The Risks of AWS CDK Vulnerabilities for Businesses


Overview
In December 2024, BeyondTrust, a leading company in privileged access management, discovered a zero-day vulnerability in a third-party application. An attacker exploited this vulnerability to access an online asset in BeyondTrust's AWS account, obtaining an infrastructure API key. This API key was then used to reset local application passwords, allowing unauthorized access to the Remote Support SaaS instances of 17 customers.
During the investigation, BeyondTrust identified two vulnerabilities in its product:
CVE-2024-12356: A command injection vulnerability that allows an unauthenticated attacker to execute operating system commands remotely.
CVE-2024-12686: A vulnerability that allows users with administrative privileges to upload malicious files and inject commands.
BeyondTrust quickly revoked the compromised API key, isolated the affected customer instances, and provided replacement Remote Support SaaS instances. The company also released patches for the discovered vulnerabilities and recommended that self-hosted customers update their systems.
Affected Versions
BeyondTrust Remote Support: all versions from 22.1.x to 24.3.1 and earlier are affected by CVE-2024-12356.
BeyondTrust Privileged Remote Access: versions from 22.1.x to 24.3.1 and earlier are affected by this vulnerability as well.
Key Findings
According to published reports, this attack is believed to have been carried out by the China-based hacker group Silk Typhoon (formerly known as Hafnium). The group used the stolen API key to access unclassified data from the U.S. Department of the Treasury.
This incident highlights the importance of tightly managing API keys and regularly updating security patches to protect systems from potential threats.
Campaign Implementation Stages
Collect and steal the API key.
Initially, the attackers exploited a security issue in the AWS Cloud Development Kit (CDK) that could allow them to take control of some customer accounts. The issue arises from CDK's use of predictable names for the resources it creates, in particular the S3 bucket created during the bootstrap process. If an attacker knows the victim's AWS account ID and region, they can pre-create an S3 bucket with that predictable name before the victim does.
Note: an Amazon S3 (Simple Storage Service) bucket is a storage container in AWS S3 that holds data as objects; it is roughly like a "folder" in the cloud.
According to AWS reports, to gain control of BeyondTrust's AWS account the attacker would:
Identify target information: The attacker needs to know the victim's AWS account ID and region.
Create a fake S3 bucket: Based on CDK's predictable naming structure, the attacker creates an S3 bucket with the corresponding name.
Insert malicious code: The attacker configures the bucket to allow public access and creates a Lambda function to insert malicious code into CloudFormation template files when they are uploaded to the bucket.
Wait for deployment: When the victim runs the cdk deploy command, this process uploads the template files to the fake bucket, where the malicious code is inserted.
Gain control: The inserted malicious code creates an administrator role that the attacker can use to access and control the victim's AWS account.
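The bucket-squatting steps above can be caught before cdk deploy uploads anything: derive the bootstrap bucket name for the account and region, then ask S3 whether that bucket is actually owned by the account. The following is an added example, not code from the article or from the AWS CDK project; the name pattern and default qualifier are the CDK bootstrap defaults, ExpectedBucketOwner is a real S3 request parameter, and the account IDs and in-memory S3 stand-in are constructed so it runs offline.

```python
import re

# 'cdk bootstrap' names the staging bucket cdk-<qualifier>-assets-<account>-<region>
# (default qualifier hnb659fds), so the whole name is guessable from public inputs.
DEFAULT_QUALIFIER = "hnb659fds"

def bootstrap_bucket_name(account_id, region, qualifier=DEFAULT_QUALIFIER):
    """Derive the staging bucket name exactly as the bootstrap stack does."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    return f"cdk-{qualifier}-assets-{account_id}-{region}"

def verify_bucket_owner(head_bucket, bucket, account_id):
    """Classify the staging bucket before 'cdk deploy' uploads anything to it.
    S3 answers HeadBucket with 403 when ExpectedBucketOwner does not match the
    real owner and with 404 when no bucket of that name exists."""
    try:
        head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        return "owned"          # the bucket is ours: safe to deploy
    except Exception as exc:
        # botocore's ClientError keeps the status in exc.response; FakeS3Error mimics it
        status = getattr(exc, "response", {}).get("ResponseMetadata", {}).get("HTTPStatusCode")
        if status == 404:
            return "missing"    # unclaimed name: bootstrap will create it
        if status in (301, 403):
            return "not-ours"   # exists but is not ours (or we lack access): stop
        raise

class FakeS3Error(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.response = {"ResponseMetadata": {"HTTPStatusCode": status}}

def fake_head_bucket(owners):
    """Constructed offline stand-in for boto3.client("s3").head_bucket;
    owners maps bucket name -> owning account ID."""
    def head_bucket(Bucket, ExpectedBucketOwner):
        if Bucket not in owners:
            raise FakeS3Error(404)
        if owners[Bucket] != ExpectedBucketOwner:
            raise FakeS3Error(403)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}
    return head_bucket

def demo():
    """Victim 111122223333 checks three regions; an attacker (999988887777) has squatted us-east-1."""
    victim, attacker = "111122223333", "999988887777"
    head = fake_head_bucket({bootstrap_bucket_name(victim, "us-east-1"): attacker,
                             bootstrap_bucket_name(victim, "eu-west-1"): victim})
    return {r: verify_bucket_owner(head, bootstrap_bucket_name(victim, r), victim)
            for r in ("us-east-1", "eu-west-1", "ap-south-1")}
```

Against a real account, pass boto3.client("s3").head_bucket as the first argument and treat any result other than "owned" or "missing" as a reason to stop the deployment. Bootstrapping with a non-default --qualifier removes the guessability this check guards against.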
Use API keys to access the system.
After obtaining the API key, the attacker used it to gain unauthorized access to the BeyondTrust Remote Support SaaS instances of 17 affected customers.
According to published reports, this API key allowed the attacker to perform various unauthorized actions on the system, including:
Change or reset local passwords on the system.
Retrieve sensitive information of BeyondTrust customers.
Execute remote commands on BeyondTrust Remote Support SaaS servers.
Exploiting the Vulnerability to Escalate the Attack
In this targeted attack campaign, the hacker group "Silk Typhoon" exploited two vulnerabilities, CVE-2024-12356 and CVE-2024-12686, to carry out malicious activities:
Expand access from BeyondTrust Remote Support SaaS to more critical systems.
Create new admin accounts to maintain long-term control.
Install malware (Backdoor or RAT) to monitor and conduct future attacks.
How CVE-2024-12356 executes the attack campaign
The hacker group sends malicious HTTP requests to the BeyondTrust system with PowerShell commands embedded in them.
The embedded commands are executed with site user privileges, allowing the group to take control of the system.
Once they control the system, the attackers access sensitive data and expand the targeted attack.
After gaining admin access through CVE-2024-12356, the attackers then exploit CVE-2024-12686 to inject operating system commands, with several impacts:
Remote code execution.
Access to sensitive data.
Attack expansion.
Erase traces and maintain access
Finally, after escalating privileges, the attacker performs actions such as deleting system logs or hiding malware to avoid detection by security analysts.
Additionally, the backdoor continues to run and exploit the system even after the API key has been revoked.
IOC
Related IP Addresses
Recommendations
Update BeyondTrust Remote Support SaaS to the latest version to patch security vulnerabilities.
Restrict API access and monitor unusual requests.
Enable multi-factor authentication (MFA) for admin accounts.
Check system logs to detect suspicious activity.
Conclusion
The BeyondTrust Zero-Day attack highlights the importance of protecting API Keys and SaaS systems. This attack could be part of a cyber-espionage campaign targeting key organizations in the United States. Businesses and organizations should update their systems, monitor API activity, and enhance security policies to avoid similar risks.
Successful privilege escalation poses many threats, such as exposure of sensitive customer information and internal data. It could also affect the entire BeyondTrust system if not promptly contained.
Written by Lưu Tuấn Anh
