AWS Elastic IP address transfer to an unknown external account
Description
AlphaSOC detected the transfer of an AWS Elastic IP (EIP) address to an unknown external account. EIP addresses are static public IPv4 addresses designed for dynamic cloud computing. Transferring these addresses to unknown accounts may indicate that threat actors are attempting to acquire infrastructure that can be used in an attack.
Impact
Threat actors can associate an EIP with an EC2 instance to host command and control (C2) servers or malicious websites, such as phishing pages or fake login forms.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Elastic IP address transfer to an unknown external account |
Investigation and Remediation
Review the AWS CloudTrail logs to identify the user or role responsible for the transfer. Rotate the credentials of the account responsible for the transfer, and verify that no unauthorized accounts have been added to your organization or granted permissions to perform actions such as EIP transfers.
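One way to carry out the CloudTrail review described above, as an added example that is not AlphaSOC's detection code: the script below reads a CloudTrail export, keeps the EC2 `EnableAddressTransfer` calls whose destination account is not in an allowlist of organization accounts, and reports the principal that made each call. The records are constructed for illustration, the `ORG_ACCOUNTS` allowlist is an assumption, and the nesting of the request parameters under `EnableAddressTransferRequest` is an assumption about how CloudTrail records this API call; adjust the `_transfer_params` helper if your logs differ.

```python
import json
from typing import Iterable

# Constructed CloudTrail records for illustration (not real log data). The
# nesting of requestParameters under "EnableAddressTransferRequest" is an
# assumption about the CloudTrail shape of this EC2 API call.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # transfer to an account that belongs to the organization: expected
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "EnableAddressTransfer",
        "awsRegion": "us-east-1",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"EnableAddressTransferRequest": {
            "AllocationId": "eipalloc-0a1b2c3d4e5f60001",
            "TransferAccountId": "222222222222"}},
    },
    {   # transfer to an account outside the organization: should be flagged
        "eventTime": "2024-05-01T11:02:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "EnableAddressTransfer",
        "awsRegion": "eu-west-1",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"},
        "requestParameters": {"EnableAddressTransferRequest": {
            "AllocationId": "eipalloc-0a1b2c3d4e5f60002",
            "TransferAccountId": "999999999999"}},
    },
    {   # same external target, but the call was denied by IAM: still reported,
        # marked as a failed attempt so the responsible principal is reviewed
        "eventTime": "2024-05-01T11:03:30Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "EnableAddressTransfer",
        "awsRegion": "eu-west-1",
        "recipientAccountId": "111111111111",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"EnableAddressTransferRequest": {
            "AllocationId": "eipalloc-0a1b2c3d4e5f60003",
            "TransferAccountId": "999999999999"}},
    },
    {   # unrelated EC2 read call: ignored
        "eventTime": "2024-05-01T11:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeAddresses",
        "awsRegion": "eu-west-1",
        "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {},
    },
]})

# Account IDs that belong to the organization (constructed allowlist;
# in practice populate this from AWS Organizations).
ORG_ACCOUNTS = frozenset({"111111111111", "222222222222"})


def _transfer_params(record: dict) -> dict:
    """Return the EnableAddressTransfer parameters whether CloudTrail nested
    them under the request wrapper or left them flat."""
    params = record.get("requestParameters") or {}
    return params.get("EnableAddressTransferRequest", params)


def find_external_eip_transfers(cloudtrail_json: str,
                                org_accounts: Iterable[str]) -> list[dict]:
    """Return one finding per EnableAddressTransfer call whose destination
    account is not in org_accounts, including the responsible principal and
    whether the call succeeded (a denied call has an errorCode)."""
    known = set(org_accounts)
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "EnableAddressTransfer":
            continue
        params = _transfer_params(rec)
        target = str(params.get("TransferAccountId", ""))
        if not target or target in known:
            continue
        findings.append({
            "event_time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "source_account": rec.get("recipientAccountId"),
            "target_account": target,
            "allocation_id": params.get("AllocationId"),
            "actor_arn": (rec.get("userIdentity") or {}).get("arn"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_eip_transfers(SAMPLE_CLOUDTRAIL, ORG_ACCOUNTS):
        status = "TRANSFERRED" if f["succeeded"] else "ATTEMPTED (denied)"
        print(f"{f['event_time']} {f['region']} {status}: {f['allocation_id']} "
              f"-> account {f['target_account']} by {f['actor_arn']}")
```

Each finding names the `actor_arn` whose credentials should be rotated and the `target_account` to check against your organization's membership; denied attempts are kept because a principal trying and failing to move an EIP is still worth reviewing.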
Known False Positives
- Authorized EIP transfer during account restructuring or migration