New Persistence Technique Attackers Use to Hide in AWS Cloud Environments

As more companies move their critical systems and data to Amazon Web Services (AWS), attackers are finding new ways to stay hidden inside cloud environments.

AWSDoor is a tool designed to simplify and automate persistence techniques in AWS. Persistence lets an attacker keep access even after the initial breach has been remediated.

IAM-Based Persistence

AWS Identity and Access Management (IAM) controls who can access resources and what they can do. Attackers use AWSDoor to modify IAM settings without dropping malware.

One common method is adding an AccessKey to a user account. With this key, an attacker can connect through the AWS command line interface as if they were a legitimate user.

AWSDoor can create and attach these keys with a single command. Although only two keys are allowed per user, attackers can list existing keys, deactivate the unused one, and then add their own without raising suspicion.

Another stealthier IAM technique involves altering role trust policies. AWS roles use trust policies to define which entities can assume the role.

By injecting a malicious AWS account or role into the trust policy, an attacker can assume high-privilege roles from outside the organization.

AWSDoor automates the injection and confirmation steps, making it easier to backdoor trust policies. Such changes blend in with normal administrative actions, so defenders must monitor all policy updates closely.

Beyond IAM, cloud services like Lambda functions and EC2 instances offer other persistence options. AWSDoor can create or update Lambda functions with hidden backdoors.

Attackers may attach malicious code directly or hide it inside Lambda layers, which are separate packages not shown in the main function view.

Each time the function runs, the hidden code executes. This allows the attacker to avoid detection unless defenders manually inspect layer contents.

On EC2 instances, AWSDoor leverages AWS Systems Manager to install reverse SSH tunnels. This uses the SSM agent to upload an SSH key and create a proxy that lets attackers tunnel back into the network at will.

The tunnel can run as a background service, making it hard to spot. Persistence on instances is effective because it relies on built-in AWS management features rather than external tools.

Defending against AWSDoor requires strong monitoring of AWS logs and configurations. AWS CloudTrail records all API calls, including IAM policy changes, Lambda deployments, and Systems Manager sessions.

(Figure: Information about the AccessKey has been used)

Security teams should set up alerts for unusual trust policy updates, the creation of new AccessKeys, and attachments of Lambda layers.
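An added example (not from the article or from AWSDoor) of the alerting logic described above: a small Python triage over constructed CloudTrail-shaped records that flags new access keys, trust policy updates that introduce principals outside an allowlisted set of accounts, Lambda layer attachments, and Systems Manager sessions. The CloudTrail field names and the allowlist are assumptions.

```python
import json

# Assumption: account IDs that may legitimately appear in role trust policies (constructed).
TRUSTED_ACCOUNTS = {"111111111111"}

def principal_accounts(policy_doc):
    """Return account IDs (or '*') referenced by the AWS Principal entries of a trust policy."""
    found = set()
    for stmt in policy_doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        values = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        for value in [values] if isinstance(values, str) else values:
            if value == "*":
                found.add("*")
            elif value.startswith("arn:aws:iam::"):
                found.add(value.split(":")[4])   # arn:aws:iam::ACCOUNT:...
            elif value.isdigit():
                found.add(value)
    return found

def triage_event(event):
    """Return finding strings for one CloudTrail record; an empty list means nothing to alert on."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    findings = []
    if name == "CreateAccessKey":
        findings.append(f"new access key created for user {params.get('userName')}")
    elif name == "UpdateAssumeRolePolicy":
        doc = json.loads(params.get("policyDocument", "{}"))
        foreign = principal_accounts(doc) - TRUSTED_ACCOUNTS   # anything not allowlisted
        if foreign:
            findings.append(f"role {params.get('roleName')} now trusts {sorted(foreign)}")
    elif name.startswith("UpdateFunctionConfiguration") and params.get("layers"):
        findings.append(f"layers attached to {params.get('functionName')}: {params['layers']}")
    elif name == "StartSession" and event.get("eventSource") == "ssm.amazonaws.com":
        findings.append(f"SSM session started to {params.get('target')}")
    return findings

# Constructed sample records in CloudTrail's JSON shape (field names are assumptions).
SAMPLE_EVENTS = [
    {"eventName": "UpdateAssumeRolePolicy", "requestParameters": {"roleName": "AdminRole",
     "policyDocument": json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::999999999999:user/backdoor"]}}]})}},
    {"eventName": "CreateAccessKey", "requestParameters": {"userName": "svc-deploy"}},
    {"eventName": "ListAccessKeys", "requestParameters": {}},
]

def triage_all(events):
    return [finding for event in events for finding in triage_event(event)]
```

Run over SAMPLE_EVENTS the triage reports the foreign account added to AdminRole and the new key for svc-deploy, and ignores the read-only ListAccessKeys call.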

AWS Config can enforce rules to flag policies using wildcard or NotAction statements, which often indicate rogue privileges.

Regular audits of IAM users, roles, and serverless functions help catch unauthorized changes before they can be exploited. Eliminating the use of long-term AccessKeys in favor of AWS Single Sign-On reduces the attack surface.

(Figure: Lambda persistence deployment)

Restricting permissions for AWS Config, CloudTrail, and GuardDuty ensures attackers cannot disable logging or alerting services.

As cloud environments grow in scale and complexity, tools like AWSDoor make it easier for attackers to hide in plain sight.

By combining continuous monitoring, least-privilege practices, and automated compliance checks, organizations can reduce their risk and detect persistence techniques before they lead to major breaches.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.