Attackers are increasingly leveraging sophisticated techniques to maintain long-term access in cloud environments, and a newly surfaced tool named AWSDoor is emerging as a major threat.
AWSDoor automates a range of IAM and resource-based persistence methods, allowing adversaries to hide in plain sight within AWS accounts without deploying traditional malware.
Key Takeaways
1. AWSDoor persists in IAM by injecting access keys into compromised users and backdooring role trust policies.
2. It gains resource-based persistence through poisoned Lambda layers and over-privileged execution roles.
3. It can also disable CloudTrail logging, misuse S3 lifecycle rules, and detach accounts.
IAM-Based Backdoors and Rogue Policies
RiskInsight reports that AWSDoor abuses AWS Identity and Access Management (IAM) to create stealthy backdoors. By injecting access keys into compromised IAM users, attackers obtain durable CLI access. A single invocation of the tool creates a new access key pair for the target user, giving the attacker long-lived credentials whose API calls blend with the user's legitimate traffic. To reduce the chance of detection, the tool can list the user's existing keys, deactivate unused ones, and remove evidence of its activity. Defenders can turn IAM's limit of two access keys per user into a signal: a user that suddenly holds a second key, or whose older key is deactivated shortly after a CreateAccessKey event, deserves a closer look.

Beyond access keys, AWSDoor backdoors IAM roles by editing their trust policy documents. Updating a role's trust policy to include attacker-controlled principals gives the adversary a persistent cross-account sts:AssumeRole path into the victim account.
The new policy injects a statement allowing sts:AssumeRole from an external account, granting durable, credential-less access that escapes CloudTrail’s simple credential logs, reads the report.
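As an added illustration (not code from the report or from AWSDoor), the following Python compares a role's trust policy before and after such a change and lists every AssumeRole principal that belongs to an account other than the one owning the role. The account IDs, role contents and the backdoor statement are constructed. One practical caveat: each cross-account sts:AssumeRole call is still recorded as an AssumeRole event in the trusting account's CloudTrail, so a check like this pairs well with alerting on AssumeRole events whose caller identity comes from an unexpected account.

```python
import json

OWN_ACCOUNT = "111111111111"  # assumed: the account that owns the role

# Constructed sample: a trust policy that legitimately lets Lambda assume the role.
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# The same document after a statement trusting an outside account has been
# appended (999999999999 is a made-up attacker account ID).
BACKDOORED_TRUST_POLICY = json.loads(json.dumps(ORIGINAL_TRUST_POLICY))
BACKDOORED_TRUST_POLICY["Statement"].append(
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "sts:AssumeRole"}
)


def _as_list(value):
    """IAM allows most policy fields to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account ID of an AWS principal ('arn:aws:iam::123456789012:root' or a bare
    '123456789012'), or None when it cannot be determined (e.g. '*')."""
    if principal.startswith("arn:"):
        parts = principal.split(":")  # arn:partition:service:region:account:resource
        return parts[4] if len(parts) > 4 and parts[4] else None
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def foreign_assume_role_principals(policy, own_account=OWN_ACCOUNT):
    """AWS principals outside own_account that the policy lets assume the role.
    Service principals (Principal.Service) are not account-bound and are skipped;
    a bare '*' principal is reported as-is because it trusts everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p == "*" or principal_account(p) != own_account:
                findings.append(p)
    return findings


def added_statements(before, after):
    """Statements present in the new document but not the old one: the part to
    inspect first when an UpdateAssumeRolePolicy event fires."""
    old = _as_list(before.get("Statement", []))
    return [s for s in _as_list(after.get("Statement", [])) if s not in old]


if __name__ == "__main__":
    for s in added_statements(ORIGINAL_TRUST_POLICY, BACKDOORED_TRUST_POLICY):
        print("added:", json.dumps(s))
    print("foreign principals:", foreign_assume_role_principals(BACKDOORED_TRUST_POLICY))
```

Run against the old and new policyDocument values carried in the CloudTrail event (or against iam get-role output on a schedule), the check reduces to a list of foreign principals that should be empty unless a documented cross-account integration exists.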
AWSDoor’s resource-based persistence modules turn AWS services themselves into footholds. Its AdminLambda module, for example, deploys a malicious Lambda function or layer and attaches an over-privileged execution role. With the -l flag, AWSDoor deploys a Lambda layer containing poisoned libraries that shadow legitimate ones (for example, a backdoored requests.get()), so the attacker's code runs every time the function is invoked.
Exposed via API Gateway or a Function URL, the Lambda becomes a remote shell. Because the malicious code lives in the layer rather than in the function body, it survives routine console inspection and inline code review of the function itself.
Mitigations
Security teams should continuously monitor IAM changes, in particular CloudTrail events such as CreateAccessKey, UpdateAccessKey, UpdateAssumeRolePolicy, PutRolePolicy, and AttachRolePolicy.
AWS Config custom rules can flag rogue NotAction statements. An Allow statement that combines NotAction with Resource "*" grants every action except the few listed, which is near-Administrator access however innocuous the exclusions look.

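The evaluation logic such a rule needs, as an added example rather than anything from the report: the code below flags Allow statements that use NotAction against a wildcard resource (or NotResource), leaves Deny-plus-NotAction guardrails alone, and wraps the verdict in the evaluation record a Config custom rule returns. The policies, role identifiers and the rolePolicyList/policyDocument field layout of the AWS::IAM::Role configuration item are assumptions for illustration; the boto3 put_evaluations call is left out so the block runs offline.

```python
import json
from urllib.parse import quote, unquote


def _as_list(value):
    return value if isinstance(value, list) else [value]


def rogue_not_action_statements(policy):
    """Allow statements that use NotAction on broad resources. Allow + NotAction +
    Resource "*" (or NotResource) permits every action except the listed few, so
    it is near-AdministratorAccess no matter how harmless the exclusions look.
    Deny + NotAction is a normal guardrail pattern and is not flagged."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "NotAction" not in stmt:
            continue
        if "NotResource" in stmt or "*" in _as_list(stmt.get("Resource", [])):
            hits.append(stmt)
    return hits


def evaluate(policy):
    return "NON_COMPLIANT" if rogue_not_action_statements(policy) else "COMPLIANT"


def _decode(document):
    """Config delivers policy documents URL-encoded; accept plain dicts too."""
    if isinstance(document, dict):
        return document
    return json.loads(unquote(document))


def evaluate_role_item(item):
    """Evaluate every inline policy of an AWS::IAM::Role configuration item and
    build the record a custom rule hands to config.put_evaluations()."""
    verdict = "COMPLIANT"
    for inline in item["configuration"].get("rolePolicyList", []):
        if evaluate(_decode(inline["policyDocument"])) == "NON_COMPLIANT":
            verdict = "NON_COMPLIANT"
            break
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": verdict,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Config custom-rule entry point: invokingEvent arrives as a JSON string.
    A real rule would send the result plus event["resultToken"] to put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    return evaluate_role_item(invoking["configurationItem"])


# Constructed samples (made-up policies and identifiers, not from the report).
NEAR_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "NotAction": ["iam:DeleteUser"],  # cosmetic exclusion only
                   "Resource": "*"}],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "NotAction": ["s3:*"], "Resource": "*"},
    ],
}
SAMPLE_ROLE_ITEM = {
    "resourceType": "AWS::IAM::Role",
    "resourceId": "AROAEXAMPLEROLEID",
    "configurationItemCaptureTime": "2025-09-20T10:05:00.000Z",
    "configuration": {
        "roleName": "ci-role",
        "rolePolicyList": [
            {"policyName": "deploy", "policyDocument": quote(json.dumps(GUARDRAIL_POLICY))},
            {"policyName": "maint", "policyDocument": quote(json.dumps(NEAR_ADMIN_POLICY))},
        ],
    },
}
SAMPLE_INVOCATION = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ROLE_ITEM}),
                     "resultToken": "constructed"}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_INVOCATION, None), indent=2))
```

The same evaluate() function can be pointed at managed policy versions (iam get-policy-version) and at PutRolePolicy request parameters in CloudTrail, so one definition of "near-admin" serves both the posture check and the real-time alert.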
Defenders should also audit Lambda layer attachments (UpdateFunctionConfiguration, PublishLayerVersion) and validate any externally reachable function URLs (CreateFunctionUrlConfig, UpdateFunctionUrlConfig), especially those created with authentication type NONE.
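To show what that monitoring looks like end to end, here is an added triage pass (not from the report) over a handful of constructed CloudTrail-style records covering the IAM, Lambda and CloudTrail events discussed in this section. The record layout follows CloudTrail's JSON format, but every account ID, principal, IP address, role, function and trail name is made up, and the severity ranking is this example's own choice.

```python
import re

OWN_ACCOUNT = "111111111111"  # assumed: the monitored account

# CloudTrail eventNames worth alerting on (they match the API action names);
# the one-line descriptions are ours.
WATCHED = {
    "CreateAccessKey": "long-lived credential created",
    "UpdateAccessKey": "access key activated or deactivated",
    "UpdateAssumeRolePolicy": "role trust policy changed",
    "PutRolePolicy": "inline role policy written",
    "AttachRolePolicy": "managed policy attached to role",
    "UpdateFunctionConfiguration": "Lambda configuration (incl. layers) changed",
    "PublishLayerVersion": "Lambda layer version published",
    "CreateFunctionUrlConfig": "Lambda function URL created",
    "UpdateFunctionUrlConfig": "Lambda function URL changed",
    "StopLogging": "CloudTrail trail stopped",
    "DeleteTrail": "CloudTrail trail deleted",
}

# Constructed CloudTrail-style records: field layout follows the real format,
# every name, ARN, IP and account ID is invented.
SAMPLE_EVENTS = [
    {"eventTime": "2025-09-20T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "svc-deploy"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000001", "status": "Active"}}},
    {"eventTime": "2025-09-20T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "ci-role", "policyDocument":
         '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":'
         '{"AWS":"arn:aws:iam::999999999999:root"},"Action":"sts:AssumeRole"}]}'}},
    {"eventTime": "2025-09-20T10:03:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"functionName": "billing-export",
                           "layers": ["arn:aws:lambda:us-east-1:111111111111:layer:utils:7"]}},
    {"eventTime": "2025-09-20T10:04:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunctionUrlConfig", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"functionName": "billing-export", "authType": "NONE"}},
    {"eventTime": "2025-09-20T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"}},
    {"eventTime": "2025-09-20T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
]

ACCOUNT_ID = re.compile(r"(?<!\d)\d{12}(?!\d)")


def severity(event, own_account):
    """Escalate a watched event when its parameters look like a backdoor."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name == "UpdateAssumeRolePolicy":
        foreign = sorted(set(ACCOUNT_ID.findall(params.get("policyDocument", ""))) - {own_account})
        if foreign:
            return "high", "trust policy now names account(s) " + ", ".join(foreign)
        return "medium", WATCHED[name]
    if name in ("CreateFunctionUrlConfig", "UpdateFunctionUrlConfig") and params.get("authType") == "NONE":
        return "high", "function URL reachable without IAM authentication"
    if name == "UpdateFunctionConfiguration" and params.get("layers"):
        return "medium", "layers set to " + ", ".join(params["layers"])
    if name in ("StopLogging", "DeleteTrail"):
        return "high", WATCHED[name]
    return "low", WATCHED[name]


def triage(events, own_account=OWN_ACCOUNT):
    """Reduce a CloudTrail event stream to the persistence-relevant changes."""
    findings = []
    for e in events:
        if e.get("eventName") not in WATCHED:
            continue
        params = e.get("requestParameters") or {}
        sev, note = severity(e, own_account)
        findings.append({
            "time": e.get("eventTime"), "eventName": e["eventName"],
            "actor": e.get("userIdentity", {}).get("arn"), "sourceIP": e.get("sourceIPAddress"),
            "target": params.get("userName") or params.get("roleName")
                      or params.get("functionName") or params.get("name"),
            "severity": sev, "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:6} {f['eventName']:28} {f['target']} by {f['actor']}: {f['note']}")
```

Feeding real records from a CloudTrail S3 export or an EventBridge rule into triage() is a matter of replacing SAMPLE_EVENTS; the useful part is that the same actor and source IP tie the five changes together, which is the kind of sequence a single-event alert misses.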
Employing both Cloud Security Posture Management (CSPM) and Cloud EDR solutions will enable detection of anomalous IAM modifications and unusual runtime behaviors.
As AWSDoor demonstrates, attackers are shifting towards configuration-based persistence, making vigilant policy auditing and telemetry integrity essential to maintaining AWS environment security.