Use of AWS APIs by a likely malicious caller
Description
AlphaSOC found that an AWS API operation within the environment was initiated from a client IP address that is known to be malicious. This indicates potential unauthorized access to AWS resources using compromised credentials or exploitation of misconfigurations. Threat actors often use known malicious IP addresses to interact with cloud services, attempting to gain access, escalate privileges, or exfiltrate data. AlphaSOC curates and maintains threat intelligence used to identify malicious IP addresses, including blocklists from open sources and commercial partners, and maps of anonymizing circuit infrastructure, such as Tor and I2P exit nodes.
Impact
Malicious IP callers may gain unauthorized access to sensitive information, leading to data breaches. The threat actor may be able to view, modify, or delete sensitive data, create or manipulate resources, escalate privileges, or use AWS services for malicious purposes such as cryptomining or launching further attacks.
Severity
Severity | Condition |
---|---|
Informational | A potentially malicious IP address has been identified |
Low | Unexpected action, user agent or region associated with a malicious IP address |
High | A malicious IP address not associated with AWS IP address space |
High | Two or more unexpected properties associated with a malicious IP address |
Audit and Remediation
You should implement a graduated response strategy based on alert severity. For low-severity alerts, monitor the flagged IP address continuously and maintain detailed activity logs for future analysis. For medium-severity incidents, investigate user activities and associated IP addresses comprehensively, and isolate potentially compromised resources immediately. In high-severity scenarios, block the IP address immediately, activate incident response protocols, and contain the threat. Throughout all severity levels, document all actions clearly and establish communication channels with relevant stakeholders to coordinate response efforts effectively.
Known False Positives
- An employee accessing company resources from a new or unexpected location
- A sudden increase in data usage by a legitimate user
- Temporary IP address reassignment by internet service providers