Attack technique leveraging newer AWS functionality.
Dec 21, 2022

Mitiga Threat Researchers discuss a new potential cyberthreat in AWS that utilizes a recently introduced AWS function.

Mitiga yesterday released research discussing a new potential threat vector that leverages an AWS functionality known as Elastic IP transfer.

What is Elastic IP transfer?

In October of this year, Amazon VPC (Virtual Private Cloud) gained a new feature called “Elastic IP transfer,” which allows Elastic IP addresses (EIPs) to be transferred between AWS accounts. Importantly, the capability is not limited to the user's own accounts, or even to their organization: EIPs can be transferred between any active AWS accounts.

How Elastic IP transfer can be abused.

If the necessary permissions are enabled on a potential victim's AWS account, a malicious actor can transfer the victim's EIP to their own account with a single API call. This is noted to be a later-stage attack, occurring after initial compromise.
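A defender can look for that single call in CloudTrail. The sketch below is an added example, not code from Mitiga or from this article: it flags `EnableAddressTransfer` calls (the EC2 API action that starts a transfer) whose target account is outside a trusted set. The record layout, account IDs and allocation IDs are constructed assumptions.

```python
TRANSFER_EVENT = "EnableAddressTransfer"  # EC2 API action that starts a transfer

def find_key(obj, name):
    """Case-insensitive key lookup at any depth. The exact nesting of
    requestParameters is an assumption, so the lookup does not depend on it."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() == name.lower():
                return value
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = find_key(item, name)
            if found is not None:
                return found
    return None

def flag_transfers(records, trusted_accounts):
    """Return one finding per transfer attempt aimed outside trusted_accounts."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != TRANSFER_EVENT:
            continue
        params = rec.get("requestParameters") or {}
        target = find_key(params, "TransferAccountId")
        if target in trusted_accounts:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "allocation": find_key(params, "AllocationId"),
            "target": target,  # None means the field was not found: review by hand
            # Denied calls are kept: they show someone attempting the transfer.
            "outcome": rec.get("errorCode") or "succeeded",
        })
    return findings

def sample_event(name, params, error=None):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "eventTime": "2022-12-21T10:00:00Z", "errorCode": error,
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"},
            "requestParameters": params}

SAMPLE = [  # constructed: trusted transfer, two untrusted attempts, unrelated call
    sample_event(TRANSFER_EVENT, {"allocationId": "eipalloc-0aaa", "transferAccountId": "222222222222"}),
    sample_event(TRANSFER_EVENT, {"EnableAddressTransferRequest": {"AllocationId": "eipalloc-0bbb", "TransferAccountId": "999999999999"}}),
    sample_event(TRANSFER_EVENT, {"allocationId": "eipalloc-0ccc", "transferAccountId": "999999999999"}, error="Client.UnauthorizedOperation"),
    sample_event("AssociateAddress", {"allocationId": "eipalloc-0aaa"}),
]
```

Because the feature allows transfers to any active AWS account, the trusted set should list every account the organization actually owns; anything else is worth an alert.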

What can a cybercriminal do with a stolen EIP?

Mitiga notes that threat actors may attempt to use the stolen EIP to reach a victim’s network endpoints that are often secured by firewalls. Malicious mimicry is also a concern: threat actors using stolen IPs could run phishing campaigns under the victim’s identity, or even run a C&C (command and control) malware server. The stolen EIP may also allow a malicious actor to pose as the victim’s network endpoint that used the EIP before its theft.