clark warns. Corporate email takeover can also cause reputational damage, both within the platform’s ranking system and also among recipients.
Alessandro Brucato, senior threat research engineer at Sysdig, suggests that account holders make good use of SES’ monitoring features. “If an attacker sends too many phishing emails, it may be that these dashboards will start reflecting that abnormal activity,” he says, but warns that “it’s hard to say what amount of emails sent would trigger an alert — the attacker could reach many thousands of victims before the metrics start to give a hint that something is wrong.”
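The two warnings above (a stolen account burning your daily quota, and dashboards that only reflect abuse once the volume is already abnormal) can be turned into concrete checks. The script below is an added example, not Sysdig's tooling or AWS code. Its sample data is constructed: SAMPLE_ACCOUNT mirrors the field names of the SES v2 GetAccount response (ProductionAccessEnabled, SendQuota with Max24HourSend, MaxSendRate and SentLast24Hours), and the records built by make_send_events mirror the shape of SES event-publishing records (eventType, mail.timestamp). Both shapes are assumptions to verify against your own account's output; the 550-per-minute burst mimics the rate reported in the article.

```python
"""Two defender-side checks on SES sending activity.

Added example, not Sysdig's or AWS's code. SAMPLE_ACCOUNT and the events from
make_send_events are constructed; their field names follow the SES v2 GetAccount
response and SES event-publishing records as an assumption, not captured output.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Constructed GetAccount-style response for a production-enabled account.
SAMPLE_ACCOUNT = {
    "ProductionAccessEnabled": True,
    "SendQuota": {
        "Max24HourSend": 50000.0,
        "MaxSendRate": 14.0,
        "SentLast24Hours": 41200.0,
    },
}


def quota_pressure(account, warn_fraction=0.8):
    """Return (fraction of the 24-hour quota already used, warning flag).

    A sudden jump in SentLast24Hours is the cheapest signal that someone else is
    burning the quota your own business processes depend on.
    """
    quota = account["SendQuota"]
    cap = quota["Max24HourSend"]
    used = quota["SentLast24Hours"] / cap if cap else 0.0
    return used, used >= warn_fraction


def make_send_events(per_minute_counts, start="2024-01-15T10:00:00+00:00"):
    """Build constructed SES 'Send' events, one per email, for consecutive minutes."""
    base = datetime.fromisoformat(start).astimezone(timezone.utc)
    events = []
    for minute, count in enumerate(per_minute_counts):
        for i in range(count):
            ts = base + timedelta(minutes=minute, seconds=i % 60)
            events.append(json.dumps({
                "eventType": "Send",
                "mail": {
                    "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
                    "source": "no-reply@example.test",  # constructed sender
                    "destination": [f"user{i}@example.test"],  # constructed recipient
                },
            }))
    return events


def sends_per_minute(events):
    """Count 'Send' events per UTC minute, keyed 'YYYY-MM-DDTHH:MM'."""
    counts = Counter()
    for raw in events:
        event = json.loads(raw) if isinstance(raw, str) else raw
        if event.get("eventType") != "Send":
            continue
        counts[event["mail"]["timestamp"][:16]] += 1
    return counts


def burst_minutes(events, baseline_per_minute, multiplier=5):
    """Minutes whose send count exceeds `multiplier` times the normal per-minute rate."""
    threshold = baseline_per_minute * multiplier
    return sorted(m for m, n in sends_per_minute(events).items() if n > threshold)


# Constructed traffic: three quiet minutes, then a burst at the 550/min rate
# reported in the article.
SAMPLE_EVENTS = make_send_events([12, 15, 10, 550, 540, 520])

if __name__ == "__main__":
    used, warn = quota_pressure(SAMPLE_ACCOUNT)
    print(f"24h quota used: {used:.1%} (warn={warn})")
    print("burst minutes:", burst_minutes(SAMPLE_EVENTS, baseline_per_minute=15))
```

The baseline figure is the one input you must supply from your own history; a fixed threshold on the raw count would miss a burst in a low-volume account and fire constantly in a busy one, which is exactly the ambiguity Brucato describes.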
If the emails do make it to inboxes, skepticism and an eye for detail are an addressee’s best bet. In this case, for example, “the attackers chose aliases like ‘Contact Navigo’ or ‘Support Navigo,’ stuff like that. But the actual domain name of the sender addresses is not related to Navigo,” Brucato points out.
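The tell Brucato describes, a display name that trades on a brand while the actual sender domain has nothing to do with it, is something a mail gateway or triage script can check mechanically rather than leaving it to the recipient's eye. The script below is an added example, not the Sysdig researchers' code. Its brand-to-domain allowlist and sample From headers are constructed: the "navigo" keyword follows the aliases quoted in the article, and every domain in it is a placeholder under .test, not the transport operator's real domain.

```python
"""Flag sender display names that borrow a brand the sending domain may not use.

Added example, not Sysdig's code. BRAND_DOMAINS and SAMPLE_HEADERS are
constructed; the .test domains are placeholders, not the real operator's domain.
"""
from email import message_from_string, policy

# Constructed allowlist: brand keyword -> domains allowed to show that brand.
BRAND_DOMAINS = {
    "navigo": {"navigo-legit.test"},
}


def parse_from(from_header):
    """Return (display_name, domain) from a raw From header value, RFC 2047 decoded."""
    msg = message_from_string(f"From: {from_header}\n\n", policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return "", ""
    addr = header.addresses[0]
    return addr.display_name, addr.domain.lower()


def domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def impersonated_brand(from_header, brand_domains=BRAND_DOMAINS):
    """Return the brand keyword the display name trades on when the address
    domain is not allowed for that brand; None when nothing looks off."""
    display, domain = parse_from(from_header)
    text = display.lower()
    for brand, allowed in brand_domains.items():
        if brand in text and not domain_allowed(domain, allowed):
            return brand
    return None


# Constructed headers in the style the article describes.
SAMPLE_HEADERS = [
    "Support Navigo <no-reply@bulk-mailer.test>",
    "Contact Navigo <contact@navigo-legit.test>",
    "=?utf-8?q?Contact_Navigo?= <alerts@mail.bulk-mailer.test>",
    "Weekly Newsletter <news@bulk-mailer.test>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{str(impersonated_brand(h)):>6}  {h}")
```

Parsing through the email package with policy.default matters here: it decodes RFC 2047 encoded words in the display name, so a phisher cannot hide the brand keyword behind Q-encoding, and it gives the address domain directly instead of relying on a hand-rolled split on "@".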
It is unlikely, though, that the average person on an average day will look upon an average corporate email with an eagle eye, just as it is unlikely that any company can comfortably prevent every potential abuse of its cloud services.
“This is a problem everyone’s been trying to solve for a while,” Clark bewails, “and people are still getting phishing emails and still falling victim to them.”