Hello everyone! My name is Asaf Aprozper, and I am thrilled to share some insights I recently presented at fwd:cloudsec 2023. For those who don't know me, I lead the SecOps team at Moon Active, a global gaming company. Our daily challenges involve securing an extensive cloud infrastructure using AWS and GCP, all coordinated with a worldwide network of dedicated DevOps teams.
Over the years, I've had the pleasure of speaking at numerous events, including CodeBlue Japan, BSides Cyprus, and Black Hat USA Arsenal. My topics ranged from memory process injection and threat hunting to external attack surface analysis. However, today, I want to focus on an area that has become my passion and daily routine - cloud security.
In this blog post, we're going to unmask a critical aspect of cloud security that often goes unnoticed: subnet misconfigurations and their potential for exploitation using lookalike IP ranges. This discovery isn't just an interesting quirk of cloud environments - it's a serious security concern that can bypass security groups and firewall rules.
So, let's dive in and explore how these lookalike IP ranges can be leveraged to exploit cloud misconfigurations.
2. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Leading the SecOps team at Moon Active
● Securing gaming cloud infrastructures with a global network of DevOps teams
● Previously spoken at CodeBlue Japan, BSides Cyprus and Black Hat USA Arsenal
3. 23% - Misconfiguration is the number one reason for cloud security incidents in 2022
Source: Check Point, 2022 Cloud Security Report
5. Takeaways
01 Private IP addresses - RFC 1918 standard; implementation in today's cloud
02 Misconfigurations - common misconfigurations; proactive hunting flow; new cloud misconfiguration
03 Assessing scope of security issue - identify the exact issue; evaluate it using different resources
04 Proxying like a pro - getting a proxy and configuring it using open source tools
05 Open source tools - Splunk & Sigma hunting rules; IP Unmasker; SG Unmasker
6. The Common Mistake/Misconfiguration: 0.0.0.0/0
Issue - Allowing unrestricted inbound access to some or all ports using the IP range 0.0.0.0/0
Security Risks - Enabling external attacks such as port scans, Log4Shell payloads and other exploitation attempts
Recommendation - Restrict inbound access to specific required IP addresses/VPN range and by port, even within internal networks
7. AWS Suggestion - Easy to Get Misconfigured
8. Discovering a New Cloud Misconfiguration!
11. Proactive Threat Hunting
● Actively searching for undetected cyber threats that have bypassed initial security defenses within a network
● Not waiting for alerts, taking initiative
● Game-changer in the defense strategy of organizations
15. Detecting Unusual IPs over Security Groups
CloudTrail log fields: AWS Region, eventName, Recipient AccountId, Source IP Range, Security Group Desc. Data enrichment fields: org, asn, country.
AWS Region | eventName | Recipient AccountId | Source IP Range | Security Group Desc | org | asn | country
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 178.62.238.39/32 | Site24x7 | DIGITALOCEAN-ASN | AS14061 | Netherlands
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 188.166.3.204/32 | Site24x7 | DIGITALOCEAN-ASN | AS14061 | Netherlands
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 104.24.0.0/14 | WAF | CLOUDFLARE-NET | AS13335 | Canada
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 172.64.0.0/13 | WAF | CLOUDFLARE-NET | AS13335 | Germany
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 77.125.230.136/32 | Home Lab | Partner Communications Ltd. | AS12400 | Israel
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 172.16.0.0/12 | Private IP Range | - | - | -
us-east-2 | AuthorizeSecurityGroupIngress | 123456789101 | 172.32.0.0/11 | Private IP Range | T-MOBILE | AS21928 | United States
us-east-1 | AuthorizeSecurityGroupIngress | 123456789101 | 172.0.0.0/8 | Private IP Range | ATT-INTERNET | AS7018 | United States
16. The two "Private IP Range" rules that resolve to public carriers
Source IP Range | Security Group Desc | org | asn | country
172.32.0.0/11 | Private IP Range | T-MOBILE-AS21928 | AS21928 | United States
172.0.0.0/8 | Private IP Range | ATT-INTERNET4 | AS7018 | United States
20. Is it possible to get a lookalike IP address of my own?
21. Let's go back to the start...
22. RFC 1918 Standard
● Established by the Internet Engineering Task Force in 1996 due to the rapid growth of the Internet and the shortage of IPv4 addresses
● Enabled private organizations to use specific IP addresses internally, separate from the public Internet
● Created a division between public and private hosts, with private hosts not directly accessible from the Internet
23. RFC 1918 Private Addresses
Class | CIDR block | Private Address Range
A | 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255
B | 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255
C | 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255
Repository: https://github.com/3pun0x/Unmasking-The-Subnet
24. RFC 1918 in The Cloud
25. What is Virtual Private Cloud (VPC)?
32. IP Addressing for Your VPCs and Subnets
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html
49. Where We Stand Now
● Misconfiguration identified
● Lookalike IP address
● Attacker & Victim
● Scope of security risk
53. Nginx EC2 in a Public Subnet
54. Attached to a Security Group with a Lookalike Private IP Range
CIDR | Lookalike IP Range | Total IPs
172.0.0.0/8 | 172.0.0.1 - 172.255.255.254 | 16,777,216
73. Detecting the creation/modification of security groups with lookalike misconfigurations
74. Splunk Query: Creation/Modify of Security Group with Lookalike Private IP Address
The query combines the CIDRs from both event types into one cidrIp field, expands multi-value CIDRs, splits each CIDR to its base IP, and matches that IP against the AT&T and T-Mobile lookalike private IP ranges (the inline "#" notes on the slide are not valid SPL comments, so they are folded into this sentence):
index="aws" (eventName="AuthorizeSecurityGroupIngress" OR eventName="ModifySecurityGroupRules") AND errorCode=success
| rename requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp as cidrIpAuthoriz
| rename requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4 as cidrIpModify
| eval cidrIp = coalesce(cidrIpAuthoriz, cidrIpModify)
| mvexpand cidrIp
| eval single_ip = mvindex(split(cidrIp, "/"), 0)
| where cidrmatch("172.1.0.0/22", single_ip) OR cidrmatch("172.32.0.0/11", single_ip)
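As an added example (not code from the talk or from the author's Unmasking-The-Subnet tools), the Python below does offline what the Splunk query above does over CloudTrail: it pulls every cidrIp out of AuthorizeSecurityGroupIngress events and flags ranges that look like RFC 1918 but are not, also counting how many of the rule's addresses fall outside RFC 1918. It generalises beyond the two hard-coded carrier ranges to any first-octet lookalike (such as 10.0.0.0/7); the sample events are constructed and the IPv4-only restriction is an assumption.

```python
import ipaddress

# RFC 1918 private ranges, as listed on slide 23.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_cidr(cidr):
    """Return (kind, public_ips) for a security-group CIDR: kind is "private", "lookalike"
    or "public"; public_ips counts the rule's addresses outside RFC 1918. A lookalike
    shares a private range's first octet without being inside it (172.0.0.0/8, 172.32.0.0/11)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:  # assumption: only IPv4 rules are assessed here
        return "public", net.num_addresses
    if any(net.subnet_of(p) for p in RFC1918):
        return "private", 0
    # CIDRs either nest or are disjoint, so any overlap means net contains the whole private block.
    inside_private = sum(p.num_addresses for p in RFC1918 if p.subnet_of(net))
    first_octet = int(net.network_address) >> 24
    lookalike = any(first_octet == int(p.network_address) >> 24 for p in RFC1918)
    return ("lookalike" if lookalike else "public"), net.num_addresses - inside_private

def cidrs_from_event(event):
    """Yield each cidrIp of an AuthorizeSecurityGroupIngress CloudTrail event
    (requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp)."""
    for perm in event.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if "cidrIp" in rng:
                yield rng["cidrIp"]

def hunt(events):
    """Return (accountId, cidr, kind, public_ips) for every successful ingress rule that
    is not a genuine RFC 1918 range. CloudTrail sets errorCode only on failed calls."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in ev:
            continue
        for cidr in cidrs_from_event(ev):
            kind, public_ips = classify_cidr(cidr)
            if kind != "private":
                findings.append((ev["recipientAccountId"], cidr, kind, public_ips))
    return findings

SAMPLE_EVENTS = [  # constructed CloudTrail events, not real log data
    {"eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": "123456789101",
     "requestParameters": {"ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": "172.16.0.0/12"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": "123456789101",
     "requestParameters": {"ipPermissions": {"items": [{"ipRanges": {"items": [
         {"cidrIp": "172.0.0.0/8"}, {"cidrIp": "172.32.0.0/11"}]}}]}}},
]
```

Running hunt(SAMPLE_EVENTS) reports only the two lookalike rules; the genuine 172.16.0.0/12 rule is dropped as private.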
75. Preventing the creation of lookalike security groups
76. How to Prevent?
● AWS Config Rule
● GCP Organization Policy
● Raise Awareness for Cloud Users
○ Share this talk with your DevOps teams
○ Use my informative stickers
○ Subnet calculator websites for easy checking
77. The Shared Responsibility Model
78. Customer's Responsibility
● Ensuring security by properly configuring and managing security settings according to their needs
● Monitoring their cloud resources for unusual or unauthorized activities
● Ensuring that the teams responsible for managing and using cloud resources are well trained and aware of security risks
79. Cloud Service Provider's Responsibility
● Can provide tools, best practices and guidelines to assist in properly securing the cloud
● UI message alerts
● GuardDuty alerts for public exposure
80. New Instance = Public Exposure
81. No alert when creating a public security group
82. After Capital One Data Hack, AWS Will Scan for Misconfigurations
83. Recommendation for the cloud service provider - a check button for public exposure over Security Groups, as already exists for S3 buckets
84. Closing Words
● As a cloud defender you must think ahead of the users, not only the attackers
● The impact can be very high: I only scanned a small amount of AWS EC2 ranges, in only one specific region and only for the HTTP service
● Think about what a bad actor could do - they could extend the scan to GCP, Azure and more AWS ranges, and do more once a misconfigured asset is found, such as brute forcing directories
● Can we leverage this issue to find lookalikes over S3 buckets as well?