AWS API calls by a likely malicious caller
Description
AlphaSOC found that an AWS API operation within the environment was initiated from a client IP address that is known to be malicious. This indicates potential unauthorized access to AWS resources using compromised credentials or exploitation of misconfigurations. Threat actors often use known malicious IP addresses to interact with cloud services, attempting to gain access, escalate privileges, or exfiltrate data. AlphaSOC curates and maintains threat intelligence used to identify malicious IP addresses, including blocklists from open sources and commercial partners, and maps of anonymizing circuit infrastructure, such as Tor and I2P exit nodes.
Impact
Malicious IP callers may gain unauthorized access to sensitive information, leading to data breaches. The adversary may be able to view, modify, or delete sensitive data, create or manipulate resources, escalate privileges, or use AWS services for malicious purposes such as cryptomining or launching further attacks.
Severity
| Severity | Condition |
|---|---|
| Informational | A potentially malicious IP address has been identified |
| Low | Unexpected action, user agent or region associated with a malicious IP address |
| High | A malicious IP address not associated with AWS IP address space |
| High | Two or more unexpected properties at the same time |
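The following is an added example, not AlphaSOC's own detection code: it applies the severity tiering from the table above to constructed CloudTrail-style records. The blocklist, the AWS address range and the per-account baseline are all made-up sample values; a real deployment would substitute curated threat intelligence and the AWS ranges published in ip-ranges.json.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample feeds (not AlphaSOC's data): a real deployment would load
# a curated blocklist and the AWS ranges from the published ip-ranges.json.
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}
AWS_RANGES = [ip_network("198.51.100.0/24")]
# Hypothetical per-account baseline of expected actions, agents and regions.
BASELINE = {
    "actions": {"DescribeInstances", "ListBuckets", "GetObject"},
    "user_agents": {"aws-cli/2.15.0"},
    "regions": {"us-east-1"},
}

def in_aws_space(ip):
    return any(ip_address(ip) in net for net in AWS_RANGES)

def assess(event, baseline=BASELINE):
    """Rate one CloudTrail record; None when the caller IP is not on the list."""
    ip = event.get("sourceIPAddress", "")
    if ip not in MALICIOUS_IPS:  # also skips service callers such as "ec2.amazonaws.com"
        return None
    unexpected = [prop for key, prop in (("eventName", "actions"),
                                          ("userAgent", "user_agents"),
                                          ("awsRegion", "regions"))
                  if event.get(key) not in baseline[prop]]
    # Highest matching row of the severity table wins.
    if len(unexpected) >= 2:
        return "High", unexpected
    if not in_aws_space(ip):
        return "High", ["non_aws_ip"] + unexpected
    if unexpected:
        return "Low", unexpected
    return "Informational", []

# Constructed CloudTrail-style records (real field names, made-up values).
SAMPLE_LOG = """
{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1"}
{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "userAgent": "python-requests/2.31", "awsRegion": "us-east-1"}
{"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1"}
{"eventName": "CreateUser", "sourceIPAddress": "203.0.113.7", "userAgent": "python-requests/2.31", "awsRegion": "eu-west-3"}
{"eventName": "GetObject", "sourceIPAddress": "192.0.2.50", "userAgent": "aws-cli/2.15.0", "awsRegion": "us-east-1"}
"""

def triage(log_text):
    """[(severity, reasons)] for each alerting record in a newline-delimited log."""
    verdicts = (assess(json.loads(line)) for line in log_text.strip().splitlines())
    return [v for v in verdicts if v]
```

The last sample record never alerts because its caller IP is not on the blocklist, which is the same reason genuine service-principal callers (whose sourceIPAddress is a hostname) are skipped.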
Audit and Remediation
Investigate the user's activities and the associated IP addresses, and isolate potentially compromised resources. Verify whether the activity is authorized. If malicious activity is confirmed, block the IP address immediately, activate incident response protocols, and contain the threat. Document all actions clearly and establish communication channels with relevant stakeholders to coordinate the response effectively.
Known False Positives
- An employee accessing company resources from a new or unexpected location
- A sudden increase in data usage by a legitimate user
- Temporary IP address reassignment by internet service providers