Attack technique
Technique name: AWS Lambda Function Credential Theft
MITRE ATT&CK
- Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access
- Technique: Valid Accounts: Cloud Accounts
Technique description
In the context of AWS Lambda, the execution role is crucial as it provides the permissions a Lambda function needs to access AWS services and resources. The execution role's temporary credentials, which carry these permissions, reside in the environment variables of the Lambda execution environment. This makes them susceptible to extraction by threat actors exploiting misconfigurations or vulnerabilities in the function code. Once compromised, these credentials enable unauthorized access to critical AWS resources within the Lambda execution role's scope. With Lambda credentials in hand, threat actors can potentially escalate privileges, establish persistence, and traverse an organization's AWS accounts.
Insights from threat intelligence
Compute token theft is on the rise and poses a growing threat. The observed behavior is the compromise of a Lambda function's execution role STS credentials, leading to unauthorized access to the organization's AWS resources by threat actors. A few reports describe threat actors exploiting vulnerabilities or misconfigurations to obtain a Lambda function's temporary credentials, which are later used from an attacker-controlled machine to perform discovery calls, move laterally, and establish persistence in the environment. The main anomalous attributes of this behavior are the source IP, the user agent, and the operations performed with the Lambda access key.
References
- Palo Alto Networks - Compromised Cloud Compute Credentials
- Detecting the Use of Stolen AWS Lambda Credentials
- SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft – Sysdig
Threat hunting theses breakdown
Lambda function credential usage from outside of AWS
Relevant Data Sources: AWS CloudTrail
Thesis explanation
Lambda functions run on EC2 machines managed by AWS. These typically have IPs from an AWS IP range. Lambda function credential usage for AWS operations originating from sources outside AWS, including IPs not associated with AWS ranges or VPCs, is considered suspicious and may signal a compromised Lambda function. A threat actor may leverage a vulnerability or misconfiguration to get hold of Lambda credentials, exfiltrate them to their own machine, and use them for malicious operations in the victim's AWS account.
Blind spots
- Cases where Lambda function credentials are used from an AWS IP range (for example, an attacker-controlled EC2 machine)
- Cases where Lambda function credentials are used from a customer-owned VPC IP range
Recommended investigation flow
- Is the activity originating from an IP range unusual for this Lambda function? Does it deviate from the countries and ASNs regularly seen in past activity?
- Is it a proxy IP, or an EC2 or other hosting-provider IP that is not owned by the organization?
- Is the activity originating from a user agent unusual for this Lambda function? Was it done using the browser, the CLI, or another tool? (browser usage in case of S3 operations may indicate access through a pre-signed URL generated by the Lambda function)
- Are the operations and AWS resources accessed unusual for this Lambda function?
- Is the Lambda code implemented following security best practices such as input validation? (Otherwise, a vulnerability may be abused by threat actors to obtain the Lambda function’s credentials)
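A minimal version of this hunt over CloudTrail records, added here as an illustrative example that is not part of the original page: it picks out events made with a Lambda execution role's assumed-role session, drops those whose source IP falls inside a trusted allowlist, and notes whether the user agent looks like an SDK call from inside Lambda. The CIDRs, role names and events are constructed placeholders; in practice the allowlist would be built from AWS's published ip-ranges.json and the account's own VPC CIDRs.

```python
import ipaddress
import re

# Constructed allowlists; in practice load AWS's published ip-ranges.json and
# the account's own VPC CIDRs (two AWS ranges and one VPC range are assumed here).
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("3.0.0.0/8", "52.0.0.0/8", "10.20.0.0/16")]
# Lambda execution-role credentials show up in CloudTrail as an assumed-role
# session whose session name is the function name.
LAMBDA_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<session>.+)$")

def ip_is_trusted(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # e.g. "lambda.amazonaws.com": an AWS service made the call
        return True
    return any(ip in net for net in TRUSTED_RANGES)

def hunt(events, lambda_roles):
    """Flag Lambda-role credential use from outside the AWS and VPC ranges."""
    findings = []
    for e in events:
        ident = e.get("userIdentity", {})
        m = LAMBDA_ARN.match(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not m or m["role"] not in lambda_roles:
            continue
        if ip_is_trusted(e.get("sourceIPAddress", "")):
            continue
        findings.append({
            "time": e["eventTime"], "api": f'{e["eventSource"]}:{e["eventName"]}',
            "function": m["session"], "source_ip": e["sourceIPAddress"],
            # SDK calls from inside Lambda carry exec-env/AWS_Lambda_* in the user
            # agent; its absence is a second signal worth recording for the analyst.
            "lambda_user_agent": "exec-env/AWS_Lambda" in e.get("userAgent", ""),
        })
    return findings

def _ev(ts, api, ip, ua, role, session):  # builds one constructed CloudTrail record
    src, name = api.split(":")
    return {"eventTime": ts, "eventSource": src, "eventName": name, "sourceIPAddress": ip,
            "userAgent": ua, "userIdentity": {"type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}"}}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    _ev("2024-01-01T10:00:00Z", "s3.amazonaws.com:GetObject", "52.10.1.5",
        "Boto3/1.28 exec-env/AWS_Lambda_python3.11", "order-fn-role", "order-fn"),
    _ev("2024-01-01T10:05:00Z", "sts.amazonaws.com:GetCallerIdentity", "198.51.100.7",
        "aws-cli/2.13.0", "order-fn-role", "order-fn"),
    _ev("2024-01-01T10:06:00Z", "iam.amazonaws.com:ListUsers", "198.51.100.7",
        "aws-cli/2.13.0", "admin-role", "alice"),
]
```

Running `hunt(SAMPLE_EVENTS, {"order-fn-role"})` yields a single finding, the GetCallerIdentity call from 198.51.100.7 with a CLI user agent, while the in-Lambda S3 call and the unrelated admin-role session are left alone.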