Unexpected AWS API calls indicating Autoscaling group change

ID: aws_autoscaling_group_changed_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1496

Description

AlphaSOC detected modifications to AWS Auto Scaling groups through the CreateAutoScalingGroup, UpdateAutoScalingGroup, or DeleteAutoScalingGroup actions. While legitimate administrators use these actions to manage infrastructure, threat actors exploit Auto Scaling to launch cryptomining operations, increase compute capacity for resource hijacking, or disrupt services by deleting critical groups. This detection identifies changes performed from unusual locations, with unfamiliar user agents, or in unexpected regions.

Impact

Unauthorized changes to Auto Scaling groups can lead to significant security and operational consequences. Threat actors may create or modify Auto Scaling groups to spawn numerous EC2 instances for cryptomining or distributed denial-of-service attacks, resulting in substantial unexpected cloud costs. Modifications to existing groups could alter launch configurations to deploy backdoored instances, enabling persistence and lateral movement within the environment. Deletion of Auto Scaling groups can cause service disruptions and impact application availability, potentially leading to business continuity issues.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent, or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to identify the specific Auto Scaling action performed (CreateAutoScalingGroup, UpdateAutoScalingGroup, or DeleteAutoScalingGroup) and examine the responsible IAM user or role. Verify the source IP address, ASN, and user agent to determine if the activity originated from an expected location and tool. Check the Auto Scaling group configuration changes, including instance types, desired capacity, and launch template modifications. If the activity is unauthorized, immediately revoke the associated IAM credentials and rotate access keys. Terminate any unauthorized EC2 instances launched by compromised Auto Scaling groups and restore or delete modified groups as appropriate. Review IAM policies to ensure the principle of least privilege is enforced for Auto Scaling permissions.
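As an added example (not AlphaSOC's own detection code, and not part of this page), the Python script below applies the triage steps above to a CloudTrail export: it keeps only the three Auto Scaling actions, pulls out the principal, source IP, ASN, user agent, region and target group that an analyst checks first, and scores each change with the same count-of-unexpected-properties rule as the severity table (one property unexpected is Informational, two is Low, three or more is Medium). The baseline, the IP-to-ASN map and the log records are all constructed for the example; in practice the baseline is learned from account history and the ASN comes from an enrichment lookup.

```python
"""Triage CloudTrail Auto Scaling group changes against an expected baseline.

Added example, not AlphaSOC's detection code. Each record is scored on the four
properties the detection considers (action, ASN, user agent, region); the number
of unexpected ones maps to the severity tiers. Baseline, ASN map and sample
records are constructed for illustration.
"""
import json
from typing import Dict, List, Optional

AUTOSCALING_EVENTS = {"CreateAutoScalingGroup", "UpdateAutoScalingGroup", "DeleteAutoScalingGroup"}

# Constructed baseline; a real deployment would derive it from account history.
BASELINE = {
    "actions": {"UpdateAutoScalingGroup"},      # routine capacity changes only
    "asns": {"AS16509"},                        # ASN of the expected egress addresses
    "user_agents": {"aws-cli/", "terraform"},   # expected tooling, matched as substrings
    "regions": {"us-east-1"},
}
# Constructed IP -> ASN map standing in for a real enrichment source.
ASN_LOOKUP: Dict[str, str] = {"203.0.113.10": "AS16509"}

# Constructed CloudTrail export, same top-level shape as a delivered log file, trimmed to relevant fields.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "UpdateAutoScalingGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"autoScalingGroupName": "web-asg", "desiredCapacity": 4}},
    {"eventName": "CreateAutoScalingGroup", "awsRegion": "ap-southeast-1", "sourceIPAddress": "198.51.100.77",
     "userAgent": "Boto3/1.34.0 Python/3.11", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"autoScalingGroupName": "tmp-asg", "desiredCapacity": 50}},
    {"eventName": "DeleteAutoScalingGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "terraform/1.6.0", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"autoScalingGroupName": "web-asg"}},
    {"eventName": "UpdateAutoScalingGroup", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (console)", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"autoScalingGroupName": "web-asg", "desiredCapacity": 12}},
    {"eventName": "DescribeAutoScalingGroups", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]})


def load_records(text: str) -> List[dict]:
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def unexpected_properties(event: dict, baseline: dict, asn_lookup: Dict[str, str]) -> List[str]:
    """Return the names of the properties of one record that fall outside the baseline."""
    flags = []
    if event.get("eventName") not in baseline["actions"]:
        flags.append("action")
    asn = asn_lookup.get(event.get("sourceIPAddress", ""), "unknown")
    if asn not in baseline["asns"]:
        flags.append("asn")
    ua = event.get("userAgent", "")
    if not any(known in ua for known in baseline["user_agents"]):
        flags.append("user_agent")
    if event.get("awsRegion") not in baseline["regions"]:
        flags.append("region")
    return flags


def severity_for(flags: List[str]) -> Optional[str]:
    """Map the count of unexpected properties to the severity tiers; None means no finding."""
    if len(flags) >= 3:
        return "Medium"
    return {0: None, 1: "Informational", 2: "Low"}[len(flags)]


def triage(records: List[dict], baseline: dict = BASELINE,
           asn_lookup: Optional[Dict[str, str]] = None) -> List[dict]:
    """Summarise each Auto Scaling group change with the fields an analyst reviews first."""
    asn_lookup = asn_lookup or {}
    findings = []
    for rec in records:
        if rec.get("eventName") not in AUTOSCALING_EVENTS:
            continue  # reads such as DescribeAutoScalingGroups are out of scope
        flags = unexpected_properties(rec, baseline, asn_lookup)
        ident = rec.get("userIdentity", {})
        findings.append({
            "eventName": rec["eventName"],
            "principal": ident.get("arn", ident.get("type", "unknown")),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "asn": asn_lookup.get(rec.get("sourceIPAddress", ""), "unknown"),
            "userAgent": rec.get("userAgent"),
            "awsRegion": rec.get("awsRegion"),
            "groupName": (rec.get("requestParameters") or {}).get("autoScalingGroupName"),
            "unexpected": flags,
            "severity": severity_for(flags),
        })
    return findings


SAMPLE_FINDINGS = triage(load_records(SAMPLE_CLOUDTRAIL), BASELINE, ASN_LOOKUP)

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{str(f['severity']):13} {f['eventName']:23} {f['groupName']:8} "
              f"{f['principal']} via {f['sourceIPAddress']} ({f['asn']}) "
              f"in {f['awsRegion']} unexpected={f['unexpected']}")
```

The constructed export yields one record with no finding (routine update from expected tooling and region), one Medium (a new group created from an unknown ASN, an unfamiliar SDK user agent and an unused region), one Informational (a deletion, unexpected only by action) and one Low (an update from the console in an unused region). Changes to desired capacity and launch settings are carried in requestParameters, so extending the summary with those fields is the natural next step when reviewing a Medium finding.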

Further Reading