List of Insights

This page covers the total list of insights TotalCloud offers, its overview, and mitigation steps as viewed in the application.

Public VM with TruRisk score > 800

Affected Control ID: CID 5000

Overview

Identifying a public VM with a TruRisk score over 800 indicates substantial security concerns and potential threat exposure. Immediate action is crucial to mitigate risks and enhance security.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed risk assessment to understand the specific vulnerabilities and weaknesses contributing to the elevated TruRisk score.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Develop a remediation plan to address the identified vulnerabilities systematically. Implement controls and measures to mitigate risks effectively.

Port scan on public VM with a critical exploitable vulnerability

Affected Control ID: CID 5001

Overview

Detecting a port scan on a public VM with a critical exploitable vulnerability indicates potential reconnaissance by malicious actors. Swift intervention is essential to mitigate the risk of exploitation and prevent unauthorized access.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Analyze the results of the port scan to identify the source, scope, and intent of the reconnaissance activity. Look for patterns indicative of targeted exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Public VM with confirmed vulnerability type

Affected Control ID: CID 5002

Overview

The identification of a confirmed vulnerability on a public VM signifies a pressing security risk, potentially leading to unauthorized access, data breaches, or system compromise. Urgent action is essential to address this threat effectively.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

SSH brute-forcing on a public VM with critical/high vulnerabilities

Affected Control ID: CID 5003

Overview

SSH brute-forcing on a public VM with critical or high vulnerabilities indicates potential unauthorized access attempts and exploitation of security weaknesses. Swift action is crucial to mitigate risks and prevent further compromise.

Mitigation

•    Immediately disconnect the affected VM from the network to halt ongoing brute-force attempts and prevent further unauthorized access.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Analyze authentication logs to identify the source and frequency of SSH login attempts. Look for patterns indicative of brute-force attacks, such as multiple failed login attempts from the same IP address.
•    Configure rate limiting measures for SSH authentication to limit the number of login attempts allowed within a certain timeframe, effectively mitigating brute-force attacks.
•    Enforce strong password policies for SSH authentication, including the use of complex passwords and regular password changes, to thwart brute-force attempts.
•    Disable password-based authentication for SSH and enforce the use of SSH key authentication, which provides a more secure method of authentication and is not vulnerable to brute-force attacks.
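The authentication-log review described above (multiple failed logins from one source inside a short window, followed by a successful password login) can be automated. The following is an added example, not part of the TotalCloud documentation; the sshd log lines are constructed sample data and the 5-failures-per-60-seconds threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (not real data). The year is
# absent in this format, so timestamps are only compared relative to each other.
SAMPLE_AUTH_LOG = """\
Mar 12 10:01:02 vm1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 12 10:01:04 vm1 sshd[2203]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar 12 10:01:05 vm1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51238 ssh2
Mar 12 10:01:07 vm1 sshd[2207]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 12 10:01:09 vm1 sshd[2209]: Failed password for invalid user oracle from 198.51.100.7 port 51242 ssh2
Mar 12 10:01:11 vm1 sshd[2211]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2
Mar 12 10:05:30 vm1 sshd[2250]: Failed password for alice from 203.0.113.9 port 40011 ssh2
Mar 12 10:05:40 vm1 sshd[2252]: Accepted password for alice from 203.0.113.9 port 40012 ssh2
Mar 12 10:20:00 vm1 sshd[2300]: Failed password for root from 198.51.100.7 port 51300 ssh2
Mar 12 10:20:01 vm1 sshd[2301]: Accepted password for root from 198.51.100.7 port 51301 ssh2
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip> port <n>" and
# "Accepted <method> for <user> from <ip> port <n>" messages that OpenSSH logs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log_text):
    """Extract sshd authentication outcomes (failed/accepted) from syslog lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication outcome, or not an sshd line at all
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "failed": m.group("result") == "Failed",
            "method": m.group("method"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    Also records whether such a source later logged in with a password: that is
    the case that needs immediate investigation, not just rate limiting.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    report = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = report.setdefault(ev["ip"], {
            "peak_failures_in_window": 0,
            "total_failures": 0,
            "users_tried": set(),
            "password_success_after_failures": False,
        })
        if ev["failed"]:
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop failures that aged out of the window
                q.popleft()
            rec["total_failures"] += 1
            rec["users_tried"].add(ev["user"])
            rec["peak_failures_in_window"] = max(rec["peak_failures_in_window"], len(q))
        elif ev["method"] == "password" and rec["total_failures"] > 0:
            rec["password_success_after_failures"] = True
    return {ip: r for ip, r in report.items() if r["peak_failures_in_window"] >= threshold}


if __name__ == "__main__":
    for ip, rec in find_bruteforce_sources(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, rec)
```

A source with `password_success_after_failures` set should be treated as a likely compromised account, which moves the response from rate limiting to credential reset and host investigation.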

Malware detection on a public VM with misconfigurations and vulnerabilities

Affected Control ID: CID 5004

Overview

Identifying malware on a public VM with misconfigurations and vulnerabilities indicates a significant security breach. Swift intervention is essential to contain the threat, remediate the vulnerabilities, and mitigate potential damage.

Mitigation

•    Immediately disconnect the infected public VM from the network to prevent the spread of malware to other systems or devices.
•    Quarantine the infected VM to prevent further access and ensure that it is isolated from other systems or networks.
•    Use reputable antivirus or antimalware software to scan the infected VM thoroughly and remove any detected malware or malicious files.
•    Identify and address any misconfigurations and vulnerabilities on the VM that may have facilitated the malware infection. Apply security patches and updates to remediate these vulnerabilities promptly.
•    Analyze system logs, network logs, and audit trails to determine the source and extent of the malware infection. Look for indicators of compromise (IOCs) and identify any unauthorized access or suspicious activities.
•    Conduct an analysis of the infected VM to understand how the malware gained access, its behavior, and any data exfiltration attempts. Gather evidence for investigation and remediation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Suspicious communication on public VM

Affected Control ID: CID 5005

Overview

Identifying suspicious communication on a public VM indicates potential unauthorized access or malicious activity. Immediate action is essential to investigate and mitigate any security risks.

Mitigation

•    Immediately disconnect the public VM from the network to halt any ongoing suspicious communication and prevent further compromise.
•    Analyze network logs, system logs, and firewall logs to identify the source, destination, and nature of the suspicious communication. Look for anomalies, unusual traffic patterns, or unauthorized access attempts.
•    Determine if the suspicious communication is indicative of malicious activity, such as unauthorized access attempts, data exfiltration, command and control (C2) traffic, or malware communication.
•    Conduct a thorough forensic analysis of the affected VM to determine the extent of the compromise, identify any malware or unauthorized access, and assess potential damage.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Misconfigured VM with active port scan

Affected Control ID: CID 5006

Overview

Identifying a misconfigured VM with an active port scan suggests potential security gaps and unauthorized probing of the network. Immediate action is essential to address the misconfiguration and mitigate the risk of unauthorized access or exploitation.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Analyze the results of the port scan to identify the source and scope of the scanning activity. Determine which ports were scanned and assess the potential impact on the VM and network.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Review the configuration settings of the misconfigured VM to identify any security misconfigurations or vulnerabilities that may have contributed to the unauthorized scanning activity.
•    Apply security patches and updates to the misconfigured VM to address any vulnerabilities and ensure that it is up to date with the latest security fixes.
•    Review and strengthen access controls for the misconfigured VM, including firewall rules, network segmentation, and user permissions, to restrict access and prevent unauthorized scanning activity.

Resource infected with critical/high-severity malware

Affected Control ID: CID 5007

Overview

The discovery of critical or high-severity malware on a resource poses a serious security risk that requires urgent attention. Rapid response is essential to prevent further spread and mitigate the impact on the affected system and associated infrastructure.

Mitigation

•    Immediately isolate the infected resource from the network to prevent the malware from spreading to other systems or devices.
•    Quarantine any infected files or directories to prevent the malware from executing and causing further damage. Ensure that these files are securely stored and inaccessible to other users or processes.
•    Determine the type and behavior of the malware by conducting a thorough analysis. Identify its propagation methods, persistence mechanisms, and potential impact on the system.
•    If possible, restore the infected resource from a clean backup to eliminate the malware and restore the system to a known good state. Ensure that the backup is free from malware before restoring.
•    Apply security patches and updates to the infected resource to address any vulnerabilities that may have been exploited by the malware. Patching vulnerabilities can help prevent future infections.
•    Analyze access logs and audit trails to identify the source and entry point of the malware infection. Look for any suspicious activities or unauthorized access that may have facilitated the malware intrusion.

DNS exfiltration or tunneling on public VM

Affected Control ID: CID 5008

Overview

Identifying DNS exfiltration or tunneling on a public VM suggests potential data exfiltration or unauthorized communication channels. Immediate intervention is vital to prevent data loss and unauthorized access.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Analyze DNS logs to identify the scope and extent of the exfiltration or tunneling activity. Look for patterns indicative of data exfiltration or communication with suspicious domains.
•    Conduct network forensics to understand the nature of the exfiltration or tunneling, including the type of data being transferred and the destination of the communication.
•    Implement DNS sinkholing to redirect DNS requests to controlled servers, preventing exfiltration or tunneling attempts and disrupting attacker operations.
•    Deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions to monitor for suspicious DNS activity and alert on potential exfiltration or tunneling.
•    Activate the incident response plan to coordinate response efforts, including containment, investigation, remediation
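The DNS-log review for this insight looks for query names that carry encoded data: many distinct subdomains under one domain, long high-entropy labels, and record types such as TXT or NULL that can carry large responses. The following is an added example, not part of the TotalCloud documentation; the log format, the constructed `exfil-demo.test` queries and the thresholds are assumptions, and the registrable-domain split uses the last two labels where real data would need a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real data), one query per line:
#   <timestamp> <client ip> <query type> <query name>
# exfil-demo.test uses the reserved .test TLD; its "subdomains" are hex-encoded chunks.
SAMPLE_DNS_LOG = """\
2024-03-12T10:00:01Z 10.0.1.15 A www.example.com
2024-03-12T10:00:02Z 10.0.1.15 AAAA www.example.com
2024-03-12T10:00:03Z 10.0.1.15 A api.example.com
2024-03-12T10:00:04Z 10.0.1.15 A cdn.example.com
2024-03-12T10:00:10Z 10.0.1.15 TXT 4d7a8f1e9b2c5d6e3f0a1b2c3d4e5f60.7a8b9c0d1e2f3a4b.s1.exfil-demo.test
2024-03-12T10:00:11Z 10.0.1.15 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.3a2b1c0d9e8f7a6b.s2.exfil-demo.test
2024-03-12T10:00:12Z 10.0.1.15 TXT 1f2e3d4c5b6a7988a9b8c7d6e5f40312.5c4d3e2f1a0b9c8d.s3.exfil-demo.test
2024-03-12T10:00:13Z 10.0.1.15 NULL 8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d.e1f2a3b4c5d6e7f8.s4.exfil-demo.test
2024-03-12T10:00:14Z 10.0.1.15 TXT c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.b9a8c7d6e5f4a3b2.s5.exfil-demo.test
2024-03-12T10:00:15Z 10.0.1.15 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.d4c3b2a1f0e9d8c7.s6.exfil-demo.test
2024-03-12T10:00:20Z 10.0.1.15 A mail.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded data scores close to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Naive (registrable domain, subdomain) split on the last two labels.
    Assumption: real data needs a public-suffix list to handle names like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_dns_log(text):
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        ts, client, qtype, qname = parts
        queries.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname})
    return queries


def domain_stats(queries):
    """Per registrable domain: distinct subdomains, their mean length and entropy,
    and the share of TXT/NULL queries (record types commonly abused for tunneling)."""
    subs = defaultdict(set)
    totals = defaultdict(lambda: {"queries": 0, "txt_null": 0})
    for q in queries:
        dom, sub = split_qname(q["qname"])
        subs[dom].add(sub)
        totals[dom]["queries"] += 1
        if q["qtype"] in ("TXT", "NULL"):
            totals[dom]["txt_null"] += 1
    stats = {}
    for dom, s in subs.items():
        uniq = [x for x in s if x]  # ignore the bare apex name
        stats[dom] = {
            "queries": totals[dom]["queries"],
            "unique_subdomains": len(uniq),
            "mean_subdomain_len": sum(map(len, uniq)) / len(uniq) if uniq else 0.0,
            "mean_entropy": sum(map(shannon_entropy, uniq)) / len(uniq) if uniq else 0.0,
            "txt_null_ratio": totals[dom]["txt_null"] / totals[dom]["queries"],
        }
    return stats


def flag_tunneling(stats, min_unique=5, max_mean_len=30.0, max_entropy=3.5, max_txt_null_ratio=0.5):
    """Domains queried with many distinct subdomains that also look like encoded data."""
    flagged = {}
    for dom, s in stats.items():
        if s["unique_subdomains"] < min_unique:
            continue  # a handful of hostnames is normal; a tunnel needs many distinct names
        reasons = []
        if s["mean_subdomain_len"] > max_mean_len:
            reasons.append("long subdomain labels")
        if s["mean_entropy"] > max_entropy:
            reasons.append("high-entropy labels")
        if s["txt_null_ratio"] > max_txt_null_ratio:
            reasons.append("TXT/NULL-heavy record types")
        if reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_tunneling(domain_stats(parse_dns_log(SAMPLE_DNS_LOG))).items():
        print(dom, why)
```

Domains flagged this way are the candidates for the sinkholing and network-forensics steps above; CDN and cloud-provider domains also produce many distinct subdomains, so an allowlist of known services keeps the alert volume manageable.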

C2 DNS detected on VM with a critical exploitable vulnerability

Affected Control ID: CID 5010

Overview

The detection of C2 DNS activity on the VM indicates potential unauthorized communication with a malicious command and control server. Prompt intervention is crucial to prevent further compromise and mitigate potential risks.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Temporarily disable outbound DNS traffic from the VM to prevent communication with the C2 server until vulnerabilities are patched and additional security measures are implemented.
•    Analyze DNS logs to identify the source and scope of the C2 activity. Look for suspicious DNS queries, unusual domain names, or patterns indicative of C2 communication.
•    Implement DNS sinkholing to redirect malicious DNS queries to a controlled environment, preventing the VM from communicating with the C2 server and disrupting attacker operations.
•    Conduct network forensics to understand the nature of the C2 communication, including the type of commands being exchanged and any data exfiltration attempts.
•    Deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions to monitor for suspicious DNS activity and alert on potential C2 communication.

C2 HTTP/HTTPS detected on VM with a critical exploitable vulnerability

Affected Control ID: CID 5011

Overview

Detecting C2 HTTP/HTTPS activity on a VM with a critical exploitable vulnerability indicates potential unauthorized control by malicious actors. Immediate action is essential to prevent further compromise and protect sensitive data.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Temporarily disable outbound HTTP/HTTPS traffic from the VM to prevent communication with the C2 server until vulnerabilities are patched and additional security measures are implemented.
•    Analyze network logs to identify the source and scope of the C2 HTTP/HTTPS activity. Look for indicators of compromise (IOCs) and patterns to understand the extent of the threat.
•    Perform network forensics to determine the nature of the C2 communication, including the type of commands being sent and any data exfiltration attempts.
•    Deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions to monitor for suspicious activities and alert on potential C2 communication.
•    Install and update endpoint protection software on the VM to detect and block malicious activity, including C2 communication attempts.

RDP brute-forcing on Windows VM with critical/high vulnerability

Affected Control ID: CID 5012

Overview

Identifying RDP brute-forcing on a Windows VM with critical/high vulnerabilities signals a severe security threat. Swift intervention is crucial to thwart unauthorized access attempts and safeguard sensitive data.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Temporarily disable Remote Desktop Protocol (RDP) access to the Windows VM until vulnerabilities are patched and additional security measures are implemented.
•    Analyze access logs to identify the source and scope of the RDP brute-forcing activity. Look for patterns and anomalies to understand the extent of the threat.
•    Strengthen password policies by enforcing complex passwords and implementing account lockout mechanisms to deter brute-force attacks.
•    Deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions to monitor for suspicious activities and alert on potential intrusion attempts.

RDP hot account scan on Windows workload with critical vulnerability

Affected Control ID: CID 5013

Overview

RDP hot account scan on a Windows workload with a critical vulnerability indicates potential malicious activity targeting the system. Immediate action is crucial to prevent unauthorized access, exploitation of the vulnerability, and potential compromise of sensitive information.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Temporarily disable RDP access to the Windows system until the vulnerability is remediated and additional security measures are implemented.
•    Review access logs and audit trails to identify any unauthorized access attempts or suspicious activities related to the RDP hot account scan. Gather relevant information for further investigation.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Deploy advanced monitoring and intrusion detection systems to monitor network traffic, system logs, and endpoint activities for signs of ongoing malicious activity or intrusion attempts.

Public VM with no encryption on attached EBS volumes

Affected Control ID: CID 5014

Overview

The identification of a critical exploitable vulnerability on a public VM signifies a pressing security risk, potentially leading to unauthorized access, data breaches, or system compromise. Urgent action is essential to address this threat effectively.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Public VM with vulnerability detected in last 7 days

Affected Control ID: CID 5015

Overview

The recent detection of a vulnerability on a public VM indicates a potential security threat that requires immediate attention. Timely action is necessary to assess, remediate, and safeguard the VM and associated resources from exploitation or compromise.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Perform additional vulnerability scans to identify any other potential security weaknesses or exposures on the VM and associated systems.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Implement continuous monitoring of the VM and associated infrastructure to detect any suspicious activities or attempted exploits following the vulnerability detection.

Public VM with critical exploitable vulnerability and attached EBS volumes not encrypted

Affected Control ID: CID 5016

Overview

The discovery of a critical exploitable vulnerability on a public VM, coupled with unencrypted attached EBS (Elastic Block Store) volumes, presents a significant security concern. This configuration increases the risk of unauthorized access, data breaches, and potential exposure of sensitive information. Immediate action is essential to address these vulnerabilities and safeguard the integrity of the system.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Implement encryption for attached EBS volumes to protect sensitive data from unauthorized access.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Enhance monitoring and logging capabilities to detect and respond to any suspicious activities or attempted breaches in real-time. Monitor access logs, system logs, and network traffic for anomalies.

Public VM with a critical exploitable vulnerability

Affected Control ID: CID 5017

Overview

The identification of a critical exploitable vulnerability on a public VM signifies a pressing security risk, potentially leading to unauthorized access, data breaches, or system compromise. Urgent action is essential to address this threat effectively.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Malware detection on publicly exposed VM with no encryption on attached EBS volumes

Affected Control ID: CID 5018

Overview

The absence of encryption on attached EBS volumes coupled with public exposure increases the vulnerability of the VM to malware attacks, potentially leading to data breaches, system compromise, and unauthorized access.

Mitigation

•    Conduct a comprehensive malware scan on the VM and attached EBS volumes using reputable antivirus software to detect and remove any malicious software.
•    Encrypt the attached EBS volumes to protect sensitive data from unauthorized access and mitigate the risk of data breaches. AWS provides native encryption options for EBS volumes that can be easily enabled.
•    Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
•    Ensure that the operating system, software, and antivirus definitions on the VM are up-to-date with the latest security patches to mitigate known vulnerabilities and reduce the attack surface.
•    Conduct regular security audits to identify and address any security gaps or misconfigurations on the VM and associated resources.
•    Enforce strong access controls by using IAM (Identity and Access Management) policies to manage user permissions and restrict access to sensitive resources.
•    Implement monitoring tools and intrusion detection systems to detect unusual behavior or unauthorized access attempts on the VM and attached EBS volumes.
•    Implement regular backups of data stored on the EBS volumes to facilitate data recovery in case of a malware infection or data loss event.
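The condition behind CID 5014, 5016 and 5018 (a publicly reachable VM with unencrypted attached EBS volumes) can be checked from the EC2 inventory. The following is an added example, not part of the TotalCloud documentation; the instance, volume and security-group records are constructed sample data shaped like the EC2 DescribeInstances, DescribeVolumes and DescribeSecurityGroups responses (field names are the real API ones, values are made up), and "public" is taken to mean a public IP plus a security group that admits 0.0.0.0/0 or ::/0 on at least one port.

```python
from collections import defaultdict

# Constructed sample data (not real infrastructure). Instances are given as the
# flattened list that DescribeInstances nests under Reservations[].Instances[].
INSTANCES = [
    {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-0bbb222", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-restricted"}]},
    {"InstanceId": "i-0ccc333",  # no public IP: not reachable from the Internet
     "SecurityGroups": [{"GroupId": "sg-open"}]},
]
VOLUMES = [
    {"VolumeId": "vol-1", "Encrypted": False, "Attachments": [{"InstanceId": "i-0aaa111"}]},
    {"VolumeId": "vol-2", "Encrypted": True, "Attachments": [{"InstanceId": "i-0aaa111"}]},
    {"VolumeId": "vol-3", "Encrypted": False, "Attachments": [{"InstanceId": "i-0bbb222"}]},
    {"VolumeId": "vol-4", "Encrypted": False, "Attachments": [{"InstanceId": "i-0ccc333"}]},
    {"VolumeId": "vol-5", "Encrypted": False, "Attachments": []},  # detached
]
SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def open_ingress_ports(sg):
    """Port ranges (or 'all') that a security group opens to the whole Internet."""
    opened = set()
    for perm in sg.get("IpPermissions", []):
        world = (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
                 or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))
        if not world:
            continue
        if perm.get("IpProtocol") == "-1":  # EC2 encodes "all traffic" as protocol -1
            opened.add("all")
        else:
            opened.add((perm.get("FromPort"), perm.get("ToPort")))
    return opened


def find_public_instances_with_unencrypted_volumes(instances, volumes, security_groups):
    """Map instance id -> {open port ranges, unencrypted attached volume ids}."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    vols_by_instance = defaultdict(list)
    for v in volumes:
        for att in v.get("Attachments", []):
            vols_by_instance[att["InstanceId"]].append(v)

    findings = {}
    for inst in instances:
        if not inst.get("PublicIpAddress"):
            continue  # no public address, so security-group exposure is moot here
        exposed = set()
        for ref in inst.get("SecurityGroups", []):
            exposed |= open_ingress_ports(sg_by_id.get(ref["GroupId"], {}))
        if not exposed:
            continue
        plain = [v["VolumeId"] for v in vols_by_instance[inst["InstanceId"]]
                 if not v.get("Encrypted")]
        if plain:
            findings[inst["InstanceId"]] = {
                "open_to_internet": sorted(exposed, key=str),
                "unencrypted_volumes": plain,
            }
    return findings


if __name__ == "__main__":
    for iid, f in find_public_instances_with_unencrypted_volumes(
            INSTANCES, VOLUMES, SECURITY_GROUPS).items():
        print(iid, f)
```

Existing volumes cannot be encrypted in place; remediation is a snapshot, an encrypted copy of the snapshot, and a volume swap, with account-level EBS default encryption enabled so new volumes do not regress.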

Critical exploitable vulnerability on public VM with administrative privilege

Affected Control ID: CID 5019

Overview

The discovery of a critical exploitable vulnerability on a public VM with administrative privileges poses a significant risk to the system's security and integrity. Malicious actors could potentially leverage this vulnerability to gain unauthorized access, compromise sensitive data, disrupt services, or escalate privileges within the system. Prompt action is essential to mitigate the vulnerability and prevent any potential exploitation.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Restrict administrative privileges and review access policies.
•    Reset compromised passwords and enforce strong password policies.
•    Implement monitoring and logging to detect suspicious activity.

Privilege escalation risk on public VM with critical exploitable vulnerability

Affected Control ID: CID 5020

Overview

A public virtual machine (VM) with a critical exploitable vulnerability poses a severe risk of privilege escalation. If an attacker exploits this vulnerability, they could gain elevated privileges, potentially gaining full control of the VM, accessing sensitive data, compromising other systems, and executing arbitrary commands. Immediate and thorough mitigation actions are necessary to secure the VM and prevent unauthorized access and escalation.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Conduct a detailed investigation to identify the nature of the vulnerability and assess any potential exploitation.
•    Apply the latest security patches to fix the critical vulnerability on the VM.
•    Remove any unnecessary elevated permissions assigned to the VM.
•    Audit all permissions and enforce the principle of least privilege, ensuring the VM and its users have only the necessary access.
•    Change any credentials that might have been exposed or compromised.
•    Implement Multi-Factor Authentication for all accounts with access to the VM.
•    Deploy monitoring tools to detect and alert on any suspicious activities or attempts to exploit vulnerabilities.
•    Configure alerts for unauthorized access attempts and privilege escalation activities.
•    Use VPC security groups, network ACLs, and firewalls to control and limit network traffic to the VM.

Suspicious communication on public VM with full access to RDS

Affected Control ID: CID 5021

Overview

A public virtual machine (VM) with full access to Amazon RDS (Relational Database Service) shows signs of suspicious communication. This situation presents a critical security risk as attackers could exploit the VM to access, modify, or exfiltrate sensitive database information. Immediate mitigation steps are essential to secure the VM, protect the RDS instance, and prevent data breaches.

Mitigation

•    Disconnect the VM from the network to halt any suspicious activity.
•    Investigate the source and nature of the suspicious communication, and identify any potential compromise.
•    Temporarily revoke the VM’s access to the RDS instance to prevent unauthorized data manipulation.
•    Audit and apply the principle of least privilege to the VM's permissions, ensuring it only has the necessary access.
•    Change database credentials and update configurations to use new credentials to prevent misuse of compromised access.
•    Update the VM, its software, and the RDS instance with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with access to the RDS instance and the VM.
•    Deploy monitoring tools to detect and respond to any unusual activities on the VM and RDS instance.
•    Configure alerts for suspicious communications, unauthorized access attempts, and unusual database activities.
•    Apply network security measures such as VPC security groups and network ACLs to restrict traffic to and from the VM and RDS.

Critical exploitable vulnerability on public VM with destructive permissions for AWS KMS

Affected Control ID: CID 5022

Overview

A critical exploitable vulnerability has been identified on a public virtual machine (VM) that has destructive permissions for AWS Key Management Service (KMS). This poses a severe security risk, as attackers can exploit this vulnerability to delete or alter cryptographic keys, potentially leading to unauthorized data access, data loss, and the inability to decrypt essential data. Immediate action is required to mitigate this risk and protect sensitive information.

Mitigation

•    Disconnect the vulnerable VM from the network to prevent further exploitation.
•    Conduct a thorough investigation to understand the extent of the compromise and identify any actions taken by the attackers.
•    Immediately revoke the VM's destructive permissions for AWS KMS.
•    Audit all KMS permissions to ensure they follow the principle of least privilege, restricting destructive actions to only necessary roles.
•    Rotate any potentially compromised keys and re-encrypt data to ensure security.
•    Ensure the VM and its software are updated with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with access to KMS.
•    Set up centralized and immutable logging for all KMS activities to detect and prevent future tampering.
•    Deploy continuous monitoring tools to detect any suspicious activities related to KMS and other critical resources.
•    Configure alerts for unauthorized access attempts and unusual activities involving KMS.

Risk of cloud log tampering on public VM with SSH brute-forcing

Affected Control ID: CID 5023

Overview

A public virtual machine (VM) exposed to SSH brute-force attacks is at high risk of cloud log tampering. Attackers who gain access through brute-forcing can alter or delete logs to cover their tracks, making it difficult to detect and respond to security incidents. This compromises the integrity of audit trails and hampers incident response efforts. Immediate mitigation is crucial to secure the VM and ensure the reliability of cloud logs.

Mitigation

•    Disconnect the VM from the network to prevent further brute-force attempts.
•    Investigate any successful brute-force attempts and assess potential log tampering.
•    Strengthen SSH security:
     •    Use key-based authentication for SSH access.
     •    Move SSH to a non-standard port to reduce the attack surface.
     •    Configure rate limiting to block repeated SSH login attempts.
     •    Ensure that only authorized users can access the VM via SSH.
•    Configure remote logging to send logs to a centralized, immutable storage to prevent tampering.
•    Ensure the VM and all associated software are up-to-date with the latest security patches.
•    Implement Multi-Factor Authentication for all SSH logins.
•    Deploy monitoring tools to detect and alert on suspicious activities, including potential log tampering.
•    Configure alerts for unauthorized access attempts and unusual changes to log files.

Public serverless function with administrative privilege

Affected Control ID: CID 5024

Overview

A public serverless function with administrative privileges poses a significant security risk. If exploited, attackers can leverage the function's elevated permissions to gain unauthorized access, modify resources, escalate privileges, and potentially compromise the entire cloud environment. Immediate and effective mitigation is crucial to protect sensitive data and maintain the integrity of the cloud infrastructure.

Mitigation

•    Disable public access to the serverless function, then investigate any potential exploitation and assess the impact.
•    Reconfigure the function to run with the least privilege necessary for its operation.
•    Review and adjust permissions for all serverless functions to follow the principle of least privilege.
•    Ensure that the function and related dependencies are updated with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with access to serverless function configurations.
•    Deploy monitoring tools to track function invocations and detect suspicious activities.
•    Configure alerts for any unauthorized access or changes to serverless functions.

Public VM with privilege to create IAM artifacts (User, Group, Role)

Affected Control ID: CID 5025

Overview

A public virtual machine (VM) with privileges to create IAM artifacts (users, groups, roles) represents a critical security risk. If exploited, attackers could create new IAM entities with elevated privileges, leading to unauthorized access, privilege escalation, and potential compromise of the entire cloud environment.

Mitigation

•    Disconnect the vulnerable VM from the network, investigate the extent of the issue, and identify any unauthorized IAM artifacts that were created.
•    Revoke the VM's privileges to create IAM artifacts.
•    Review and delete any unauthorized users, groups, or roles that may have been created.
•    Update the VM and related software with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with IAM management permissions and restrict IAM creation permissions to only necessary roles.
•    Deploy tools to monitor IAM changes in real-time and configure alerts for the creation of new IAM artifacts.

Security group tampering risk on public and vulnerable VM with 'write' permission over security groups

Affected Control ID: CID 5026

Overview

A significant security risk has been identified where a public and vulnerable virtual machine (VM) has 'write' permissions over security groups. This vulnerability can be exploited by attackers to modify security group rules, potentially allowing unauthorized access to network resources, bypassing existing security measures, and compromising critical systems and data.

Mitigation

•    Disconnect the infected VM from the network, investigate how the VM was compromised, and assess the extent of the tampering.
•    Revoke 'write' permissions from the vulnerable VM over security groups.
•    Audit and revert any unauthorized changes to security group rules.
•    Ensure the VM and associated software are updated with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts managing security groups and restrict permissions to only those necessary for each role.

Malware detected on public and vulnerable VM with risky credential exposure permission

Affected Control ID: CID 5027

Overview

Malware detected on a public, vulnerable VM that also holds permissions exposing credentials poses a significant security threat: the malware can use those exposed credentials to gain unauthorized access, escalate privileges, and potentially compromise sensitive data and critical cloud resources. Immediate and effective mitigation is essential to contain the threat and prevent further damage.

Mitigation

•    Disconnect the infected VM from the network and investigate the extent and entry point of the malware.
•    Clean the VM using trusted anti-malware tools.
•    Update the VM and software with the latest security patches.
•    Revoke and rotate any exposed or compromised credentials.
•    Implement Multi-Factor Authentication for all accounts and limit permissions to the minimum necessary.
•    Replace static credentials with managed identities where possible.
•    Deploy tools for real-time monitoring and anomaly detection.

IAM user with privilege escalation or administrative privilege has console access with MFA not enabled

Affected Control ID: CID 5028

Overview

IAM users with privilege escalation or administrative privileges who have console access without MFA (Multi-Factor Authentication) enabled pose a significant security risk. This vulnerability can be exploited by attackers to gain unauthorized access, escalate privileges, and potentially compromise critical cloud resources and data.

Mitigation

•    Activate Multi-Factor Authentication (MFA) for all IAM users with privilege escalation or administrative privileges.
•    Regularly audit and minimize administrative privileges following the principle of least privilege.
•    Implement continuous monitoring and alerts for unauthorized access attempts and privilege escalations.
•    Conduct security awareness training, focusing on the importance of MFA and safe access practices.
•    Conduct regular reviews of IAM user access, deactivating unnecessary accounts and access keys.

Public VM with data destructive permissions  

Affected Control ID: CID 5029

Overview

A public virtual machine (VM) with data destructive permissions poses a critical security risk. If an attacker gains access, they could delete or corrupt essential data, leading to significant data loss, operational disruptions, and potential financial and reputational damage. Immediate and comprehensive mitigation steps are necessary to secure the VM and protect data integrity.

Mitigation

•    Disconnect the VM from the network to prevent further access.
•    Conduct an investigation to understand any malicious activity and assess the extent of the potential damage.
•    Remove the VM's data destructive permissions immediately.
•    Audit all permissions assigned to the VM and enforce the principle of least privilege, ensuring it only has necessary access.
•    Ensure all critical data is backed up regularly and securely stored in multiple locations.
•    Update the VM and all associated software with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with permissions to perform destructive actions.
•    Deploy tools to monitor all activities on the VM and associated data repositories for signs of suspicious behavior.
•    Configure alerts for any unauthorized access attempts or activities involving data deletion or modification.
•    Use VPC security groups, network ACLs, and firewalls to restrict network traffic to and from the VM.

Public VM with elastic IP hijacking permissions 

Affected Control ID: CID 5030

Overview

A public virtual machine (VM) with permissions to hijack Elastic IP addresses poses a significant security risk. If exploited, attackers can reassign Elastic IPs to their own resources, intercepting network traffic and potentially gaining unauthorized access to services and sensitive data. Immediate mitigation actions are essential to secure the VM and prevent unauthorized manipulation of network configurations.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Investigate any suspicious activities to determine if Elastic IP hijacking has occurred and assess the impact.
•    Immediately remove the VM’s permissions to manage Elastic IP addresses.
•    Audit and apply the principle of least privilege to the VM's IAM permissions, ensuring it only has the necessary access.
•    Update the VM and all associated software with the latest security patches to close any vulnerabilities.
•    Implement Multi-Factor Authentication for all accounts with permissions to manage network configurations.
•    Deploy monitoring tools to detect and alert on changes to Elastic IP assignments and other network configurations.
•    Configure alerts for any unauthorized attempts to reassign Elastic IPs or modify network settings.
•    Use VPC security groups and network ACLs to restrict network traffic and control access to Elastic IP management functions.

Public VM allows access to decrypt secrets in secrets manager 

Affected Control ID: CID 5031

Overview

A public virtual machine (VM) with access to decrypt secrets in Secrets Manager poses a significant security risk. If an attacker gains control of this VM, they can decrypt sensitive secrets, potentially leading to unauthorized access to critical systems, data breaches, and further exploitation of the cloud environment. Immediate mitigation is necessary to secure the VM and protect sensitive information.

Mitigation

•    Disconnect the VM from the network to prevent further exploitation.
•    Investigate the VM for signs of compromise and assess if any secrets have been accessed or decrypted.
•    Immediately remove the VM’s permissions to decrypt secrets in Secrets Manager.
•    Audit all permissions and enforce the principle of least privilege, ensuring the VM only has necessary access.
•    Rotate all secrets that the VM had access to, updating any systems that use these secrets to prevent misuse of potentially compromised data.
•    Update the VM and all associated software with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts that manage or access Secrets Manager.
•    Deploy monitoring tools to detect and alert on any unauthorized attempts to access or decrypt secrets.
•    Configure alerts for any suspicious activities involving Secrets Manager, such as unexpected decryption requests.
•    Use VPC security groups, network ACLs, and firewalls to control and limit access to the VM and Secrets Manager.

Public VM with AWS Organization management permissions 

Affected Control ID: CID 5032

Overview

A public virtual machine (VM) with AWS Organization management permissions poses a critical security risk. If compromised, attackers could manipulate the entire AWS organization, including modifying accounts, altering billing settings, and changing security policies. This could lead to severe operational disruptions, unauthorized access to resources, and potential data breaches. Immediate mitigation is essential to secure the VM and protect the integrity of the AWS organization.

Mitigation

•    Disconnect the VM from the network to prevent further access.
•    Investigate any signs of compromise and assess the impact on the AWS organization.
•    Immediately remove the VM’s AWS Organization management permissions.
•    Audit all IAM permissions and enforce the principle of least privilege, ensuring the VM only has necessary access.
•    Implement Multi-Factor Authentication for all accounts with AWS Organization management permissions.
•    Change all credentials associated with the compromised VM and any affected IAM users or roles.
•    Update the VM and all associated software with the latest security patches.
•    Deploy monitoring tools to detect and alert on changes to the AWS organization, including account modifications and policy changes.
•    Configure alerts for any unauthorized attempts to access or modify the AWS organization settings.
•    Use VPC security groups, network ACLs, and firewalls to control and limit access to the VM and AWS Organization management functions.

Data breach risk due to a public serverless function with RDS database SQL query execution permissions 

Affected Control ID: CID 5034

Overview

A public serverless function with permissions to execute SQL queries on an RDS database poses a substantial data breach risk. If an attacker gains access to this function, they could execute malicious queries, retrieve sensitive data, alter or delete database records, and compromise the integrity and confidentiality of the data stored in the RDS instance. Immediate actions are necessary to mitigate this risk and secure the environment.

Mitigation

•    Disable public access to the serverless function to prevent further exploitation.
•    Investigate any unauthorized access to determine if the RDS database has been compromised.
•    Remove the serverless function's permissions to execute SQL queries on the RDS database.
•    Audit and enforce the principle of least privilege, ensuring the function only has the necessary permissions.
•    Change the database credentials used by the serverless function to prevent misuse of potentially compromised access.
•    Ensure the serverless function environment and the RDS instance are updated with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts managing serverless functions and the RDS instance.
•    Deploy monitoring tools to detect and alert on suspicious activities, including unauthorized SQL query executions.
•    Configure alerts for any unauthorized access attempts or unusual query patterns on the RDS database.
•    Use VPC security groups and network ACLs to control and restrict network traffic to the serverless function and RDS instance.

Security group tampering risk due to a public serverless function 

Affected Control ID: CID 5035

Overview

A public serverless function with permissions to modify security groups poses a significant security risk. If exploited, attackers can alter security group rules, potentially allowing unauthorized access to sensitive resources, bypassing existing security controls, and facilitating further attacks on the cloud environment. Immediate and comprehensive mitigation steps are essential to secure the serverless function and prevent unauthorized network access.

Mitigation

•    Disable public access to the serverless function to prevent further tampering.
•    Investigate any unauthorized changes to security groups to determine the scope of potential exploitation.
•    Remove the serverless function’s permissions to modify security groups.
•    Audit all permissions assigned to serverless functions and enforce the principle of least privilege, ensuring functions only have necessary access.
•    Review and revert any unauthorized changes to security group rules to their secure state.
•    Ensure the serverless function environment is updated with the latest security patches.
•    Implement Multi-Factor Authentication for all accounts with permissions to manage security groups.
•    Deploy monitoring tools to detect and alert on changes to security groups and other critical network configurations.
•    Configure alerts for any unauthorized attempts to modify security groups.
•    Use VPC security groups and network ACLs to control and limit network traffic to and from the serverless function.
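The insights from CID 5024 through CID 5035 all come down to one question about the policy attached to a VM's instance role or a serverless function's execution role: does it allow the actions the insight names (IAM artifact creation, security group writes, destructive actions, Elastic IP management, secret decryption, Organizations management, RDS SQL execution, or outright administrative access)? The following added example, written for this page and not TotalCloud's own code, answers that question for a policy document offline. The two policy documents are constructed; the action names are real AWS actions, and the grouping of actions under insight IDs follows the descriptions above. It reads only Allow statements: explicit Deny, Condition blocks, resource scoping, permission boundaries and SCPs are not evaluated, so a hit is a lead for the audit step, not a verdict.

```python
"""Flag risky capabilities in an IAM policy document (identity policy of a VM
instance role or a serverless function's execution role).

Added example, not TotalCloud's code. The policies below are constructed; the
action names are real AWS actions; the mapping to insight IDs follows the
descriptions on this page. Only Allow statements are evaluated (no Deny,
Condition, resource scoping, permission boundaries or SCPs), so treat a hit
as a lead for review, not a final verdict.
"""
import fnmatch
import json

RISKY_CAPABILITIES = {
    "iam_artifact_creation (CID 5025)": [
        "iam:CreateUser", "iam:CreateGroup", "iam:CreateRole"],
    "security_group_write (CID 5026, 5035)": [
        "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
    "data_destruction (CID 5029)": [
        "s3:DeleteObject", "s3:DeleteBucket", "rds:DeleteDBInstance",
        "ec2:DeleteVolume", "dynamodb:DeleteTable"],
    "elastic_ip_management (CID 5030)": [
        "ec2:AllocateAddress", "ec2:AssociateAddress",
        "ec2:DisassociateAddress", "ec2:ReleaseAddress"],
    "secrets_decrypt (CID 5031)": ["secretsmanager:GetSecretValue", "kms:Decrypt"],
    "organizations_management (CID 5032)": [
        "organizations:CreateAccount", "organizations:AttachPolicy",
        "organizations:DetachPolicy", "organizations:LeaveOrganization"],
    "rds_sql_execution (CID 5034)": [
        "rds-data:ExecuteStatement", "rds-data:BatchExecuteStatement"],
}


def allowed_action_patterns(policy):
    """Yield the Action patterns of every Allow statement.

    An Allow with NotAction grants everything except the listed actions, so it
    is reported as a full wildcard, the conservative reading.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            yield "*"
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards (fnmatch semantics)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assess_policy(policy):
    """Return {capability: [matched actions]} for every risky capability the policy allows."""
    patterns = list(allowed_action_patterns(policy))
    findings = {}
    if any(p in ("*", "*:*") for p in patterns):
        findings["administrative (CID 5024)"] = ["*"]
    for capability, actions in RISKY_CAPABILITIES.items():
        hits = sorted({a for a in actions if any(action_matches(p, a) for p in patterns)})
        if hits:
            findings[capability] = hits
    return findings


# Constructed instance-role policy of the kind the insights above flag: the
# application needs one bucket, but the role can also mint IAM principals,
# move Elastic IPs and read secrets. The Deny on Organizations is ignored here.
OVERPRIVILEGED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*Address", "secretsmanager:GetSecretValue"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "organizations:*", "Resource": "*"},
    ],
}

# The same role after applying least privilege: read-only access to one bucket.
LEAST_PRIVILEGE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(assess_policy(OVERPRIVILEGED_ROLE_POLICY), indent=2))
    print(json.dumps(assess_policy(LEAST_PRIVILEGE_ROLE_POLICY), indent=2))
```

Run it against the policy documents of every role attached to a public VM or public function, and treat each non-empty result as the list of permissions the "revoke" and "least privilege" steps above tell you to remove; the wildcard expansion matters because an `iam:Create*` or `ec2:*Address` grant is easy to overlook when reading the policy by eye.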

Anomalous credential access detection on IAM user with console access and privilege escalation/admin permission and No MFA

Affected Control ID: CID 5035

Overview

Anomalous credential access on an IAM user with extensive permissions and no Multi-Factor Authentication (MFA) enabled represents a significant security threat. Prompt intervention is necessary to protect sensitive resources and mitigate the risk of privilege escalation.

Mitigation

  • Disable the IAM user account immediately to prevent further access.
  • Revoke any temporary security credentials that might have been issued.
  • Examine CloudTrail logs and other access logs to identify the nature and extent of the anomalous activities. Look for unusual login times, IP addresses, and API call patterns.
  • Identify the compromised credentials and revoke them.
  • Rotate access keys and change passwords for the affected IAM user.
  • Enable MFA for all IAM users with console access and administrative privileges to add an additional layer of security.
  • Conduct a thorough review of the IAM user’s permissions and roles.
  • Implement the principle of least privilege, ensuring users have only the permissions they need to perform their tasks.
  • Address any identified vulnerabilities or misconfigurations that may have facilitated the anomalous access.
  • Implement continuous monitoring of IAM activities with real-time alerts for suspicious behaviors.

Defense Evasion risk detected on IAM user with console access and privilege escalation/admin permission and No MFA

Affected Control ID: CID 5036

Overview

Defense Evasion on an IAM user with elevated permissions and no Multi-Factor Authentication (MFA) enabled is a serious security threat. Immediate action is required to prevent unauthorized access and potential damage to the system.

Mitigation

  • Disable the IAM user account immediately to prevent further access.
  • Revoke any temporary security credentials that might have been issued.
  • Examine CloudTrail logs and other access logs to identify the nature and extent of the anomalous activities. Look for unusual login times, IP addresses, and API call patterns.
  • Identify the compromised credentials and revoke them.
  • Rotate access keys and change passwords for the affected IAM user.
  • Enable MFA for all IAM users with console access and administrative privileges to add an additional layer of security.
  • Conduct a thorough review of the IAM user’s permissions and roles.
  • Implement the principle of least privilege, ensuring users have only the permissions they need to perform their tasks.
  • Implement continuous monitoring of IAM activities with real-time alerts for suspicious behaviors.
  • Address any identified vulnerabilities or misconfigurations that may have facilitated the Defense Evasion activities.
  • Analyze how the Defense Evasion was carried out, such as through the use of malicious scripts, tools, or social engineering tactics. Identify any backdoors or persistent threats and eliminate them.

Data exfiltration risk on IAM user with console access and privilege escalation/admin permission and No MFA 

Affected Control ID: CID 5037

Overview

Detecting a data exfiltration risk on an IAM user with console access, privilege escalation/admin permissions, and no Multi-Factor Authentication (MFA) requires immediate and comprehensive action.

Mitigation

  • Disable the IAM user account to prevent further unauthorized access.
  • Revoke any active session tokens and temporary security credentials.
  • Examine CloudTrail logs and other access logs to identify unusual activities, such as large data transfers, atypical login times, or access from unfamiliar IP addresses.
  • Immediately change the passwords and rotate access keys for the affected IAM user.
  • Enforce MFA for all IAM users, especially those with console access and administrative permissions.
  • Conduct regular security audits and vulnerability assessments to identify and mitigate potential security risks proactively.

Anomalous data tamper risk detected on IAM user with console access and privilege escalation/admin permission and No MFA

Affected Control ID: CID 5038

Overview

Anomalous data tamper activities involving an IAM user with high-level permissions and no MFA pose a significant threat.

Mitigation

  • Disable the IAM user account to prevent further unauthorized access.
  • Revoke any active session tokens and temporary security credentials.
  • Examine CloudTrail logs and other access logs to identify unusual activities, such as large data transfers, atypical login times, or access from unfamiliar IP addresses.
  • Immediately change the passwords and rotate access keys for the affected IAM user.
  • Enforce MFA for all IAM users, especially those with console access and administrative permissions.
  • Conduct a thorough review of the IAM user’s permissions and roles.
  • Implement the principle of least privilege, ensuring users have only the necessary permissions.

CID 5039: Instance credential exfiltration through instance launch role from another account within AWS

Affected Control ID: CID 5039

Overview

Exfiltrating credentials through an instance launch role from another AWS account typically involves an attack where an attacker gains access to an instance that has an IAM (Identity and Access Management) role attached.

Mitigation

  • Restrict inbound and outbound traffic to instances based on least privilege principles.
  • Assign IAM roles with the minimum permissions necessary for their intended function.
  • Enable AWS CloudTrail to log API calls and monitor for unusual activities, such as unexpected API calls from instances.
  • Enforce MFA for access to AWS Management Console and API calls.

CID 5040: Privilege escalation detected on IAM user with console access with admin permission and No MFA

Affected Control ID: CID 5040

Overview

Detecting privilege escalation on an IAM user with console access and admin permissions, especially without Multi-Factor Authentication (MFA), is a critical security incident in AWS.

Mitigation

  • Immediately change the IAM user’s password to prevent further unauthorized access.
  • Rotate all access keys associated with the IAM user to invalidate compromised keys.
  • Enable Multi-Factor Authentication for all IAM users, especially those with administrative permissions. This adds an additional layer of security to prevent unauthorized access even if credentials are compromised.
  • Conduct a comprehensive review of the IAM user’s permissions and roles. Ensure that permissions are set based on the Principle of Least Privilege to limit access strictly to what is necessary for their role.
  • Implement enhanced monitoring and alerting mechanisms for IAM activities. Set up alerts for unusual or suspicious activities, such as changes in IAM policies or permission

CID 5041: Initial access detected on IAM user with console access with privilege escalation/Admin permission and No MFA

Affected Control ID: CID 5041

Overview

Detecting initial access on an IAM user with console access, privilege escalation to admin permissions, and no Multi-Factor Authentication (MFA) is a critical security incident that requires an immediate and thorough response.

Mitigation

  • Immediately revoke any active session tokens and temporary security credentials associated with the compromised IAM user to terminate ongoing access.
  • Immediately change the IAM user’s password to prevent further unauthorized access.
  • Rotate all access keys associated with the IAM user to invalidate compromised keys.
  • Enable Multi-Factor Authentication for all IAM users, especially those with administrative permissions. This adds an additional layer of security to prevent unauthorized access even if credentials are compromised.
  • Conduct a comprehensive review of the IAM user’s permissions and roles. Ensure that permissions are set based on the Principle of Least Privilege to limit access strictly to what is necessary for their role.
  • Implement enhanced monitoring and alerting mechanisms for IAM activities. Set up alerts for unusual or suspicious activities, such as changes in IAM policies or permission

CID 5042:  Unauthorized access associated with persistence detected on IAM user with console access with privilege escalation/Admin permission and No MFA

Affected Control ID: CID 5042

Overview

Detecting unauthorized access associated with persistence on an IAM user with console access, privilege escalation to admin permissions, and no Multi-Factor Authentication (MFA) is a serious security incident that requires immediate and comprehensive response.

Mitigation

  • Immediately revoke any active session tokens and temporary security credentials associated with the compromised IAM user to terminate ongoing access.
  • Immediately change the IAM user’s password to prevent further unauthorized access.
  • Rotate all access keys associated with the IAM user to invalidate compromised keys.
  • Enable Multi-Factor Authentication for all IAM users, especially those with administrative permissions. This adds an additional layer of security to prevent unauthorized access even if credentials are compromised.
  • Conduct a comprehensive review of the IAM user’s permissions and roles. Ensure that permissions are set based on the Principle of Least Privilege to limit access strictly to what is necessary for their role.
  • Implement strict RBAC policies to restrict access based on job responsibilities and tasks.
  • Implement enhanced monitoring and alerting mechanisms for IAM activities. Set up alerts for unusual or suspicious activities, such as changes in IAM policies or permission
  • Deploy anomaly detection systems to monitor for abnormal patterns of access or behavior within your AWS environment.

CID 5043: Reconnaissance detected due to malicious IP address on IAM user with console access with privilege escalation/Admin permission and No MFA

Affected Control ID: CID 5043

Overview

Detecting reconnaissance due to a malicious IP address targeting an IAM user with console access, privilege escalation to admin permissions, and no Multi-Factor Authentication (MFA) is a critical security incident that requires prompt and thorough response.

Mitigation

  • Immediately revoke any active session tokens and temporary security credentials associated with the compromised IAM user to terminate ongoing access.
  • Immediately change the IAM user’s password to prevent further unauthorized access.
  • Rotate all access keys associated with the IAM user to invalidate compromised keys.
  • Enable Multi-Factor Authentication for all IAM users, especially those with administrative permissions. This adds an additional layer of security to prevent unauthorized access even if credentials are compromised.
  • Implement network-level controls to block or restrict access from the identified malicious IP address. Update security groups or network ACLs to prevent further reconnaissance attempts.
  • Strengthen monitoring and alerting mechanisms for IAM activities. Configure alerts for suspicious activities related to the compromised IAM user or similar reconnaissance attempts.
  • Deploy anomaly detection systems to identify abnormal patterns of access or behavior within your AWS environment.

CID 5044: Denial of Service (DoS) attack using DNS/TCP/UDP protocol detected on public VM

Affected Control ID: CID 5044

Overview

Detecting a Denial of Service (DoS) attack using DNS, TCP, or UDP protocols on a public VM is a serious security incident that requires immediate attention and a structured response plan.

Mitigation

  • Immediately isolate the affected VM from the rest of your network to prevent further impact on other resources and services.
  • Use monitoring tools and logs to verify and confirm the type and scope of the DoS attack. Look for increased traffic volume or unusual patterns in DNS, TCP, or UDP requests.
  • Implement network filtering and firewall rules to block malicious traffic associated with the DoS attack. This may involve blocking specific IP addresses or filtering traffic based on protocols and patterns.

Critical Exploitable Vulnerability on Public VM Communicating with a Remote Host on an Unusual Server Port

Affected Control ID: 5045

Overview

Detecting a critical exploitable vulnerability on a public VM communicating with a remote host on an unusual server port is a significant security incident that requires immediate attention and a structured response plan.

Mitigation

  • Immediately isolate the vulnerable VM from the rest of your network to prevent further exposure and potential exploitation.
  • Use vulnerability scanning tools or conduct manual analysis to verify and confirm the presence and severity of the vulnerability. Identify the exact nature of the vulnerability and its potential impact.
  • If a security patch is available for the vulnerability, apply it immediately to mitigate the risk of exploitation.
  • Implement temporary mitigations, such as firewall rules or network filtering, to block access to the vulnerable service or port until a patch can be applied.
  • Review and update your VM’s security configuration, including firewall rules, access controls, and network segmentation, to prevent similar vulnerabilities in the future.
  • Implement continuous monitoring and logging to detect and respond to any new attempts to exploit vulnerabilities.

Public VM with Unprotected EMR-Related Port Which Is Being Probed by a Known Malicious Host

Affected Control ID: 5046

Overview

Detecting a public VM with an unprotected EMR (Elastic MapReduce) related port being probed by a known malicious host is a critical security incident that requires immediate attention and swift action to prevent potential compromise.

Mitigation

  • Immediately isolate the vulnerable VM from the rest of your network to prevent further exposure and potential exploitation.
  • Implement firewall rules or network ACLs to block all traffic originating from the known malicious host targeting the unprotected EMR port.
  • Review logs, including network logs and system logs, to verify and confirm the probing activity from the known malicious host. Gather details such as source IP addresses, timestamps, and types of probes.
  • Apply any available security patches for the EMR service and related components to mitigate vulnerabilities that could be exploited through the unprotected port.
  • Implement strict access controls and firewall rules to restrict access to EMR-related ports to only trusted sources.

Data Exfiltration Risk Due to Public VM Running Malware That Uses DNS Queries for Outbound Data Transfers

Affected Control ID: 5047

Overview

Detecting a data exfiltration risk due to a public VM running malware that uses DNS queries for outbound data transmission is a severe security incident that demands immediate and thorough response.

Mitigation

  • Immediately isolate the infected VM from the rest of your network to prevent further data exfiltration and the potential spread of malware.
  • Identify and terminate any processes associated with the malware running on the VM. Use system monitoring tools and logs to identify suspicious activities and processes.
  • Implement firewall rules or network ACLs to block outbound DNS traffic from the infected VM. Restrict DNS queries to trusted servers only if necessary for legitimate operations.
  • Verify the integrity of data stored on the VM to determine if any sensitive information has been accessed or exfiltrated. Take appropriate steps to mitigate the impact, such as notifying affected parties or stakeholders.
  • Use antivirus or anti-malware tools to scan and remove any remaining malware or malicious files from the infected VM.
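The third mitigation item above (blocking or restricting outbound DNS from the VM) is far more useful when the tunnelling behaviour can first be recognised in resolver logs, so the block is aimed at the right client and domain. The following is an added example, not TotalCloud's code, that scores DNS query logs per (client, registered domain) pair on the properties DNS-based exfiltration tends to have: many unique, long, high-entropy subdomains under one domain, frequently with TXT record types. The log lines are constructed in a simple "timestamp client qname qtype" form (an assumption; Route 53 Resolver query logs are JSON but carry the same fields), the registered-domain split is a naive last-two-labels rule rather than the Public Suffix List, and the thresholds are assumptions to tune against your own baseline.

```python
"""Score DNS query logs for exfiltration-style patterns.

Added example, not TotalCloud's code. SAMPLE_DNS_LOG is constructed; the
line format, the last-two-labels domain split and the thresholds are
assumptions for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed log: "timestamp client qname qtype". Client 10.0.1.23 issues a
# burst of long random-looking TXT queries under one domain, the shape of DNS
# tunnelling; the other queries are ordinary lookups. Domains use reserved names.
SAMPLE_DNS_LOG = """\
2024-03-10T08:00:01Z 10.0.1.23 www.example.com A
2024-03-10T08:00:02Z 10.0.1.23 api.example.com A
2024-03-10T08:00:05Z 10.0.1.23 q7w2e9r4t1y6u3i8o5p0a2s7d4f9g1h6.exfil-test.example TXT
2024-03-10T08:00:06Z 10.0.1.23 z3x8c1v5b9n2m7k4j0h6g3f1d8s5a2p9.exfil-test.example TXT
2024-03-10T08:00:07Z 10.0.1.23 m4n8b2v6c0x3z7l1k5j9h2g6f4d0s8a3.exfil-test.example TXT
2024-03-10T08:00:08Z 10.0.1.23 p1o5i9u3y7t2r6e0w4q8a3s7d1f5g9h2.exfil-test.example TXT
2024-03-10T08:00:09Z 10.0.1.23 l2k6j0h4g8f3d7s1a5z9x2c6v0b4n8m3.exfil-test.example TXT
2024-03-10T08:00:10Z 10.0.1.23 r5t9y3u7i1o4p8a2s6d0f3g7h1j5k9l4.exfil-test.example TXT
2024-03-10T08:00:20Z 10.0.1.40 cdn.example.org A
2024-03-10T08:00:21Z 10.0.1.40 mail.example.org MX
2024-03-10T08:00:22Z 10.0.1.40 www.example.org AAAA
"""


def shannon_entropy(s):
    """Bits per character of s; encoded payloads sit well above readable host names."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain) using a naive last-two-labels rule (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype})
    return records


def score_exfiltration(records, min_unique=5, min_entropy=3.5, min_len=20):
    """Score each (client, registered domain) pair; 'suspicious' is True when the
    pair shows at least min_unique distinct subdomains that are both long and
    high-entropy on average. Thresholds are assumptions."""
    groups = defaultdict(list)
    for r in records:
        sub, base = split_name(r["qname"])
        groups[(r["client"], base)].append((sub, r["qtype"]))

    results = {}
    for key, items in groups.items():
        subs = {sub for sub, _ in items if sub}
        if not subs:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, qtype in items if qtype in ("TXT", "NULL")) / len(items)
        results[key] = {
            "queries": len(items),
            "unique_subdomains": len(subs),
            "mean_subdomain_len": round(mean_len, 1),
            "mean_entropy": round(mean_entropy, 2),
            "txt_ratio": round(txt_ratio, 2),
            "suspicious": (len(subs) >= min_unique and mean_entropy >= min_entropy
                           and mean_len >= min_len),
        }
    return results


def flagged_pairs(records, **thresholds):
    """Sorted (client, registered_domain) pairs worth blocking at the resolver and investigating."""
    return sorted(k for k, v in score_exfiltration(records, **thresholds).items()
                  if v["suspicious"])


if __name__ == "__main__":
    for key, stats in score_exfiltration(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(key, stats)
```

The flagged pair is exactly what the firewall or resolver rule from the mitigation list needs: the client to isolate and the domain to block. Expect CDN and telemetry domains with many hashed subdomains to score high on uniqueness, so keep an allow-list for them and tune the entropy and length thresholds on a week of your own resolver logs before alerting.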

 

Suspicious Activity on Public S3 Bucket Detected by IAM Entity Invoking S3 API to Delete Data

Affected Control ID: 5048

Overview

Detecting suspicious activity on a public S3 bucket where an IAM entity is invoking S3 API calls to delete data is a critical security incident that requires immediate action to prevent data loss and ensure the integrity of stored information.

Mitigation

  • Immediately change the access permissions of the affected S3 bucket to restrict write and delete operations. Ensure that only authorized entities have access to modify or delete data.
  • Disable or modify the IAM entity's permissions responsible for the suspicious activity to prevent further unauthorized deletion attempts.
  • Monitor ongoing API calls and consider blocking the IAM entity temporarily until the situation is fully assessed and resolved.
  • Review AWS CloudTrail logs and S3 access logs to understand the extent of the deletion activity. Identify the scope of data affected and the timeline of events.
  • If backups are available, restore the deleted data from the most recent backup to minimize data loss and maintain business continuity.
  • Conduct a thorough review of IAM policies and permissions associated with the S3 bucket. Implement the Principle of Least Privilege to ensure entities have only the necessary permissions required for their roles.
  • Enable versioning on the S3 bucket to preserve previous versions of objects and prevent data loss from accidental or malicious deletions.
  • Configure alerts for critical S3 actions such as object deletions or changes in access permissions. Implement anomaly detection to identify unusual patterns of activity that may indicate potential threats.
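The IAM-user insights (CID 5035 through CID 5043) and this S3 deletion insight all begin with the same step: read CloudTrail and look for console logins without MFA, logins from unfamiliar source addresses, credential and policy changes that create persistence or escalate privilege, logging being switched off, and bursts of S3 deletions. The following added example, not TotalCloud's code, runs those checks over a handful of constructed CloudTrail-style records (real CloudTrail field names, invented values). The malicious-IP list, the per-user baseline of known source addresses and the three-delete threshold are assumptions; in practice they come from your threat intelligence feed and your own access history.

```python
"""Triage CloudTrail records for the IAM-user and S3-deletion insights on this page.

Added example, not TotalCloud's code. The records are constructed (real
CloudTrail field names, invented values); MALICIOUS_IPS, BASELINE_IPS and
S3_DELETE_THRESHOLD are assumptions.
"""
import json
from collections import Counter

# Constructed threat-intel list and per-user baseline of known source addresses.
MALICIOUS_IPS = {"203.0.113.7"}
BASELINE_IPS = {"alice": {"198.51.100.4"}, "bob": {"198.51.100.4"}}
S3_DELETE_THRESHOLD = 3  # assumed: deletes by one principal before alerting

# Event names grouped by the tactic each insight describes.
DEFENSE_EVASION = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PERSISTENCE_OR_ESCALATION = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                             "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                             "UpdateAssumeRolePolicy"}
S3_DELETE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}


def _ev(time, source, name, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed values)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": user},
          "sourceIPAddress": ip}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    _ev("2024-03-10T08:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice", "203.0.113.7",
        additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-03-10T08:02:00Z", "iam.amazonaws.com", "CreateUser", "alice", "203.0.113.7",
        requestParameters={"userName": "svc-backup"}),
    _ev("2024-03-10T08:02:30Z", "iam.amazonaws.com", "AttachUserPolicy", "alice", "203.0.113.7",
        requestParameters={"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-03-10T08:03:00Z", "cloudtrail.amazonaws.com", "StopLogging", "alice", "203.0.113.7",
        requestParameters={"name": "org-trail"}),
    _ev("2024-03-10T08:04:00Z", "s3.amazonaws.com", "DeleteObject", "alice", "203.0.113.7"),
    _ev("2024-03-10T08:04:01Z", "s3.amazonaws.com", "DeleteObject", "alice", "203.0.113.7"),
    _ev("2024-03-10T08:04:02Z", "s3.amazonaws.com", "DeleteObject", "alice", "203.0.113.7"),
    _ev("2024-03-10T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "bob", "198.51.100.4",
        additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
]


def principal(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def triage(events, malicious_ips=MALICIOUS_IPS, baseline=BASELINE_IPS,
           delete_threshold=S3_DELETE_THRESHOLD):
    """Return a list of findings {rule, principal, eventName, eventTime, sourceIP, detail}."""
    findings = []
    delete_counts = Counter()
    seen_malicious = set()

    def flag(rule, ev, detail=""):
        findings.append({"rule": rule, "principal": principal(ev), "eventName": ev["eventName"],
                         "eventTime": ev["eventTime"], "sourceIP": ev.get("sourceIPAddress"),
                         "detail": detail})

    for ev in events:
        name, ip, who = ev["eventName"], ev.get("sourceIPAddress"), principal(ev)
        is_login = (name == "ConsoleLogin"
                    and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")
        if is_login and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            flag("console_login_without_mfa", ev)                     # CID 5028, 5035-5043
        if is_login and ip not in baseline.get(who, set()):
            flag("login_from_unseen_ip", ev, f"{ip} not in baseline for {who}")  # CID 5035
        if ip in malicious_ips and (who, ip) not in seen_malicious:   # once per principal/IP
            seen_malicious.add((who, ip))
            flag("activity_from_known_malicious_ip", ev)              # CID 5043
        if name in DEFENSE_EVASION:
            flag("defense_evasion", ev, json.dumps(ev.get("requestParameters", {})))  # CID 5036
        if name in PERSISTENCE_OR_ESCALATION:
            flag("persistence_or_privilege_escalation", ev,
                 json.dumps(ev.get("requestParameters", {})))         # CID 5040, 5042
        if name in S3_DELETE and ev.get("eventSource") == "s3.amazonaws.com":
            delete_counts[who] += 1
            if delete_counts[who] == delete_threshold:
                flag("s3_mass_delete", ev, f"{delete_threshold} deletes by {who}")  # CID 5048
    return findings


def rules_by_principal(findings):
    """Collapse findings to {principal: sorted rule names}: who needs the response steps."""
    out = {}
    for f in findings:
        out.setdefault(f["principal"], set()).add(f["rule"])
    return {who: sorted(rules) for who, rules in out.items()}


if __name__ == "__main__":
    print(json.dumps(rules_by_principal(triage(SAMPLE_EVENTS)), indent=2))
```

A principal that trips several of these rules inside a few minutes, as the constructed user does, is the case the sections above describe: disable the user, revoke its sessions and keys, and review what it created. The StopLogging check only works if the trail's own events are also delivered somewhere the user cannot reach, which is the same immutable-logging point made for SSH earlier on this page.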

Anomalous Behavior Detected by IAM Entity Invoking an S3 API in Attempt to Write Data on Public S3 Bucket

Affected Control ID: 5049

Overview

Detecting anomalous behavior where an IAM entity is attempting to write data to a public S3 bucket is a significant security concern that warrants immediate investigation and response to prevent potential data exposure or misuse.

Mitigation

  • Immediately review and modify the access permissions of the affected public S3 bucket to restrict write operations. Ensure that only authorized IAM entities or roles have the necessary permissions to write data.
  • Disable or modify the IAM entity's permissions responsible for the anomalous write attempts to prevent further unauthorized access and data modification.
  • Review AWS CloudTrail logs and S3 access logs to understand the scope and nature of the write attempts. Identify the IAM entity involved, the data being written (if any), and any other associated activities.
  • Validate the integrity of data stored in the S3 bucket to ensure that no unauthorized or malicious data has been successfully written or modified. Restore from backups if needed.
  • Perform a comprehensive review of IAM policies and permissions associated with the S3 bucket. Implement the Principle of Least Privilege to ensure entities have only the necessary permissions required for their roles.
  • Review and update S3 bucket policies to enforce stricter access controls and prevent unauthorized write operations.
  • Configure real-time alerts for critical S3 actions such as write attempts to public buckets. Implement anomaly detection mechanisms to identify unusual patterns of activity that may indicate potential threats.
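
The two insights above (CID 5048 and CID 5049) both send you to CloudTrail to work out which identity deleted or wrote what, from where and when, and then to lock the bucket down. The Python below is an added example, not TotalCloud or AWS code: it triages constructed CloudTrail-shaped S3 data-event records for delete and write calls against buckets flagged as public, groups them by calling identity, and builds the containment bucket-policy statement the first mitigation step describes. The bucket names, ARNs, account ID, IP addresses and timestamps are made up for the example.

```python
"""Triage CloudTrail records for S3 delete and write calls against public buckets.

Added example, not TotalCloud code. The records below are constructed in the shape
of CloudTrail S3 data events; bucket names, ARNs, account ID and IPs are made up.
"""
from datetime import datetime, timezone

# S3 API names (CloudTrail eventName) that remove or overwrite data.
DELETE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

# Constructed: buckets the CSPM has flagged as publicly accessible.
PUBLIC_BUCKETS = {"example-public-assets"}

# Constructed CloudTrail records (only the fields the triage reads are included).
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "example-public-assets", "key": "reports/q1.csv"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "example-public-assets"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/i-0abc"},
     "requestParameters": {"bucketName": "example-public-assets", "key": "uploads/tool.bin"}},
    # Ignored by the triage: a delete on a bucket that is not public, and a plain read.
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "example-internal-data", "key": "x"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"bucketName": "example-public-assets", "key": "index.html"}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_s3_events(records, public_buckets):
    """Group delete/write calls on public buckets by calling identity.

    Returns {identity_arn: {"deletes", "writes", "first", "last", "keys", "source_ips"}},
    which answers what the mitigation steps ask for: who, what, from where and when.
    """
    findings = {}
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in public_buckets:
            continue
        name = rec.get("eventName")
        if name in DELETE_EVENTS:
            kind = "deletes"
        elif name in WRITE_EVENTS:
            kind = "writes"
        else:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        when = _ts(rec["eventTime"])
        f = findings.setdefault(arn, {"deletes": 0, "writes": 0, "first": when,
                                      "last": when, "keys": set(), "source_ips": set()})
        f[kind] += 1
        f["first"], f["last"] = min(f["first"], when), max(f["last"], when)
        if params.get("key"):
            f["keys"].add(f"{bucket}/{params['key']}")
        f["source_ips"].add(rec.get("sourceIPAddress", "?"))
    return findings


def containment_policy(bucket, allowed_principal_arns):
    """Bucket-policy document denying delete/write to everyone except the listed ARNs.

    An explicit Deny overrides any Allow in IAM or bucket policies, so this stops the
    suspicious identity at once. Only principals in allowed_principal_arns keep
    write/delete, so include your break-glass admin role or you lock yourself out too.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ContainPublicBucketMutations",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                   "s3:PutObject", "s3:PutObjectAcl"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(allowed_principal_arns)}},
    }]}


if __name__ == "__main__":
    for arn, f in triage_s3_events(SAMPLE_TRAIL, PUBLIC_BUCKETS).items():
        print(f"{arn}: {f['deletes']} deletes, {f['writes']} writes, "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, from {sorted(f['source_ips'])}")
```

Against a real trail, feed the function the S3 data events for the bucket; CloudTrail only records object-level calls when data-event logging is enabled for that bucket, so if the triage comes back empty, check that setting before concluding nothing happened. The containment statement is meant as a temporary measure while the IAM entity's permissions are reviewed; replace it with a least-privilege bucket policy once the investigation is done.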

IAM Principal Has Granted Access to an S3 Bucket to the Internet by Changing Bucket Policies or ACLs

Affected Control ID: 5050

Overview

Granting public access to an S3 bucket exposes potentially sensitive data to the internet, increasing the risk of unauthorized access, data breaches, and compliance violations.

Mitigation

  • Immediately review and modify the bucket policy or ACLs to revoke public access permissions. Change permissions to ensure that only authorized entities have access to the S3 bucket.
  • If the bucket was set to allow public access, disable it immediately. Update the bucket policy or ACLs to enforce strict access controls and limit access to specific IAM roles or users.
  • Review AWS CloudTrail logs and S3 access logs to identify when and by whom the bucket permissions were modified. Determine the extent of exposure and any potential unauthorized access.
  • Perform a thorough review of the data stored in the S3 bucket to ensure that no sensitive or confidential information has been accessed or compromised.
  • Conduct a comprehensive review of IAM policies and permissions associated with the S3 bucket. Implement the Principle of Least Privilege to restrict access to only what is necessary for each IAM entity's role.
  • Implement stricter bucket policies and ACLs to prevent future unauthorized modifications or public access. Regularly audit and update these controls to maintain security posture.
  • Configure alerts for critical S3 actions, especially changes to bucket policies or ACLs that may grant public access. Implement continuous monitoring to detect and respond to unauthorized changes promptly.

Discovery of Resources from Malicious IP Address on Public S3 Bucket

Affected Control ID: 5051

Overview

The discovery of a malicious IP address accessing a public S3 bucket indicates potential unauthorized access or attempted data exfiltration. This incident demands swift identification of the scope of access, containment of the threat, and remediation to prevent further compromise.

Mitigation

  • Immediately review and modify the bucket policy or ACLs to restrict access permissions and prevent further unauthorized access. Consider temporarily disabling public access if not explicitly required.
  • Block the malicious IP address at the network level or within AWS services to prevent further access attempts to the S3 bucket.
  • Review AWS CloudTrail logs and S3 access logs to identify the extent and nature of the access from the malicious IP address. Determine if any data was accessed or downloaded.
  • Conduct a thorough review of the data stored in the S3 bucket to assess if any sensitive information has been accessed or compromised.
  • Conduct a comprehensive review of IAM policies and permissions associated with the S3 bucket. Implement the Principle of Least Privilege to restrict access to only authorized entities.
  • Strengthen bucket policies and ACLs to enforce strict access controls and limit access to specific IAM roles or users. Regularly audit and update these controls to prevent future unauthorized access.
  • Configure alerts for critical S3 actions, especially unauthorized access attempts or changes to bucket permissions. Implement continuous monitoring to detect and respond to anomalies promptly.
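
CID 5050 asks you to find and revoke the bucket-policy statement or ACL grant that opened the bucket, and CID 5051 asks you to block a specific source address while the wider review happens. The Python below is an added example, not TotalCloud or AWS code, covering both: it picks out the Allow-to-everyone statements in a bucket policy (separating unconditional ones from those scoped by a Condition), lists ACL grants to the AllUsers and AuthenticatedUsers groups, removes the unconditional public statements, and adds an explicit source-IP Deny statement. The policy, ACL, bucket name, account ID, VPC endpoint ID and IP ranges are constructed.

```python
"""Find public grants in an S3 bucket policy or ACL and add a source-IP Deny.

Added example, not TotalCloud code. The policy, ACL, bucket name, account ID,
VPC endpoint ID and IP ranges below are constructed.
"""
import copy
import ipaddress

# The two ACL groups that make a bucket or object world-readable/writable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policy: one public-read grant, one grant to everyone that is
# scoped to a VPC endpoint, and one grant to a specific admin role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-assets/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AdminWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/bucket-admin"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-public-assets",
                                    "arn:aws:s3:::example-public-assets/*"]},
]}

# Constructed ACL in the shape returned by get-bucket-acl.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy):
    """Split Allow-to-everyone statements into (unconditional, conditional).

    Unconditional ones are the public grants to revoke. Conditional ones (aws:SourceIp,
    aws:SourceVpce, ...) are usually deliberately scoped and need a human look.
    """
    unconditional, conditional = [], []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            (conditional if st.get("Condition") else unconditional).append(st)
    return unconditional, conditional


def public_acl_grants(acl):
    """ACL grants to AllUsers / AuthenticatedUsers, i.e. public access granted via ACL."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def revoke_public_statements(policy):
    """Copy of the policy with the unconditional public Allow statements removed."""
    remove = {id(st) for st in public_statements(policy)[0]}
    keep = [st for st in _as_list(policy.get("Statement", [])) if id(st) not in remove]
    new = {k: v for k, v in policy.items() if k != "Statement"}
    new["Statement"] = copy.deepcopy(keep)
    return new


def add_source_ip_deny(policy, bucket, cidrs, sid="DenyFlaggedSourceIps"):
    """Copy of the policy plus an explicit Deny for requests from the given CIDRs.

    Explicit Deny wins over every Allow, so the addresses are blocked even before the
    public grant is removed. Re-running replaces the earlier statement with the same Sid.
    """
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]  # rejects junk input
    new = copy.deepcopy(policy)
    statements = [s for s in _as_list(new.get("Statement", [])) if s.get("Sid") != sid]
    statements.append({
        "Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": nets}},
    })
    new["Statement"] = statements
    return new


if __name__ == "__main__":
    flagged, review = public_statements(SAMPLE_POLICY)
    print("revoke:", [s["Sid"] for s in flagged], "review:", [s["Sid"] for s in review])
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    hardened = add_source_ip_deny(revoke_public_statements(SAMPLE_POLICY),
                                  "example-public-assets", ["203.0.113.10", "198.51.100.0/24"])
    print([s["Sid"] for s in hardened["Statement"]])
```

Two caveats worth keeping in mind when using this against a real bucket. The source-IP Deny only sees the address the request arrives from, so traffic that reaches S3 through a VPC endpoint or a proxy will not match it; treat it as a stopgap alongside the permission review, not as the fix. And turning on S3 Block Public Access for the bucket or account is the durable way to keep the public grant from coming back after you have removed it.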

Qualys Predicted High-Risk Vulnerabilities on Public VM with Administrative Privilege

Affected Control ID: 5052

Overview

Predicting high-risk vulnerabilities on a public VM with administrative privileges involves anticipating potential weaknesses that could lead to severe security breaches.

Mitigation

  • Regularly apply security patches and updates to all software and the operating system. Implement automated patch management systems to ensure timely updates.
  • Enforce strong password policies, use multi-factor authentication (MFA) for access, and regularly audit IAM policies to ensure least privilege access.
  • Restrict access to the VM's administrative services using firewall rules, IP allowlisting, or VPNs. Implement intrusion detection systems (IDS) to monitor for suspicious activities.
  • Segment networks to limit communication between different segments. Use Virtual Private Clouds (VPCs) and subnet isolation to reduce the attack surface.
  • Enable logging for all critical activities and monitor logs for unusual or suspicious behavior. Implement real-time alerting and response mechanisms for potential security breaches.
  • Review and audit security group rules and firewall configurations regularly. Follow the principle of least privilege and restrict access to only necessary ports and services.

Unauthenticated Vulnerability Detected in Public VM with Denial of Service Attack Risk

Affected Control ID: 5053

Overview

An unauthenticated vulnerability in a public VM makes it susceptible to exploitation by attackers, potentially leading to disruptive DoS attacks. Effective mitigation involves both immediate response measures and long-term security enhancements.

Mitigation

  • If feasible, isolate the affected VM from the network to prevent exploitation and mitigate the impact of any ongoing attacks.
  • Identify and disable any services or protocols known to be vulnerable or targeted by potential attackers.
  • Use network monitoring tools to analyze incoming traffic patterns and detect any signs of ongoing or impending DoS attacks.
  • Immediately apply patches and security updates to the VM’s operating system and all installed software to address known vulnerabilities.
  • Configure firewalls and network access control lists (ACLs) to filter and block malicious traffic, especially traffic known to exploit the identified vulnerability.
  • Implement DDoS protection mechanisms, such as rate limiting and traffic filtering, at the network perimeter to mitigate volumetric attacks.
  • Disable unnecessary services and ports to limit exposure to potential attack vectors.

Zero-Day Vulnerability Detected on Public VM

Affected Control ID: 5054

Overview

Detecting a zero-day vulnerability on a public VM is a critical security incident due to its potential for exploitation by attackers without available patches or known mitigations. Addressing and mitigating such vulnerabilities requires a strategic and immediate response to minimize risk and protect the VM and associated data.

Mitigation

  • Immediately disconnect the vulnerable VM from the network to prevent potential exploitation and mitigate the impact of any ongoing attacks.
  • Disable network interfaces or isolate the VM within a segmented network environment until a resolution is implemented.
  • Identify and disable or restrict access to services or applications affected by the zero-day vulnerability to limit exposure.
  • Disable specific services or apply temporary access controls through firewall rules or network ACLs.
  • Monitor incoming and outgoing network traffic to detect any signs of exploitation or unusual activities targeting the vulnerable VM.
  • Review and update security controls, policies, and configurations to strengthen defenses against potential exploits and mitigate risks associated with the zero-day vulnerability.
  • Conduct regular vulnerability scans and assessments to identify and mitigate other potential vulnerabilities that could be exploited in a similar manner.

CISA Known Exploitable Vulnerability on Public VM

Affected Control ID: 5055

Overview

Detecting a CISA-known exploitable vulnerability on a public VM signifies a high-priority security issue that requires immediate and comprehensive action to prevent potential exploitation and mitigate risks.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent exploitation and minimize the impact.
  • Identify and disable any services or applications that are known to be vulnerable.
  • Immediately apply security patches or updates provided by the vendor to address the vulnerability.
  • Use configuration changes or deploy interim solutions as advised by the vendor or security community.
  • Perform detailed scans and assessments to identify other potential vulnerabilities.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Public VM with Vulnerability Associated to Ransomware with No Encryption on Attached EBS Volume

Affected Control ID: 5056

Overview

A public VM with a vulnerability associated with ransomware poses a significant risk, especially if the attached Elastic Block Store (EBS) volume is not encrypted. Ransomware exploits such vulnerabilities to gain unauthorized access, encrypt data, and demand ransom for decryption. The absence of encryption on EBS volumes further exacerbates the risk, as attackers can more easily access and manipulate data.

Mitigation

  • Disconnect the affected VM from the network to prevent further exploitation and ransomware spread.
  • Identify and disable services or applications that may be vulnerable to ransomware attacks.
  • Increase monitoring to detect any signs of ransomware activity or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
  • Encrypt all attached EBS volumes to protect data from unauthorized access.
  • Deploy endpoint protection and anti-ransomware solutions to detect and prevent ransomware attacks.

Public Exploitable Vulnerability Detected on VM with Suspicious Communication

Affected Control ID: 5057

Overview

A public VM with an exploitable vulnerability detected alongside suspicious communication signifies a critical security threat. Such vulnerabilities can be targeted by attackers to gain unauthorized access, launch attacks, or exfiltrate data. Suspicious communication often indicates potential compromise or ongoing malicious activity.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of exploitation or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Determine if the suspicious communication is indicative of malicious activity, such as unauthorized access attempts, data exfiltration, command and control (C2) traffic, or malware communication.
  • Conduct a thorough forensic analysis of the affected VM to determine the extent of the compromise, identify any malware or unauthorized access, and assess potential damage.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

Privilege Escalation Risk on Public VM with Malware Associated with Vulnerability

Affected Control ID: 5058

Overview

A privilege escalation risk on a public VM associated with malware and a known vulnerability poses a significant security threat. Privilege escalation allows attackers to gain higher-level permissions on the system, potentially leading to complete control over the VM. When combined with malware, this can result in data breaches, unauthorized access, and further propagation of malicious activities.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of exploitation or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Scan the VM for malware and remove any malicious software found.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
  • Strengthen access controls and authentication mechanisms to reduce the risk of unauthorized access and privilege escalation.

Easy Exploitable Vulnerability Detected on Public VM with Risky Credential Exposure Permission

Affected Control ID: 5059

Overview

An easily exploitable vulnerability on a public VM coupled with risky credential exposure permissions presents a critical security threat. Such vulnerabilities can be leveraged by attackers to gain unauthorized access, steal sensitive information, and further compromise the system.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of exploitation or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Rotate any exposed credentials immediately and enforce secure credential management practices.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
  • Strengthen access controls and authentication mechanisms to reduce the risk of unauthorized access and credential exposure.

Public VM with Vulnerability Detected with Potential Remote Code Execution Exploitation Risk with Administrative Privilege

Affected Control ID: 5060

Overview

A public VM with a detected vulnerability that poses a potential remote code execution (RCE) risk, especially with administrative privileges, represents a severe security threat. RCE vulnerabilities allow attackers to execute arbitrary code on the VM remotely, potentially gaining full control over the system. With administrative privileges, the attacker can escalate their actions, leading to data breaches, system compromises, and other malicious activities.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable to RCE.
  • Increase monitoring to detect any signs of exploitation or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Rotate any exposed credentials immediately and enforce secure credential management practices.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.
  • Strengthen access controls and authentication mechanisms to reduce the risk of unauthorized access and remote code execution exploitation.

Public VM with Vulnerability Associated to Ransomware

Affected Control ID: 5061

Overview

A public VM with a vulnerability associated with ransomware presents a critical threat to the security and integrity of an organization’s data and systems. Ransomware can encrypt critical data, disrupt services, and result in significant financial and reputational damage. The presence of a vulnerability that can be exploited by ransomware increases the risk of an attack.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of ransomware activities or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

CID 5062: Easy exploitable vulnerability detected on public VM

Overview

An easily exploitable vulnerability on a public VM represents a critical security risk. Such vulnerabilities can be readily leveraged by attackers to gain unauthorized access, control over the VM, or compromise sensitive data.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of ransomware activities or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

CID 5063: Public exploitable vulnerability detected on VM

Overview

A public VM with a detected exploitable vulnerability poses a significant security threat. Such vulnerabilities can be exploited by attackers to gain unauthorized access, control over the VM, or compromise sensitive data.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of ransomware activities or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Restrict traffic to limit access to the VM.
  • Implement multi-factor authentication (MFA) for all users and ensure strong password policies.

CID 5064: Vulnerability detected on VM with potential privilege escalation risk

Overview

A vulnerability detected on a VM with a potential privilege escalation risk is a critical security concern. Privilege escalation vulnerabilities can allow attackers to gain elevated access to the system, potentially compromising the entire VM and any sensitive data it holds.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and stop suspicious communications.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of ransomware activities or suspicious behavior.
  • Immediately apply patches and updates to the VM's operating system and all installed software to address known vulnerabilities.
  • Restrict traffic to limit access to the VM.
  • Implement multi-factor authentication (MFA) for all users and ensure strong password policies.
  • Regularly review and adjust permissions to ensure they are appropriate.

CID 5065: Unauthenticated exploitable vulnerability detected on VM

Overview

An unauthenticated exploitable vulnerability on a VM is a severe security threat. Such vulnerabilities can be exploited without needing valid user credentials, making it easier for attackers to gain unauthorized access, execute arbitrary code, or compromise the system.

Mitigation

  • Temporarily disconnect the affected VM to prevent further exploitation.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of exploitation attempts or suspicious behavior.
  • Immediately update the VM's operating system and all installed software to address the known vulnerability.

CID 5066: Public VM with wormable vulnerability detected

Overview

A wormable vulnerability detected on a public VM represents a critical security risk. Wormable vulnerabilities allow malicious code to propagate automatically from one system to another without user intervention. This type of vulnerability can lead to widespread and rapid exploitation, compromising not only the affected VM but potentially spreading to other systems within the network.

Mitigation

  • Disconnect the affected VM to prevent further spread of the worm.
  • Identify and disable services or applications that may be vulnerable.
  • Increase monitoring to detect any signs of worm activity or propagation.
  • Immediately update the VM's operating system and all installed software to address the wormable vulnerability.
  • Restrict traffic to limit access to the VM.
  • Restrict access to the VM by implementing network segmentation and configuring firewall rules to allow only necessary traffic. Utilize security groups and network ACLs (Access Control Lists) to control inbound and outbound traffic effectively.

CID 5067: Public serverless function with IAM write permissions on RDS

Overview

A public serverless function with IAM write permissions on RDS (Relational Database Service) poses a significant security risk. Serverless functions, often accessible via public endpoints, can be exploited by attackers to gain unauthorized access to RDS databases, potentially leading to data breaches, data corruption, or loss of data integrity.

Mitigation

  • Update the serverless function configuration to limit public access. Use VPC (Virtual Private Cloud) to restrict access to the function.
  • Immediately review and, if necessary, revoke excessive IAM permissions for the serverless function.
  • Ensure the serverless function has only the necessary permissions required to perform its tasks. Avoid broad permissions and grant only the specific write permissions needed.
  • Create IAM roles with tailored policies that provide minimal required permissions and assign these roles to the serverless function.
  • Ensure strong authentication mechanisms are in place for accessing the serverless function and RDS databases.
  • Encrypt data in transit and at rest in RDS, and enable SSL/TLS for connections to RDS.
  • Enable detailed logging for both the serverless function and RDS. Use CloudTrail and RDS logs to monitor access and activities.
  • Configure alerts for unusual activities or unauthorized access attempts on the serverless function and RDS.

CID 5068: Public serverless function with data destructive privilege

Overview

A public serverless function with data destructive privileges poses a critical security threat. If exploited, it can lead to severe consequences such as data loss, data corruption, or system compromise. This risk is amplified due to the public exposure of the function, making it accessible to potential attackers.

Mitigation

  • Update the serverless function configuration to limit public access. Use VPC (Virtual Private Cloud) to restrict access to the function.
  • Immediately review and, if necessary, revoke excessive IAM permissions for the serverless function.
  • Ensure the serverless function has only the necessary permissions required to perform its tasks. Avoid broad permissions and grant only the specific write permissions needed.
  • Create IAM roles with tailored policies that provide minimal required permissions and assign these roles to the serverless function.
  • Require authentication mechanisms such as API keys or tokens for accessing the serverless function.
  • Encrypt data in transit and at rest in RDS, and enable SSL/TLS for connections to RDS.
  • Enable detailed logging for both the serverless function and RDS. Use CloudTrail and RDS logs to monitor access and activities.
  • Configure alerts for unusual activities or unauthorized access attempts on the serverless function and RDS.

CID 5069: Public serverless function IAM role with KMS destructive privilege

Overview

Using a public serverless function with destructive privileges on AWS KMS (Key Management Service) poses several security risks. KMS is used to encrypt and decrypt sensitive data, and granting destructive privileges such as key deletion or disabling can compromise its integrity and availability. Public serverless functions, like those run by AWS Lambda, can potentially be exploited if they have excessive permissions, leading to unauthorized access or modification of sensitive data.

Mitigation

  • Update the serverless function configuration to limit public access. Use VPC (Virtual Private Cloud) to restrict access to the function.
  • Immediately review and, if necessary, revoke excessive IAM permissions for the serverless function.
  • Grant only the minimum permissions necessary for the function to perform its intended tasks. Avoid broad permissions like kms:* and focus on specific actions required for your function’s operations.
  • Use KMS key policies to restrict access to specific IAM roles or users, ensuring that only authorized entities can perform sensitive operations.
  • Create IAM roles with specific policies attached that limit access to only necessary KMS operations.
  • Use AWS CloudTrail to track and log all API calls related to KMS. This helps in detecting any unauthorized or unintended operations.

CID 5070: Public serverless function with write permission on critical configuration for S3

Overview

A public serverless function, such as an AWS Lambda function, that has write permissions on critical S3 configuration (bucket policies, ACLs, or object tags) can be abused to make unauthorized changes to that configuration.

Mitigation

  • Update the serverless function configuration to limit public access. Use VPC (Virtual Private Cloud) to restrict access to the function.
  • Immediately review and, if necessary, revoke excessive IAM permissions for the serverless function.
  • Grant only the permissions necessary for the function to operate. Avoid providing broad permissions like s3:* and instead use specific actions.
  • Implement bucket policies to restrict access to sensitive S3 operations, ensuring only authorized IAM roles or users can make changes.
  • Enable AWS CloudTrail to log and monitor API calls related to S3. This helps in tracking any changes made to critical configurations.
  • Use S3 event notifications to alert you about changes to objects or configurations.

CID 5071: Public serverless function with write permissions on security group

Overview

Using a public serverless function with write permissions on security groups can introduce significant security risks, as it allows the function to modify network access rules, potentially exposing your infrastructure to unauthorized access.

Mitigation

  • Update the serverless function configuration to limit public access. Use VPC (Virtual Private Cloud) to restrict access to the function.
  • Immediately review and, if necessary, revoke excessive IAM permissions for the serverless function.
  • Grant only the necessary permissions required for the function to operate, avoiding broad permissions like ec2:*.
  • Implement IAM policies that precisely define what the serverless function can do with security groups.
  • Enable AWS CloudTrail to log all API calls related to EC2 security groups, helping you detect and respond to unauthorized changes.
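
The serverless-function insights above (CID 5067 through CID 5071) all come down to the same review: find the statements in the function's execution-role policy that grant destructive or exposure-changing actions, usually through wildcards such as kms:*, s3:* or ec2:*, and replace them with explicit actions on explicit resources. The Python below is an added example, not TotalCloud or AWS code, that does the first half of that review offline: it expands each IAM action pattern in an Allow statement against a catalogue of destructive RDS, KMS, S3 and EC2 security-group actions, handles NotAction, and builds a wildcard-free replacement statement. The catalogue is constructed and deliberately short, not an exhaustive list of sensitive AWS actions, and the sample policy and bucket name are made up.

```python
"""Flag destructive or over-broad actions granted to a serverless function's role.

Added example, not TotalCloud code. The catalogue of destructive actions and the
sample policy are constructed for illustration; the catalogue is deliberately short.
"""
import fnmatch

# Constructed catalogue: actions that destroy data/keys or change network exposure,
# grouped by the service the CID 5067-5071 insights cover.
DESTRUCTIVE_ACTIONS = {
    "rds": ["rds:DeleteDBInstance", "rds:DeleteDBCluster", "rds:DeleteDBSnapshot",
            "rds:ModifyDBInstance"],
    "kms": ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:DeleteAlias", "kms:PutKeyPolicy"],
    "s3": ["s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:PutBucketPolicy", "s3:PutBucketAcl",
           "s3:PutBucketPublicAccessBlock", "s3:DeleteObject"],
    "ec2": ["ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress", "ec2:DeleteSecurityGroup"],
}
ALL_DESTRUCTIVE = [a for acts in DESTRUCTIVE_ACTIONS.values() for a in acts]

# Constructed execution-role policy for a Lambda function.
SAMPLE_FUNCTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["kms:*", "s3:Put*", "logs:CreateLogStream"], "Resource": "*"},
    {"Sid": "Fine", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Denied", "Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_action(pattern, catalogue=ALL_DESTRUCTIVE):
    """Catalogue actions matched by one IAM action pattern.

    IAM action matching is case-insensitive and supports '*' and '?' wildcards,
    which fnmatch reproduces for these identifiers (they contain no brackets).
    """
    pat = pattern.lower()
    return [a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pat)]


def risky_grants(policy, catalogue=ALL_DESTRUCTIVE):
    """(Sid, pattern, matched destructive actions) for every Allow that grants one.

    Deny statements are skipped on purpose: the goal is to find over-broad grants
    to remove, not to compute the effective permission after full policy evaluation.
    """
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement{i}")
        if "NotAction" in st:  # NotAction allows everything except the listed patterns
            excluded = {a for p in _as_list(st["NotAction"]) for a in expand_action(p, catalogue)}
            matched = [a for a in catalogue if a not in excluded]
            if matched:
                hits.append((sid, "NotAction", matched))
            continue
        for pattern in _as_list(st.get("Action", [])):
            matched = expand_action(pattern, catalogue)
            if matched:
                hits.append((sid, pattern, matched))
    return hits


def least_privilege_statement(actions, resources):
    """Allow statement listing exact actions and resources; refuses wildcards."""
    bad = [a for a in actions if "*" in a or "?" in a]
    if bad or any(r == "*" for r in resources):
        raise ValueError(f"wildcards not allowed in a least-privilege grant: {bad or resources}")
    return {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": list(resources)}


if __name__ == "__main__":
    for sid, pattern, matched in risky_grants(SAMPLE_FUNCTION_POLICY):
        print(f"{sid}: {pattern!r} grants {matched}")
    print(least_privilege_statement(["s3:PutObject", "s3:GetObject"],
                                    ["arn:aws:s3:::example-bucket/uploads/*"]))
```

The check is intentionally a grant finder rather than a policy evaluator: it ignores Resource and Condition, so a statement it flags may in practice be narrowed by a resource ARN or condition key, and an action it does not flag may still be reachable through a permissions boundary or resource policy. Use it to produce the list of statements to look at, then confirm each one with the IAM policy simulator or Access Analyzer before changing the role.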

CID 5072: Data breach risk due to a public VM with Amazon RDS database SQL query execution permissions

Overview

Using a public virtual machine (VM) with permissions to execute SQL queries on an Amazon RDS (Relational Database Service) database poses significant security risks. If the VM is compromised, unauthorized users can access, modify, or delete sensitive data, leading to a data breach.

Mitigation

  • Ensure that your RDS instance is deployed within a private subnet of a VPC (Virtual Private Cloud) that restricts direct internet access. This limits exposure to external threats.
  • Configure security groups to allow access to your RDS instance only from specific IP addresses or ranges. For example, restrict access to only the IP address of your VM.
  • Use Network ACLs (Access Control Lists) to provide an additional layer of security by controlling inbound and outbound traffic at the subnet level.
  • Apply the principle of least privilege by granting the VM only the necessary permissions to execute specific SQL queries. Avoid granting broad permissions like rds:*.
  • Regularly update and patch the VM to protect against known vulnerabilities.
  • Enable encryption for your RDS instance and its backups using AWS KMS (Key Management Service). This ensures that data at rest is protected.
  • Use IAM database authentication to connect to your RDS instance, reducing reliance on static database credentials.
  • Enable detailed monitoring with Amazon CloudWatch and AWS CloudTrail to track and log all actions performed on your RDS instance. Set up alarms for unusual activities.

CID 5073: Data destruction risk due to malware affecting a public VM with data destruction permissions

Overview

A public virtual machine (VM) with permission to delete or alter critical data introduces substantial risks, particularly if the VM becomes compromised by malware. This can lead to data loss, disruption of services, and significant recovery efforts.

Mitigation

  • Implement strict security group rules and network ACLs to control inbound and outbound traffic. Only allow necessary traffic to and from the VM.
  • Grant the VM only the necessary permissions to perform its required tasks. Avoid broad permissions that could lead to data destruction.
  • Regularly update and patch the VM’s operating system and software to protect against vulnerabilities.
  • Enable detailed monitoring and logging with Amazon CloudWatch and AWS CloudTrail to track all actions performed on your resources.

CID 5074: Public VM with write access on database with SSH brute-forcing

Overview

A public virtual machine (VM) with write access to a database presents significant security risks, especially if it is susceptible to SSH brute-force attacks. If an attacker gains access to the VM, they could potentially execute malicious SQL queries, corrupt data, or delete critical information.

Mitigation

  • Limit SSH access to the VM by allowing connections only from specific, trusted IP addresses.
  • Configure security groups to restrict inbound SSH traffic.
  • Use SSH key pairs for authentication instead of passwords.
  • Change the default SSH port from 22 to a non-standard port to reduce the likelihood of brute-force attacks.
  • Grant the VM only the necessary permissions to interact with the database. Avoid broad permissions and use specific actions.
  • Use IAM database authentication to connect to your RDS instance, reducing reliance on static database credentials.
  • Enable detailed monitoring and logging with Amazon CloudWatch and AWS CloudTrail to track all actions performed on your VM and database.

CID 5075: Public VM with wildcard access on IAM with vulnerability associated with ransomware

 

Overview

A public virtual machine (VM) with wildcard access on IAM (Identity and Access Management) is a significant security risk, especially in the context of ransomware. Wildcard permissions (*) provide broad access to all IAM actions and resources, which can be exploited by ransomware to escalate privileges, exfiltrate data, and disrupt operations.

Mitigation

  • Assign the VM the minimum permissions necessary for its tasks. Avoid using wildcard permissions and instead, specify exact actions and resources.
  • Limit SSH access to the VM by allowing connections only from specific, trusted IP addresses.
  • Configure security groups to restrict inbound and outbound traffic, allowing only necessary connections.
  • Use SSH key pairs for authentication instead of passwords to reduce the risk of brute-force attacks.
  • Enforce MFA for all IAM users, especially those with elevated permissions.
  • Enable detailed monitoring and logging with Amazon CloudWatch and AWS CloudTrail to track all actions performed on IAM resources.

CID 5076: Potential privilege escalation on public VM with wildcard access on EKS detected with vulnerability 

 

Overview

The detection of a potential privilege escalation vulnerability on a public VM with wildcard access on EKS (Elastic Kubernetes Service) is a critical security concern. This vulnerability could allow an attacker to gain elevated privileges, potentially compromising the entire Kubernetes cluster, accessing sensitive data, and manipulating resources. The VM's public exposure, coupled with the broad permissions granted, exacerbates the risk.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation.
  • Identify and disable any services that may be susceptible to the detected vulnerability.
  • Immediately apply the latest security patches and updates to the VM’s operating system and all installed applications.
  • Audit and restrict IAM policies associated with EKS to eliminate wildcard (*) permissions and replace them with specific actions and resources.
  • Define and apply fine-grained permissions to ensure that IAM roles and users have the minimum necessary access.
  • Use security groups and network ACLs to restrict access to the VM and EKS clusters to only necessary IP ranges and ports.
  • Implement strong authentication mechanisms for accessing both the VM and the EKS cluster, including multi-factor authentication (MFA).
  • Use Kubernetes RBAC to enforce strict access controls within the EKS cluster.
  • Enable detailed logging for the VM and EKS cluster using CloudTrail, CloudWatch Logs, and Kubernetes audit logs.
  • Configure alerts for unusual or unauthorized activities to detect and respond to potential threats in real-time.

 

CID 5077: CISA known exploitable vulnerability detected on public VM with wildcard access on Lambda

 

Overview

A CISA-known exploitable vulnerability on a public VM combined with wildcard access on Lambda presents a severe security risk. This scenario can lead to unauthorized access, execution of arbitrary code, data breaches, and potential compromise of other services and resources. The VM's public exposure and the broad permissions granted to Lambda functions increase the attack surface and potential impact.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation.
  • Identify and disable services that are susceptible to the known vulnerability.
  • Immediately apply the latest security patches and updates to the VM's operating system and all installed applications.
  • Audit and restrict the IAM policies associated with Lambda functions to ensure they follow the principle of least privilege.
  • Eliminate wildcard (*) permissions and replace them with specific actions and resources.
  • Use security groups and network ACLs to restrict access to the VM and Lambda functions to only necessary IP ranges and ports.
  • Implement strong authentication mechanisms for accessing both the VM and Lambda functions, including multi-factor authentication (MFA).
  • Enable detailed logging for both the VM and Lambda functions using CloudTrail, CloudWatch Logs, and other relevant logging services.
  • Configure alerts for unusual or unauthorized activities to detect and respond to potential threats in real-time.

 

CID 5078: Publicly exposed S3 bucket with cross-account access

 

Overview

A publicly exposed S3 bucket with cross-account access poses significant security risks, including unauthorized access, data leakage, and potential data manipulation. This exposure can allow external entities to access or modify the contents of the S3 bucket, leading to a breach of sensitive information or other malicious activities.

Mitigation

  • Update the S3 bucket's ACL (Access Control List) and bucket policies immediately to disable public access.
  • Remove any unnecessary cross-account access permissions from the bucket policies.
  • Review the current bucket policies and identify any permissions that allow cross-account access. Ensure only authorized accounts have the necessary permissions.
  • Apply the principle of least privilege by granting only the minimum necessary permissions to the bucket.
  • Enable versioning on the S3 bucket to protect against accidental or malicious data deletion or modification.
  • Enable server access logging to track requests for access to the S3 bucket. Use AWS CloudTrail to log and monitor bucket activities.
  • Update bucket policies to restrict access to specific IAM roles or users within trusted AWS accounts.
  • Ensure that IAM policies do not grant overly broad permissions to the S3 bucket. Use resource-based policies to control access.
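The following is an added example, not part of the TotalCloud documentation: a small audit of an S3 bucket policy that reports the two conditions CID 5078 describes, anonymous (public) principals and grants to accounts outside a trusted list. The bucket name, account ids and role name are constructed, and the remediated policy shows the shape of the "restrict access to specific IAM roles within trusted accounts" step.

```python
import json

# Constructed sample bucket policy of the kind CID 5078 flags: one statement is
# public, one grants write access to an account we do not trust. The account
# ids and bucket name are hypothetical.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample of the remediated policy: read access for one role in a
# trusted account only, plus a Deny that forces TLS. The Deny uses Principal "*"
# on purpose; a Deny never widens access and must not be reported.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustedRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ReportReader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

TRUSTED_ACCOUNTS = {"111111111111"}  # accounts allowed to hold cross-account grants


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Classify a Principal element: ('public', set()) for anonymous access,
    otherwise ('accounts', {12-digit account ids or unparsable entries})."""
    if principal == "*":
        return "public", set()
    accounts = set()
    # Only the "AWS" key names accounts/roles; "Service" principals (for
    # example logging services) are left to a separate review.
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            return "public", set()
        account = entry.split(":")[4] if entry.startswith("arn:") else entry
        accounts.add(account if account.isdigit() and len(account) == 12 else entry)
    return "accounts", accounts


def audit_bucket_policy(policy_json, trusted_accounts):
    """Return (Sid, finding, actions) for every Allow statement that grants
    public access or access to an account outside trusted_accounts."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        kind, accounts = principal_accounts(stmt.get("Principal", {}))
        if kind == "public":
            # A Condition (e.g. aws:SourceVpce) may narrow "*"; it still needs review.
            label = "public (narrowed by Condition)" if "Condition" in stmt else "public"
            findings.append((sid, label, actions))
        for account in sorted(accounts - set(trusted_accounts)):
            findings.append((sid, "cross-account " + account, actions))
    return findings


if __name__ == "__main__":
    for name, policy in (("exposed", EXPOSED_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_bucket_policy(policy, TRUSTED_ACCOUNTS))
```

The policy text can be fed in from the output of `aws s3api get-bucket-policy`; remember that account-level Block Public Access settings and bucket ACLs are separate controls that this check does not read.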

 

CID 5079: Public Load Balancer

 

Overview

A public load balancer, while essential for distributing traffic to multiple backend servers and ensuring high availability, can introduce security risks if not properly configured. These risks include unauthorized access, data interception, and potential denial-of-service attacks. Proper security measures must be implemented to safeguard the load balancer and the infrastructure it supports.

Mitigation

  • Limit access to the load balancer by restricting allowed IP ranges using security groups or network ACLs.
  • Enforce HTTPS to ensure that all data transmitted to and from the load balancer is encrypted.
  • Implement strong authentication mechanisms for accessing applications behind the load balancer.
  • Ensure that IAM policies grant the minimum necessary permissions for managing the load balancer.
  • Enable access logs for the load balancer to monitor incoming requests. Use AWS CloudTrail and CloudWatch Logs for comprehensive monitoring.
  • Configure alerts for unusual traffic patterns or potential security incidents.

 

CID 5080: Public VM with wildcard resource access on S3 bucket with critical exploitable vulnerability

 

Overview

A public VM with wildcard resource access to an S3 bucket and a critical exploitable vulnerability poses significant security risks. This scenario can lead to unauthorized data access, data breaches, and potential exploitation of the vulnerability to compromise the VM and associated resources. Immediate mitigation steps are essential to secure the VM, the S3 bucket, and the overall environment.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation.
  • Identify and disable any services that may be susceptible to the detected vulnerability.
  • Immediately apply the latest security patches and updates to the VM’s operating system and all installed applications.
  • Audit and restrict IAM policies associated with the VM to eliminate wildcard (*) permissions and replace them with specific actions and resources.
  • Apply the principle of least privilege to ensure that the VM has only the necessary permissions to access specific S3 bucket resources.
  • Update bucket policies to restrict access to specific IAM roles or users within trusted AWS accounts.
  • Review and adjust ACLs to ensure proper permissions are set for accessing the bucket.
  • Ensure that all data stored in the S3 bucket is encrypted using server-side encryption (SSE-S3) or customer-managed keys (SSE-KMS).
  • Enable S3 server access logging and use AWS CloudTrail to monitor all activities related to the S3 bucket and the VM.

CID 5081: Privilege escalation and lateral movement risk detected on public VM due to Arbitrary Code Execution via Windows Themes vulnerability

Overview

A critical security concern is the detection of a privilege escalation and lateral movement risk on a public VM due to an arbitrary code execution vulnerability via Windows Themes. This vulnerability allows attackers to execute arbitrary code with elevated privileges, potentially compromising the VM and enabling lateral movement within the network.

Mitigation

  • Disconnect the affected VM from the network to prevent further exploitation and limit potential lateral movement.
  • Identify and disable any services or features related to Windows Themes that may be susceptible to exploitation.
  • Immediately apply the latest security patches from Microsoft to address the Windows Themes vulnerability.
  • Limit the number of accounts with administrative privileges and enforce the principle of least privilege.
  • Implement MFA for all accounts with administrative access to the VM.
  • Enable detailed logging and monitoring for the VM using Windows Event Logs, AWS CloudTrail, and CloudWatch Logs.
  • Configure alerts for unusual or unauthorized activities, such as privilege escalation attempts or changes in system configurations.

CID 5082: OpenSSH Remote Code Execution (RCE) exploitation attempt on public VM with critical exploitable vulnerability

Overview

A Remote Code Execution (RCE) exploitation attempt on a public VM via OpenSSH with a critical exploitable vulnerability poses severe security risks. RCE vulnerabilities allow attackers to execute arbitrary commands on the affected system, potentially leading to full system compromise, data breaches, and further malicious activities.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further exploitation and contain any potential damage.
  • Identify and terminate any active sessions that may be associated with the exploitation attempt.
  • Immediately apply the latest security patches and updates for OpenSSH to address the critical vulnerability.
  • Establish a process for regular updates and patch management to ensure the VM and all installed software remain secure.
  • Restrict SSH access to the VM by limiting allowed IP ranges using security groups or firewall rules.
  • Enforce the use of key-based authentication for SSH access instead of password-based authentication.
  • Require MFA for all accounts that have SSH access to the VM, adding an extra layer of security.
  • Enable detailed logging for SSH activities and monitor these logs for any unusual or unauthorized access attempts.
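An added example, not from the TotalCloud documentation, for the "monitor SSH logs" step here and the SSH brute-forcing scenario in CID 5074: a detector that reads sshd log lines and flags sources with a burst of failed logins, noting whether the same source later logged in successfully. The log lines, host name, addresses and key fingerprint are constructed; the sliding window and threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (addresses are documentation
# ranges, the key fingerprint is made up). The pam_unix line shows that
# unrelated records are skipped by the parser.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:10 vm01 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 10 08:01:12 vm01 sshd[1205]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Mar 10 08:01:15 vm01 sshd[1207]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar 10 08:01:19 vm01 sshd[1209]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar 10 08:01:22 vm01 sshd[1211]: Failed password for invalid user ubuntu from 198.51.100.23 port 51250 ssh2
Mar 10 08:01:26 vm01 sshd[1213]: Failed password for root from 198.51.100.23 port 51255 ssh2
Mar 10 08:01:31 vm01 sshd[1215]: Accepted password for root from 198.51.100.23 port 51260 ssh2
Mar 10 08:02:05 vm01 sshd[1220]: Failed password for deploy from 203.0.113.5 port 41000 ssh2
Mar 10 08:02:20 vm01 sshd[1222]: Accepted publickey for deploy from 203.0.113.5 port 41004 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 08:02:40 vm01 sshd[1230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23
Mar 10 08:00:00 vm01 sshd[1100]: Failed password for root from 192.0.2.77 port 33000 ssh2
Mar 10 08:03:00 vm01 sshd[1102]: Failed password for root from 192.0.2.77 port 33002 ssh2
Mar 10 08:06:00 vm01 sshd[1104]: Failed password for root from 192.0.2.77 port 33004 ssh2
Mar 10 08:09:00 vm01 sshd[1106]: Failed password for root from 192.0.2.77 port 33006 ssh2
Mar 10 08:12:00 vm01 sshd[1108]: Failed password for root from 192.0.2.77 port 33008 ssh2
Mar 10 08:15:00 vm01 sshd[1110]: Failed password for root from 192.0.2.77 port 33010 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line, year=2024):
    """Return a dict for Failed/Accepted authentication lines, None for anything
    else. syslog timestamps carry no year, so the caller supplies one."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return event


def detect_brute_force(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s span,
    and record whether that IP later logged in successfully (the case that needs
    an incident response rather than only a firewall rule)."""
    by_ip = defaultdict(list)
    for event in sorted(filter(None, map(parse_sshd_line, lines)), key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        fails = [e["ts"] for e in events if e["result"] == "Failed"]
        peak, start = 0, 0
        for end in range(len(fails)):  # sliding window over sorted failure times
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        later_success = [e for e in events if e["result"] == "Accepted" and e["ts"] >= fails[0]]
        findings[ip] = {
            "failed_attempts": len(fails),
            "peak_in_window": peak,
            "usernames": sorted({e["user"] for e in events if e["result"] == "Failed"}),
            "login_after_failures": later_success[0]["user"] if later_success else None,
        }
    return findings


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_AUTH_LOG.splitlines()))
    # A slow attacker (one guess every few minutes) only shows up with a wider window.
    print(detect_brute_force(SAMPLE_AUTH_LOG.splitlines(), window_s=900))
```

Once password authentication is disabled as the list recommends, any remaining "Accepted password" line is itself a finding worth alerting on.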

 

CID 5083: Atlassian confluence data center and server remote code execution (RCE) vulnerability detected on public VM

 

Overview

A remote code execution (RCE) vulnerability detected in the Atlassian Confluence Data Center and Server on a public VM presents a severe risk. This vulnerability can allow an attacker to execute arbitrary code on the server, potentially leading to full system compromise and data theft.

Mitigation

  • Disconnect the affected VM from the network to prevent further exploitation and contain potential damage.
  • Temporarily disable the Confluence service to halt any ongoing exploitation attempts.
  • Immediately apply the latest security patches and updates provided by Atlassian to address the RCE vulnerability in Confluence.
  • Restrict access to the Confluence server by limiting allowed IP ranges using security groups or firewall rules.
  • To add an extra layer of security, enforce multi-factor authentication (MFA) for all accounts with access to the Confluence server.
  • Enable detailed logging for the Confluence server and monitor logs for unusual or unauthorized activities.

 

CID 5084: Microsoft HTTP/2 Protocol Distributed Denial of Service (DoS) Vulnerability detected on public VM

 

Overview

A Distributed Denial of Service (DoS) vulnerability in the Microsoft HTTP/2 protocol detected on a public VM is a significant security risk. Attackers can exploit this vulnerability to overwhelm the VM with malicious HTTP/2 traffic, causing service disruptions, degrading performance, or completely crashing the system. Public-facing VMs are especially vulnerable as they are accessible over the internet, making them prime targets for such attacks.

Mitigation

  • Continuously monitor the network traffic to detect and mitigate ongoing DoS attacks.
  • Implement rate limiting to control the number of requests per second to the HTTP/2 service.
  • Ensure that the VM and all related services are updated with the latest patches provided by Microsoft to address the HTTP/2 vulnerability.
  • Keep the operating system, software, and dependencies up-to-date with the latest security patches.
  • Set up alerts for abnormal activities, such as sudden increases in traffic or resource utilization, to enable quick response to potential attacks.
  • Review and update security groups and firewall rules to limit inbound and outbound traffic and prevent further unauthorized access or data exfiltration.

 

CID 5085: Public VM running with Chrome Browser 120.0.6099.234 (Mac) and 120.0.6099.224 (Windows and Linux) which are actively attacked vulnerabilities and have public exploit

 

Overview

Running a public VM with outdated versions of Google Chrome (120.0.6099.234 on Mac and 120.0.6099.224 on Windows and Linux) that have known vulnerabilities and public exploits is a significant security risk. These vulnerabilities can be exploited by attackers to execute arbitrary code, steal sensitive data, or gain unauthorized access to systems. Publicly accessible VMs are particularly vulnerable as they are more likely to be targeted by attackers scanning for such exploits.

Mitigation

  • Disconnect the VM from the network to prevent any ongoing exploitation or data exfiltration.
  • Immediately update Google Chrome to the latest version on all affected VMs (Mac, Windows, and Linux).
  • Implement a patch management policy to ensure all software, including browsers, is regularly updated with the latest security patches.
  • Enable automatic updates for browsers and other critical software to minimize the window of vulnerability.
  • Use firewalls and security groups to restrict access to the VM, allowing only necessary traffic.
  • Enable security features in Chrome, such as safe browsing, to protect against malicious websites and downloads.
  • Configure alerts for unusual activities, such as attempts to exploit browser vulnerabilities or unauthorized access attempts.

CID 5086: Data destruction risk due to public and vulnerable VM with data destruction permissions

 

Overview

A public virtual machine (VM) with permissions allowing data destruction poses a significant security risk. If compromised, attackers could manipulate and destroy sensitive data across various storage services, leading to potentially irreversible data loss.

 

Mitigation

  • Disconnect the VM from the network to prevent further access.
  • Investigate any signs of compromise and assess the impact on the AWS organization.
  • Immediately assess and remove the VM’s data deletion/destruction permissions.
  • Audit all IAM permissions and enforce the principle of least privilege, ensuring the VM only has necessary access.
  • Implement Multi-Factor Authentication for all accounts with AWS Organization management permissions.
  • Change all credentials associated with the compromised VM and any affected IAM users or roles.
  • Update the VM and all associated software with the latest security patches.
  • Deploy monitoring tools to detect and alert on changes to the storage resources.
  • Configure alerts for any unauthorized attempts to access or modify the storage resources settings.
  • Use VPC security groups, network ACLs, and firewalls to control and limit access to the VM.
  • Additionally, enable options such as soft-delete, MFA delete protection or purge protection wherever applicable on storage resources.

 

CID 5087: Public VM with write access on database

 

Overview

A Distributed Denial of Service (DoS) vulnerability detected in the Microsoft HTTP/2 protocol on a public VM presents a critical threat. Attackers can exploit this vulnerability to overwhelm the VM with malicious traffic, rendering it unresponsive and potentially impacting the availability of services hosted on it.

Mitigation

  • Temporarily disconnect the affected VM from the network to prevent further attacks while mitigation measures are implemented.
  • Use security groups, firewalls, or network ACLs to limit incoming traffic to essential sources.
  • Immediately apply any available security patches and updates from Microsoft to address the HTTP/2 DoS vulnerability.
  • Limit access to the VM to only trusted IP addresses using security groups or firewall rules.
  • Employ load balancers to distribute traffic and reduce the load on the VM, making it harder for an attacker to overwhelm a single endpoint.
  • Enable logging for HTTP/2 traffic and monitor logs for signs of unusual activity, such as spikes in traffic from specific IP addresses.

CID 5088: Public VM with wildcard access on IAM

 

Overview

A public VM with wildcard access on IAM roles poses a severe security risk. Wildcard access grants overly broad permissions, which can lead to unauthorized access and manipulation of AWS resources. This can potentially expose sensitive data, enable unauthorized actions, and increase the risk of lateral movement and privilege escalation within your AWS environment.

Mitigation

  • Immediately review and update IAM policies to replace wildcard (*) permissions with specific, least-privilege permissions.
  • If feasible, isolate the VM to prevent further unauthorized access and limit its interaction with other resources.
  • Conduct a comprehensive audit of all IAM roles and policies associated with the VM to identify and rectify any overly permissive policies.
  • Apply the principle of least privilege by configuring IAM roles and policies to grant only the minimum permissions necessary for the VM’s intended operations.
  • Update security groups associated with the VM to limit inbound and outbound traffic to only necessary IP addresses and ports.
  • Use network segmentation to isolate the VM from other critical resources within the AWS environment.
  • Enable AWS CloudTrail and other logging mechanisms to capture and monitor API calls and activities associated with the IAM roles and the VM.

CID 5089: Public VM with wildcard access on EKS

 

Overview

A public VM with wildcard access on Amazon EKS (Elastic Kubernetes Service) presents a significant security risk. Wildcard access grants overly broad permissions, potentially allowing unauthorized operations on Kubernetes resources and services within the cluster. This can lead to unauthorized data access, modification, or deletion and could facilitate lateral movement within the Kubernetes environment.

Mitigation

  • Immediately review and update IAM policies associated with the VM to replace wildcard (*) permissions with specific, least-privilege permissions tailored to the required EKS operations.
  • If possible, isolate the VM to prevent further unauthorized interactions with the EKS cluster.
  • Conduct a thorough audit of IAM roles and policies associated with the VM and EKS cluster to identify and correct overly permissive policies.
  • Apply the principle of least privilege by configuring IAM roles and policies to grant only the necessary permissions required for the VM's intended functions in the EKS environment.
  • Review and update Kubernetes RBAC (Role-Based Access Control) policies within EKS to ensure that the VM's access is appropriately restricted.
  • Apply Kubernetes best practices to secure resources, such as namespaces, deployments, and services, by using role-based access control (RBAC) and Network Policies.
  • Update security groups and network policies associated with the VM and EKS cluster to restrict inbound and outbound traffic to only necessary IP addresses and ports.
  • Use network segmentation to isolate the VM and EKS cluster from other critical resources and reduce potential attack surfaces.
  • Enable AWS CloudTrail, Kubernetes audit logs, and other relevant logging mechanisms to capture and monitor activities related to the VM and EKS cluster.

 

CID 5090: Public VM with wildcard access on Lambda

 

Overview

A public VM with wildcard access on AWS Lambda poses significant security risks. Wildcard access grants overly broad permissions to Lambda functions, which can lead to unauthorized execution and data access and potentially compromise other AWS services.

Mitigation

  • Immediately review and update IAM policies associated with the VM to replace wildcard (*) permissions with specific, least-privilege permissions tailored to Lambda functions.
  • If possible, isolate the VM to prevent further interactions with AWS Lambda and reduce the risk of unauthorized access.
  • Conduct a thorough audit of IAM roles and policies associated with the VM to identify and correct any overly permissive policies related to Lambda.
  • Apply the principle of least privilege by configuring IAM roles and policies to grant only the minimum permissions necessary for the VM’s intended Lambda operations.
  • Review and update Lambda function permissions to ensure that they are appropriately restricted and do not use wildcard permissions.
  • Apply resource-based policies to Lambda functions to control which services and entities can invoke them.
  • Update security groups and network policies to limit the VM’s network access to only necessary IP addresses and services.
  • Enable AWS CloudTrail, Lambda logging, and other relevant logging mechanisms to capture and monitor activities related to Lambda functions and the VM.

 

CID 5091: Malware detected on public VM with privilege escalation risk

 

Overview

Malware detected on a public VM with privilege escalation risk poses a serious threat to the security of your environment. This situation indicates that the malware may not only compromise the VM but also exploit vulnerabilities to escalate its privileges, potentially gaining unauthorized access to sensitive resources and increasing the risk of further attacks.

Mitigation

  • Disconnect the affected VM from the network to prevent the malware from spreading or communicating with external command and control servers.
  • Use endpoint protection tools to contain and disable the malware on the VM.
  • Analyze the malware to understand its behavior and impact. Use a secure, isolated environment for this analysis.
  • Audit and review user and system permissions on the VM. Restrict any unnecessary elevated privileges and ensure that users operate with the least privilege necessary.
  • Apply security patches and updates to the VM's operating system and applications to address any vulnerabilities that the malware may exploit for privilege escalation.
  • Review and update security groups and firewall rules to limit inbound and outbound traffic and prevent further unauthorized access or data exfiltration.
  • Ensure that detailed logging is enabled for the VM and monitor logs for unusual or unauthorized activities, such as unexpected changes or access attempts.

 

CID 5092: Public VM with wildcard access on CloudTrail

 

Overview

A public VM with wildcard access on AWS CloudTrail poses a significant security risk. Wildcard access grants the VM overly broad permissions on CloudTrail, which can lead to unauthorized access and manipulation of audit logs. This can expose sensitive activity records, hinder forensic investigations, and compromise the integrity of your logging and monitoring processes.

Mitigation

  • Immediately review and update IAM policies associated with the VM to replace wildcard (*) permissions with specific, least-privilege permissions related to CloudTrail.
  • If possible, isolate the VM to prevent further access or interaction with CloudTrail and other AWS resources.
  • Conduct a comprehensive audit of IAM roles and policies related to the VM and CloudTrail to identify and correct any overly permissive policies.
  • Apply the principle of least privilege by configuring IAM roles and policies to grant only the necessary permissions required for CloudTrail operations.
  • Review and restrict permissions for accessing and managing CloudTrail logs. Ensure that only authorized entities have access to these logs.
  • Apply resource-based policies to CloudTrail to control which users and roles can access or modify logs.
  • Ensure that CloudTrail logging is enabled and configured to capture all relevant API activity across your AWS environment.
  • Configure alerts for unusual or unauthorized activities related to CloudTrail access or modifications.
  • Review and update security groups associated with the VM to limit inbound and outbound traffic to only necessary sources and destinations.

 

CID 5093: Public VM with wildcard access on CloudWatch

 

Overview

A public VM with wildcard access on AWS CloudWatch represents a serious security concern. Wildcard access grants the VM overly broad permissions on CloudWatch, which can lead to unauthorized access and manipulation of monitoring data and alerts. This can compromise the integrity of your monitoring and logging processes, expose sensitive information, and hinder effective incident response.

Mitigation

  • Immediately review and update IAM policies associated with the VM to replace wildcard (*) permissions with specific, least-privilege permissions related to CloudWatch.
  • If feasible, isolate the VM to prevent further interactions with CloudWatch and other AWS resources.
  • Conduct a comprehensive audit of IAM roles and policies related to the VM and CloudWatch to identify and rectify any overly permissive policies.
  • Apply the principle of least privilege by configuring IAM roles and policies to grant only the necessary permissions required for CloudWatch operations.
  • Review and restrict permissions for accessing and managing CloudWatch metrics, logs, and alarms. Ensure that only authorized users and roles have access.
  • Apply resource-based policies to CloudWatch to control access to specific metrics, logs, and alarms.
  • Ensure that CloudWatch logging is enabled and properly configured to capture all relevant metrics and logs for your AWS environment.

CID 5094: Potential indication of data exfiltration activity on a public and vulnerable VM

 

Overview

A potential indication of data exfiltration activity on a public and vulnerable VM suggests that unauthorized data might be leaving your environment through the VM. This could be due to vulnerabilities in the VM or weaknesses in security configurations, which attackers exploit to extract sensitive information.

Mitigation

  • Disconnect the affected VM from the network to prevent further data exfiltration and limit the spread of any potential compromise.
  • Use endpoint protection tools to contain the threat on the VM.
  • Perform a detailed forensic analysis to understand how the data exfiltration occurred, which data was accessed, and how it was transmitted.
  • Examine CloudTrail, VPC flow logs, and other relevant logs for unusual or unauthorized data access or transfer activities.
  • Update the VM’s operating system and applications with the latest security patches to address known vulnerabilities.
  • Ensure that sensitive data is encrypted both in transit and at rest to prevent unauthorized access during and after exfiltration attempts.
  • Implement strict access controls to limit who can access and export data.
  • Review and update security groups and firewall rules to restrict inbound and outbound traffic to only necessary sources and destinations.
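An added example, not from the TotalCloud documentation, for the "examine VPC flow logs for unusual data transfer" step above: it aggregates accepted outbound bytes from the VM to destinations outside the VPC and flags destinations that received an unusual volume or were reached on a port the workload is not expected to use. The flow records, account id, interface id and addresses are constructed, and the 100 MB threshold and expected-port list are assumptions to baseline per workload.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC flow log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. 10.0.1.25 is the VM; the NODATA
# record shows the shape of a line that carries no traffic fields.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 44312 443 6 120 18340 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 198.51.100.77 50120 443 6 98000 142000000 1700000000 1700000600 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 198.51.100.77 50121 443 6 91000 131000000 1700000600 1700001200 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 192.0.2.9 50200 4444 6 3000 4200000 1700000100 1700000160 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 51000 5432 6 500 620000 1700000100 1700000160 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 443 44312 6 110 15200 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f67890 10.0.1.25 192.0.2.50 50300 445 6 10 600 1700000200 1700000260 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000300 1700000360 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Address space treated as internal (RFC 1918); adjust to your VPC and peered
# CIDRs. ipaddress.is_private is not used because it also classes the
# documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_record(line):
    """Parse one default-format record; None for custom formats or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_summary(lines, vm_ips):
    """Bytes the VM sent to external destinations, keyed by (dstaddr, dstport),
    counting only ACCEPTed flows (REJECTed ones never left the VPC)."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_flow_record, lines)):
        if rec["srcaddr"] not in vm_ips or rec["action"] != "ACCEPT" or is_internal(rec["dstaddr"]):
            continue
        totals[(rec["dstaddr"], rec["dstport"])] += rec["bytes"]
    return dict(totals)


def flag_exfiltration(lines, vm_ips, byte_threshold=100_000_000, expected_ports=(80, 443)):
    """Return (dstaddr, dstport, bytes, reason) for destinations that received an
    unusual volume or were reached on a port outside expected_ports."""
    findings = []
    for (dst, port), sent in sorted(outbound_summary(lines, vm_ips).items()):
        reasons = []
        if sent >= byte_threshold:
            reasons.append(f"{sent / 1e6:.0f} MB sent")
        if port not in expected_ports:
            reasons.append(f"unexpected destination port {port}")
        if reasons:
            findings.append((dst, port, sent, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_exfiltration(SAMPLE_FLOW_LOG.splitlines(), {"10.0.1.25"}):
        print(finding)
```

A workload that legitimately uploads large files will trip the byte threshold, so baseline it from a known-good period; the port check is the more reliable signal for a VM that should only talk to a database and a package mirror.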

 

CID 5095: Privilege escalation risk on public and vulnerable VM with active port scan

Overview

Privilege escalation risk on a public and vulnerable VM, combined with active port scanning, indicates that an attacker may be attempting to exploit vulnerabilities to gain elevated permissions on the VM. Port scanning suggests the attacker is probing the VM for open ports and services, potentially looking for weaknesses to exploit for privilege escalation or further attacks.

Mitigation

  • Disconnect the affected VM from the network to prevent further attacks and mitigate the risk of privilege escalation.
  • Use endpoint protection tools to contain the threat on the VM and stop any ongoing malicious activities.
  • Perform a forensic analysis to determine the nature of the attack, any compromised data, and how the attacker may be escalating privileges.
  • Examine security logs, including CloudTrail, VPC flow logs, and system logs, for signs of unauthorized access or privilege escalation attempts.
  • Update the VM’s operating system and applications with the latest security patches to address known vulnerabilities.
  • Review and update security groups and firewall rules to restrict inbound and outbound traffic to only necessary services and IP addresses.

CID 5096: Suspicious communication on public VM with wildcard access on IAM

 

Overview

Suspicious communication on a public VM with wildcard access on IAM suggests that the VM may be involved in unauthorized or malicious activities due to overly permissive IAM roles. Wildcard access grants extensive permissions, which can be exploited by attackers to perform unauthorized actions, including accessing or modifying sensitive resources and exfiltrating data.

Mitigation

  • Disconnect the affected VM from the network to prevent further suspicious communication and limit the risk of data exfiltration or further exploitation.
  • Use endpoint protection tools to halt any ongoing malicious activities and prevent the spread of any compromise.
  • Immediately review and update IAM policies associated with the VM to replace wildcard (*) permissions with specific, least-privilege permissions.
  • Configure IAM roles and policies to grant only the necessary permissions required for the VM’s intended operations.
  • Perform a forensic analysis to determine the nature and scope of the suspicious communication, including any data accessed or transmitted.
  • Update the VM’s operating system and software with the latest security patches to address the identified vulnerability.
  • Examine CloudTrail, VPC flow logs, and other relevant logs for signs of unauthorized access, unusual API calls, or unexpected data transfers.
  • Review and update security groups and firewall rules to restrict inbound and outbound traffic to only necessary sources and destinations.

CID 5097: Critical exploitable vulnerability on public VM with cross-account access


Overview

A critical exploitable vulnerability on a public VM with cross-account access indicates a significant security risk. This scenario suggests that an attacker could exploit vulnerabilities in the public VM to gain unauthorized access to resources in other AWS accounts. Cross-account access allows permissions to span multiple accounts, potentially amplifying the impact of the exploitation.

Mitigation

  • Disconnect the affected VM from the network to prevent further suspicious communication and limit the risk of data exfiltration or further exploitation.
  • Use endpoint protection tools to halt any ongoing malicious activities and prevent the spread of any compromise.
  • Perform a forensic analysis to determine how the vulnerability was exploited and which cross-account resources may have been affected.
  • Examine CloudTrail, VPC flow logs, and other relevant logs for signs of unauthorized cross-account access or unusual activity.
  • Update the VM’s operating system and software with the latest security patches to address the identified vulnerability.
  • Review and update IAM roles and policies to restrict cross-account access to only necessary and authorized entities.
  • Ensure that cross-account access is granted based on the principle of least privilege, minimizing the permissions to only what is essential.
  • Review and update security groups and firewall rules to restrict traffic to and from the VM, ensuring only necessary connections are allowed.

CID 5098: Malware detected on public VM which allows access to decrypt secrets in Secrets Manager


Overview

Malware detected on a public VM that allows access to decrypt secrets in AWS Secrets Manager presents a significant security threat. This situation suggests that the VM has been compromised and the attacker could potentially access sensitive secrets stored in AWS Secrets Manager, which could lead to data breaches, further exploitation, and unauthorized access to critical resources.

Mitigation

  • Disconnect the affected VM from the network to prevent further suspicious communication and limit the risk of data exfiltration or further exploitation.
  • Use endpoint protection tools to halt any ongoing malicious activities and prevent the spread of any compromise.
  • Perform a forensic analysis to determine how the vulnerability was exploited and which cross-account resources may have been affected.
  • Examine CloudTrail, VPC flow logs, and other relevant logs for signs of unauthorized cross-account access or unusual activity.
  • Immediately revoke IAM roles and policies that grant the VM access to decrypt secrets in Secrets Manager.
  • Change all secrets in AWS Secrets Manager that could have been accessed by the compromised VM, ensuring new secrets are securely distributed.
  • Update the VM’s operating system and software with the latest security patches to address vulnerabilities that may have been exploited.
  • Apply security best practices to the VM, including disabling unnecessary services, changing default configurations, and closing unused ports.
  • Review and update security groups and firewall rules to restrict inbound and outbound traffic, allowing only necessary connections.

CID 5099: Critical exploitable vulnerability detected on VM with privilege to create IAM artifacts (User, Group, Role)


Overview

A critical exploitable vulnerability detected on a VM with the privilege to create IAM artifacts (Users, Groups, Roles) poses a severe security threat. An attacker exploiting this vulnerability could create malicious IAM entities, granting themselves or others unauthorized access to various resources, potentially leading to data breaches, privilege escalation, and overall system compromise.

Mitigation

  • Immediately disconnect the compromised VM from the network to prevent further exploitation.
  • Use endpoint protection tools to halt any ongoing malicious activities and prevent the spread of the compromise.
  • Perform a forensic analysis to determine how the vulnerability was exploited and which cross-account resources may have been affected.
  • Examine CloudTrail, VPC flow logs, and other relevant logs for signs of unauthorized cross-account access or unusual activity.
  • Update the IAM policies and roles associated with the VM to immediately revoke the VM’s ability to create IAM artifacts.
  • Review and restrict IAM policies to ensure that only necessary permissions are granted, following the principle of least privilege.
  • Update the VM’s operating system and applications with the latest security patches to address the identified vulnerability.
  • Review all IAM users, groups, and roles created recently for any unauthorized entities and remove them if found.
  • Review and update security groups and firewall rules to restrict traffic to and from the VM and allow only necessary connections.

CID 5100: Potential unauthorized access due to persistence privilege detected on public VM


Overview

Potential unauthorized access due to persistence privilege detected on a public VM signifies a serious security threat. Persistence privileges enable an attacker to maintain access to the VM even after initial entry, potentially allowing long-term unauthorized activities, data exfiltration, and further compromise of the system and connected resources.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further unauthorized access and limit potential damage.
  • Utilize endpoint protection tools to halt any ongoing malicious activities and ensure the VM is isolated.
  • Perform a thorough forensic analysis to determine the extent of the compromise, how persistence was achieved, and what actions were taken by the attacker.
  • Examine logs from CloudTrail, the VM, and other relevant sources to identify unauthorized activities and persistence mechanisms.
  • Locate and eliminate any backdoors, scheduled tasks, scripts, or other mechanisms that allow the attacker to regain access.
  • Update IAM roles and policies to remove any excessive privileges that might have been exploited to establish persistence.
  • Ensure the VM's operating system and applications are updated with the latest security patches to address known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5101: Suspicious communication detected on public VM with access to discover other resources within AWS


Overview

Suspicious communication detected on a public VM with access to discover other resources within AWS indicates a potential security breach. An attacker may be using the compromised VM to map out and identify other valuable resources within your AWS environment, which could be targeted for further attacks. This could lead to data exfiltration, privilege escalation, or broader system compromise.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further malicious activities.
  • Use endpoint protection tools to stop any ongoing suspicious activities and limit the attack's spread.
  • Perform a thorough forensic analysis to determine the nature of the suspicious communication, its origin, and potential targets.
  • Examine CloudTrail, VPC flow logs, and other relevant logs to identify unauthorized access attempts and resource discovery activities.
  • Immediately revoke any unnecessary IAM roles or policies that grant the VM broad discovery capabilities.
  • Conduct a thorough review of IAM roles and policies to ensure the principle of least privilege is enforced.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any vulnerabilities.
  • Secure the VM by disabling unnecessary services, changing default configurations, and ensuring only necessary ports are open.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5102: Public VM with wildcard access on CloudWatch with vulnerability associated with ransomware


Overview

A public VM with wildcard access on CloudWatch combined with a vulnerability associated with ransomware poses a significant threat. This setup allows an attacker to exploit the vulnerability to gain unauthorized access and potentially monitor, modify, or exfiltrate data. Additionally, the wildcard access on CloudWatch means the attacker could potentially access logs, metrics, and other monitoring data across your AWS environment, aiding in their malicious activities.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further exploitation and limit the attack's spread.
  • Utilize endpoint protection tools to halt any ongoing ransomware activities.
  • Perform a forensic analysis to understand the nature of the ransomware attack and how the vulnerability was exploited.
  • Examine CloudWatch logs and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Immediately revoke the VM’s wildcard access to CloudWatch by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5103: CISA known exploitable vulnerability detected on public VM with wildcard access on CloudTrail

Overview

A public VM with a CISA-known exploitable vulnerability and wildcard access on CloudTrail poses a significant security risk. The vulnerability could be exploited to gain unauthorized access, and the broad access to CloudTrail logs means an attacker could cover their tracks by modifying or deleting logs, thereby making it difficult to detect and respond to malicious activities.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further exploitation and limit the attack's spread.
  • Utilize endpoint protection tools to halt any ongoing ransomware activities.
  • Perform a forensic analysis to understand the nature of the ransomware attack and how the vulnerability was exploited.
  • Examine CloudWatch logs and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Immediately revoke the VM’s wildcard access to CloudTrail by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5104: Public VM with wildcard resource access on S3 bucket


Overview

A public VM with wildcard resource access on an S3 bucket poses a serious security risk. Wildcard access means that the VM has broad and unrestricted access to all resources within the S3 bucket, including reading, writing, and deleting data. If this VM is compromised, an attacker could exploit this access to exfiltrate sensitive data, delete important files, or inject malicious data, leading to potential data breaches and loss of data integrity.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further exploitation and limit the attack's spread.
  • Utilize endpoint protection tools to halt any ongoing ransomware activities.
  • Perform a forensic analysis to understand the nature of the ransomware attack and how the vulnerability was exploited.
  • Examine S3 access logs and CloudTrail logs to identify unauthorized access and actions taken by the attacker.
  • Immediately revoke the VM’s wildcard access to the S3 bucket by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5105: Critical exploitable vulnerability on public VM with full access to RDS


Overview

A public VM with a critical exploitable vulnerability and full access to RDS (Relational Database Service) is a major security concern. This setup can lead to unauthorized access to sensitive data stored in the RDS databases. An attacker exploiting this vulnerability could potentially read, modify, delete data, or even gain full control over the database, leading to data breaches, data loss, and integrity issues.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further exploitation and limit the attack's spread.
  • Utilize endpoint protection tools to halt any ongoing ransomware activities.
  • Perform a forensic analysis to understand the nature of the ransomware attack and how the vulnerability was exploited.
  • Examine RDS logs, CloudTrail logs, and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Immediately revoke the VM’s full access to RDS by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5106: Wildcard access on RDS detected on public VM

Overview

A public VM with wildcard access on RDS (Relational Database Service) poses a significant security risk. Wildcard access means that the VM has unrestricted access to all RDS resources, including databases, instances, and snapshots. If this VM is compromised, an attacker could exploit this access to read, modify, delete data, or even gain full control over the databases, potentially leading to data breaches, data loss, and integrity issues.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further exploitation and limit the attack's spread.
  • Utilize endpoint protection tools to halt any ongoing ransomware activities.
  • Perform a forensic analysis to understand the nature of the ransomware attack and how the vulnerability was exploited.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Examine RDS logs, CloudTrail logs, and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.
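
The "replace wildcard permissions with least privilege" steps in CID 5096, 5098, 5099 and 5102 to 5106 all start from reading the instance role's policy document; the lint below, added here as an example and not TotalCloud's own code, flags `*` and `service:*` actions, `*` resources, and patterns that expand to the high-impact actions those insights describe. The CID mapping tables and the two sample policies are constructed assumptions; the input is the PolicyDocument shape the IAM API returns.

```python
"""Lint an IAM policy document for the wildcard and high-impact grants
described in the insights above. Added example, not TotalCloud's code;
the CID mapping and sample policies are constructed assumptions."""
import json
from fnmatch import fnmatchcase

# Service prefixes whose "service:*" grant corresponds to an insight above
# (assumed mapping). CloudWatch has two prefixes: metrics and Logs.
SERVICE_INSIGHTS = {
    "iam": "CID 5096", "cloudwatch": "CID 5102", "logs": "CID 5102",
    "cloudtrail": "CID 5103", "s3": "CID 5104", "rds": "CID 5106",
}
# Real IAM action names; grouping them under insights is our assumption.
HIGH_IMPACT_ACTIONS = {
    "iam:CreateUser": "can create IAM artifacts (CID 5099)",
    "iam:CreateRole": "can create IAM artifacts (CID 5099)",
    "iam:CreateGroup": "can create IAM artifacts (CID 5099)",
    "secretsmanager:GetSecretValue": "can read secret values (CID 5098)",
}


def _as_list(value):
    """Action/Resource fields may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for an identity policy given as a dict or JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"stmt {i}: NotAction/NotResource allows everything not listed; review by hand")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            # Action names are matched case-insensitively by IAM.
            service, _, verb = action.lower().partition(":")
            if action == "*":
                findings.append(f"stmt {i}: wildcard on all actions")
            elif verb == "*":
                tag = SERVICE_INSIGHTS.get(service, "no matching insight")
                findings.append(f"stmt {i}: wildcard on service {service} ({tag})")
            elif "*" in verb or "?" in verb:
                findings.append(f"stmt {i}: partial wildcard action {action}")
        if "*" in resources:
            findings.append(f"stmt {i}: wildcard resource")
        # Expand patterns such as iam:Create* against the high-impact list;
        # a bare "*" was already reported above and is skipped here.
        patterns = [a.lower() for a in actions if a != "*"]
        for act, why in HIGH_IMPACT_ACTIONS.items():
            if any(fnmatchcase(act.lower(), p) for p in patterns):
                findings.append(f"stmt {i}: grants {act}: {why}")
    return findings


# Constructed sample: an overly broad instance-role policy ...
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:Create*", "logs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::finance-archive/*"},
    ],
}
# ... and a least-privilege replacement scoped to one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]}],
}

if __name__ == "__main__":
    for line in lint_policy(CONSTRUCTED_POLICY):
        print(line)
    print("least-privilege findings:", lint_policy(LEAST_PRIVILEGE_POLICY))
```
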

 

CID 5107: Suspicious communication detected on public VM with access to discover other resources within AWS

Overview

A public VM with the ability to discover other AWS resources and detected with suspicious communication poses a significant security threat. This capability can allow an attacker to gather intelligence about the infrastructure, identify high-value targets, and plan further attacks.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further reconnaissance and potential data exfiltration.
  • Utilize endpoint protection tools to halt any ongoing malicious activities and prevent the spread of the threat.
  • Immediately revoke the VM’s access to discover other AWS resources by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Perform a forensic analysis to determine the extent of the reconnaissance and identify any data or resources that may have been accessed or targeted.
  • Examine CloudTrail logs, VPC flow logs, and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address known vulnerabilities.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5108: Public VM with administrative privilege that allows creating IAM artifacts (User, Group, Role)


Overview

A public VM with administrative privileges that allows the creation of IAM artifacts (such as users, groups, and roles) poses a significant security risk. If this VM is compromised, an attacker could create new IAM entities with elevated privileges, enabling them to gain persistent access to your AWS environment, escalate their privileges, and potentially exfiltrate or destroy data. This could lead to severe security breaches, unauthorized access, and loss of sensitive information.

Mitigation

  • Disconnect the VM from the network immediately to prevent any further unauthorized actions.
  • Use endpoint protection tools to stop any ongoing malicious activities and prevent the attacker from creating new IAM entities.
  • Immediately revoke the VM’s permissions to create IAM artifacts by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity, especially those involving IAM management.
  • Perform a forensic analysis to determine the extent of the compromise and identify any new IAM entities that may have been created by the attacker.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any vulnerabilities.
  • Change passwords, rotate access keys, and update any other credentials associated with the compromised VM and related IAM entities.
  • Review access logs to identify any other resources that may have been accessed or targeted by the attacker.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5109: Data breach risk due to a public VM with Amazon RDS database SQL query execution permissions detected with a critical vulnerability

Overview

A public VM with Amazon RDS database SQL query execution permissions that has been detected with a critical vulnerability presents a significant data breach risk. This combination of factors means that if the VM is compromised, an attacker could potentially exploit the vulnerability to gain unauthorized access to the RDS database, execute arbitrary SQL queries, and exfiltrate sensitive data. Such access could lead to data leaks, data corruption, and loss of data integrity.

Mitigation

  • Disconnect the compromised VM from the network immediately to prevent further unauthorized access to the RDS database.
  • Utilize endpoint protection tools to halt any ongoing malicious activities and prevent the spread of the threat.
  • Immediately revoke the VM’s permissions to execute SQL queries on the RDS database by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Perform a forensic analysis to determine the extent of the compromise and identify any data that may have been accessed or exfiltrated.
  • Examine RDS logs, CloudTrail logs, and other relevant logs to identify unauthorized access and actions taken by the attacker.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address the critical vulnerability.
  • Ensure that data at rest and in transit in the RDS database is encrypted to protect sensitive information.
  • Adjust the security group rules for the RDS database to allow connections only from trusted sources.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.

CID 5110: Zero-day vulnerability detected on public VM with administrative privilege


Overview

A zero-day vulnerability detected on a public VM with administrative privileges poses a critical security threat. Zero-day vulnerabilities are flaws in software that are unknown to the vendor and do not yet have a patch available, making them particularly dangerous. When combined with administrative privileges on a public VM, attackers can exploit this vulnerability to gain full control over the VM, access sensitive data, execute arbitrary commands, and potentially compromise other resources within the network.

Mitigation

  • Disconnect the affected VM from the network immediately to prevent any potential exploitation of the zero-day vulnerability.
  • Use endpoint protection tools to halt any ongoing malicious activities and prevent further spread.
  • Implement enhanced monitoring to detect any attempts to exploit the zero-day vulnerability.
  • Examine system logs, application logs, and network logs for signs of compromise or attempted exploitation.
  • Restrict administrative privileges to only those users who absolutely need it and review all privileged accounts.
  • Tighten security group and firewall rules to minimize exposure to the internet and allow only necessary traffic.
  • To reduce the risk of exploitation, apply any workarounds or temporary mitigations recommended by the software vendor or security community.
  • Disable any unnecessary services and ports on the VM to limit the potential attack vectors.
  • As soon as a patch becomes available for the zero-day vulnerability, apply it immediately to the affected VM.
  • Ensure the VM’s operating system and all installed software are regularly updated to the latest versions to prevent exploitation of other known vulnerabilities.
  • Change all administrative passwords, rotate access keys, and update any other credentials associated with the compromised VM.

CID 5111: Malware detected on public VM with destructive permissions for AWS KMS

Overview

Detection of malware on a public VM with destructive permissions for AWS Key Management Service (KMS) is a critical security threat. AWS KMS creates and manages cryptographic keys that secure data across AWS services. If malware with destructive permissions accesses these keys, it can decrypt sensitive data, delete encryption keys, or perform other malicious activities, potentially leading to significant data breaches, data loss, and system compromise.

Mitigation

  • Disconnect the infected VM from the network immediately to prevent the malware from spreading or causing further damage.
  • Use endpoint protection tools to stop any ongoing malicious activities and prevent further exploitation.
  • Immediately revoke the VM’s permissions to access and manage AWS KMS keys by updating IAM policies to follow the principle of least privilege.
  • Conduct a thorough review of IAM policies to ensure no excessive permissions are granted to any entity.
  • Perform a forensic analysis to determine the extent of the malware infection and identify any data or keys that may have been accessed or compromised.
  • Examine CloudTrail logs, KMS audit logs, and other relevant logs to identify unauthorized access and actions taken by the malware.
  • Ensure the VM’s operating system and applications are updated with the latest security patches to address any vulnerabilities.
  • Secure the VM by disabling unnecessary services, changing default configurations, and ensuring only necessary ports are open.
  • Rotate the encryption keys managed by AWS KMS to ensure that any potentially compromised keys are replaced.
  • Review and implement strict key policies to control access and operations on encryption keys.
  • Review and update security group and firewall rules to restrict traffic, allowing only necessary and secure connections.
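
The log-examination steps in CID 5098 to 5103, 5108, 5109 and 5111 (unusual API calls, recently created IAM entities, log tampering, secret and key access) amount to one triage pass over CloudTrail records for the suspect instance role; this added example, not TotalCloud's code, runs that pass over constructed records. The event names are real CloudTrail eventName values; the category grouping, the discovery threshold, the account id and the addresses are assumptions for illustration.

```python
"""Triage CloudTrail records attributed to a suspect instance role: IAM
artifact creation, persistence, log tampering, secret and key access, SQL
on RDS, and discovery bursts. Added example, not TotalCloud's code; the
records are constructed and the category table is an assumed mapping."""
from collections import Counter, defaultdict

# Real CloudTrail eventName values; grouping them by insight is our choice.
EVENT_CATEGORIES = {
    "CreateUser": "iam-artifact", "CreateRole": "iam-artifact",
    "CreateGroup": "iam-artifact", "AttachRolePolicy": "iam-artifact",
    "CreateAccessKey": "persistence", "CreateLoginProfile": "persistence",
    "StopLogging": "log-tampering", "DeleteTrail": "log-tampering",
    "UpdateTrail": "log-tampering", "PutEventSelectors": "log-tampering",
    "GetSecretValue": "secret-access",
    "ScheduleKeyDeletion": "kms-destructive", "DisableKey": "kms-destructive",
    "ExecuteStatement": "rds-sql",
}
DISCOVERY_THRESHOLD = 5  # Describe*/List* calls before flagging (assumed)


def _is_discovery(event_name):
    return event_name.startswith(("Describe", "List"))


def triage(events, role_name):
    """Map category -> one-line summaries for events whose userIdentity.arn
    contains role_name (the role itself or its assumed-role sessions).
    Denied calls are kept: a refused StopLogging still shows intent."""
    findings = defaultdict(list)
    discovery = Counter()
    for ev in events:
        if role_name not in ev.get("userIdentity", {}).get("arn", ""):
            continue
        name = ev["eventName"]
        summary = f"{ev['eventTime']} {ev['eventSource']} {name} from {ev.get('sourceIPAddress', '?')}"
        if ev.get("errorCode"):
            summary += f" (denied: {ev['errorCode']})"
        category = EVENT_CATEGORIES.get(name)
        if category:
            findings[category].append(summary)
        elif _is_discovery(name):
            discovery[ev["eventSource"]] += 1
    total = sum(discovery.values())
    if total >= DISCOVERY_THRESHOLD:
        per_service = ", ".join(f"{s}={n}" for s, n in sorted(discovery.items()))
        findings["discovery"].append(
            f"{total} Describe/List calls across {len(discovery)} services: {per_service}")
    return dict(findings)


def _ev(time, source, name, role="web-instance-role", ip="203.0.113.10", error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/i-0abc"},
           "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: a discovery sweep, a secret read, a new user with a
# key, a blocked attempt to stop CloudTrail, plus one unrelated role.
CONSTRUCTED_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "ec2", "DescribeInstances"),
    _ev("2024-05-01T10:00:03Z", "s3", "ListBuckets"),
    _ev("2024-05-01T10:00:04Z", "secretsmanager", "ListSecrets"),
    _ev("2024-05-01T10:00:05Z", "rds", "DescribeDBInstances"),
    _ev("2024-05-01T10:00:06Z", "iam", "ListUsers"),
    _ev("2024-05-01T10:00:09Z", "secretsmanager", "GetSecretValue"),
    _ev("2024-05-01T10:01:00Z", "iam", "CreateUser"),
    _ev("2024-05-01T10:01:05Z", "iam", "CreateAccessKey"),
    _ev("2024-05-01T10:02:00Z", "cloudtrail", "StopLogging", error="AccessDenied"),
    _ev("2024-05-01T10:03:00Z", "iam", "CreateRole", role="ci-role", ip="198.51.100.7"),
]

if __name__ == "__main__":
    for category, lines in triage(CONSTRUCTED_EVENTS, "web-instance-role").items():
        print(category, *lines, sep="\n  ")
```
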