Use of AWS APIs by a likely malicious caller

ID: aws_malicious_caller_likely
Data type: AWS CloudTrail
Severity: Informational - High
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC found that an AWS API operation within the environment was initiated from a client IP address that is known to be malicious. This indicates potential unauthorized access to AWS resources using compromised credentials or exploitation of misconfigurations. Threat actors often use known malicious IP addresses to interact with cloud services, attempting to gain access, escalate privileges, or exfiltrate data. AlphaSOC curates and maintains threat intelligence used to identify malicious IP addresses, including blocklists from open sources and commercial partners, and maps of anonymizing circuit infrastructure, such as Tor and I2P exit nodes.

Impact

Malicious IP callers may gain unauthorized access to sensitive information, leading to data breaches. The threat actor may be able to view, modify, or delete sensitive data, create or manipulate resources, escalate privileges, or use AWS services for malicious purposes such as cryptomining or launching further attacks.

Severity

Severity        Condition
Informational   A potentially malicious IP address has been identified
Low             Unexpected action, user agent or region associated with a malicious IP address
High            A malicious IP address not associated with AWS IP address space
High            Two or more unexpected properties associated with a malicious IP address
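To make the grading concrete, the following is an added Python example (not AlphaSOC's code) that applies the severity table above to constructed CloudTrail records. The blocklist, the AWS prefix list, the per-principal baseline of expected actions, user agents and regions, and the order in which the table rows are checked are all assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample data (TEST-NET addresses, a fake account ARN); not real indicators.
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.9"}
AWS_IP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for the published AWS prefixes
ALICE = "arn:aws:iam::123456789012:user/alice"
BASELINE = {ALICE: {"actions": {"ListBuckets", "GetObject"},  # what alice is normally seen doing
                    "user_agents": {"aws-cli/2.15.0"}, "regions": {"us-east-1"}}}

def in_aws_space(ip):
    return any(ipaddress.ip_address(ip) in net for net in AWS_IP_RANGES)

def grade_event(event):
    """Apply the severity table to one CloudTrail record; None if the caller IP is not blocklisted."""
    ip = event.get("sourceIPAddress", "")
    if ip not in MALICIOUS_IPS:
        return None
    base = BASELINE.get(event.get("userIdentity", {}).get("arn"), {})
    checks = (("action", "actions", "eventName"),
              ("user_agent", "user_agents", "userAgent"),
              ("region", "regions", "awsRegion"))
    unexpected = [n for n, key, field in checks if event.get(field) not in base.get(key, set())]
    if not in_aws_space(ip):          # High: malicious IP outside AWS address space
        return "High", ["non_aws_ip"] + unexpected
    if len(unexpected) >= 2:          # High: two or more unexpected properties
        return "High", unexpected
    if unexpected:                    # Low: one unexpected action, user agent or region
        return "Low", unexpected
    return "Informational", []        # Informational: blocklisted IP, nothing else unusual

def grade_cloudtrail(lines):
    """Parse JSON-lines CloudTrail records; return (eventID, severity, reasons) for flagged calls."""
    out = []
    for event in map(json.loads, lines):
        graded = grade_event(event)
        if graded:
            out.append((event.get("eventID"),) + graded)
    return out

def _rec(eid, ip, name, ua, region, arn=ALICE):  # builds one constructed record
    return json.dumps({"eventID": eid, "sourceIPAddress": ip, "eventName": name,
                       "userAgent": ua, "awsRegion": region, "userIdentity": {"arn": arn}})

SAMPLE_LINES = [_rec("e1", "198.51.100.9", "ListBuckets", "aws-cli/2.15.0", "us-east-1"),
                _rec("e2", "198.51.100.9", "ListBuckets", "aws-cli/2.15.0", "eu-west-1"),
                _rec("e3", "203.0.113.7", "ListBuckets", "aws-cli/2.15.0", "us-east-1"),
                _rec("e4", "198.51.100.9", "DeleteBucket", "curl/8.0", "us-east-1"),
                _rec("e5", "192.0.2.1", "ListBuckets", "aws-cli/2.15.0", "us-east-1")]
```

A principal with no baseline entry has every property counted as unexpected, so an unknown caller from a blocklisted IP lands at High even inside AWS address space.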

Audit and Remediation

You should implement a graduated response strategy based on alert severity. For low-severity alerts, monitor the flagged IP address continuously and maintain detailed activity logs for future analysis. For medium-severity incidents, investigate user activities and associated IP addresses comprehensively, and isolate potentially compromised resources immediately. In high-severity scenarios, block the IP address immediately, activate incident response protocols, and contain the threat. Throughout all severity levels, document all actions clearly and establish communication channels with relevant stakeholders to coordinate response efforts effectively.

Known False Positives

  • An employee accessing company resources from a new or unexpected location
  • A sudden increase in data usage by a legitimate user
  • Temporary IP address reassignment by internet service providers