Hello everyone! My name is Asaf Aprozper, and I am thrilled to share some insights I recently presented at fwd:cloudsec 2023. For those who don't know me, I lead the SecOps team at Moon Active, a global gaming company. Our daily challenges involve securing an extensive cloud infrastructure using AWS and GCP, all coordinated with a worldwide network of dedicated DevOps teams. Over the years, I've had the pleasure of speaking at numerous events, including CodeBlue Japan, BSides Cyprus, and Black Hat USA Arsenal. My topics ranged from memory process injection and threat hunting to external attack surface analysis. However, today, I want to focus on an area that has become my passion and daily routine - cloud security. In this blog post, we're going to unmask a critical aspect of cloud security that often goes unnoticed: subnet misconfigurations and their potential for exploitation using lookalike IP ranges. This discovery isn't just an interesting quirk of cloud environments - it's a serious security concern that can bypass security groups and firewall rules. So, let's dive in and explore how these lookalike IP ranges can be leveraged to exploit cloud misconfigurations.

1. Unmasking the Subnet:
Lookalike IP Ranges in Cloud
Environments
Asaf Aprozper
June, 2023

2. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Leading the SecOps team at Moon Active
● Securing Gaming cloud infrastructures with a
global network of DevOps teams
● Previously spoken at CodeBlue Japan, BSides
Cyprus and Black Hat USA Arsenal
Asaf Aprozper

3. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
23%
Misconfiguration is the number one reason
of cloud security incidents in 2022
Check Point, 2022 Cloud Security Report

4. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
2022 Cloud Security Incidents

5. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Takeaways
01
Private IP addresses
Implementation in
today’s cloud
RFC 1918 Standart
02
Common misconfigurations
Proactive hunting flow
New cloud misconfiguration
Misconfigurations
03 Identify the exact issue
Evaluate it using
different resources
Assessing scope of
security issue
05 Splunk & Sigma hunting
rules;IP Unmasker;SG
Unmasker
Open source tools
04 Getting a proxy
configure it using open
source tools
Proxying like a pro

6. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Issue - Allowing unrestricted inbound access to some or all ports
using the IP range 0.0.0.0/0
Security Risks - Enabling external security attacks such as port
scans, log4shell payloads, and other exploitations attempts
Recommendation - Restrict inbound access to specific required IP
addressesVPN range and by port, even within internal networks
The Common MistakeMisconfiguration
0.0.0.0/0

7. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
AWS Suggestion - Easy to Get Misconfigured

8. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Discovering a
New Cloud
Misconfiguration!

9. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Lookalike Private
IP Ranges
Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

10. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proactive
Threat Hunting

11. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Actively searching for undetected cyber threats that
have bypassed initial security defenses within a
network
● Not waiting for alerts, taking initiative
● Game-changer in the defense strategy of organizations
Proactive Threat Hunting

12. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proactive Threat Hunting Flow

13. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proactive Hunting After
Cloud Misconfigurations
That Can Lead for
Threats

14. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proactively Hunting Using Splunk

15. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Detecting Unusual IPs over Security Groups
Aws
Region eventName
Recipient
AccountId
Source IP
Range
Security
Group Desc org asn country
us-east-2
Authorize
SecurityGroup
Ingress
123456789101 178.62.238.39/32 Site24x7 DIGITALOCEAN-ASN AS14061 Netherlands
us-east-2 123456789101 188.166.3.204/32 Site24x7 DIGITALOCEAN-ASN AS14061 Netherlands
us-east-2 123456789101 104.24.0.0/14 WAF CLOUDFLARE-NET AS13335 Canada
us-east-2 123456789101 172.64.0.0/13 WAF CLOUDFLARE-NET AS13335 Germany
us-east-2 123456789101 77.125.230.136/32 Home Lab
Partner Communications
Ltd. AS12400 Israel
us-east-2 123456789101 172.16.0.0/12 Private IP Range
us-east-2 123456789101 172.32.0.0/11 Private IP Range T-MOBILE AS21928 United States
us-east-1 123456789101 172.0.0.0/8 Private IP Range ATT-INTERNET AS7018 United States
Data Enrichment
CloudTrail Log

16. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Source IP Range Security Group Desc org asn country
172.32.0.0/11 Private IP Range T-MOBILE-AS21928 AS21928
United
States
172.0.0.0/8 Private IP Range ATT-INTERNET4 AS7018
United
States

17. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

18. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

19. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
New Cloud Misconfiguration!

20. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Is it possible to get a
lookalike IP address
of my own?

21. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Let’s go back
to the start…

22. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Established by the Internet Engineering Task Force in 1996 due to
the rapid growth of the Internet and shortage of IPv4 addresses
● Enabled private organizations to use specific IP addresses
internally, separate from the public Internet
● Created a division between public and private hosts, with private
hosts not directly accessible from the Internet
RFC 1918 Standard

23. RFC 1918 Private Addresses
Class CIDR block Private Address Range
A 10.0.0.0/8 10.0.0.0 - 10.255.255.255
B 172.16.0.0/12 172.16.0.0 - 172.31.255.255
C 192.168.0.0/16 192.168.0.0 - 192.168.255.255
Asaf Aprozper | fwd:cloudsec 2023 https://github.com/3pun0x/Unmasking-The-Subnet

24. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
RFC 1918 in
The Cloud

25. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
What is Virtual Private Cloud (VPC)?

26. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
IPv4 VPC CIDR blocks

27. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Public/Private
Subnet
Architecture

28. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Where is The
LookAlike
Misconfiguration?

29. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Creating a VPC
with LookAlike
IPv4 CIDR?

30. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
AT&T IP
Ranges

31. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

32. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
IP Addressing for Your Vpcs and Subnets
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

33. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Security
Groups?

34. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Security Group - LookAlike Inbound Rule

35. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Security Group - LookAlike Inbound Rule
LookAlike IP Range Total
172.0.0.1 172.255.255.254 16,777,216

36. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Implemented
over
Infrastructure

37. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Public Subnet

38. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Getting a
LookAlike Private
IP Address
$4.99

39. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Generic Website Selling Mobile Proxy

40. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
1 - Choose The
Proxy Package

41. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
2 - Select the Desired
LookAlike IP Range
(Carrier)

42. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
3 - Pay by
Credit
Card/Crypto

43. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
60 Seconds
Later

44. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
��

45. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proxy Information

46. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

47. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Using Mobile Proxy to bypass restrictions

48. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Now What?

49. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Misconfiguration identified
● LookAlike IP address
● Attacker & Victim
● Scope of security risk
Where We Stand Now

50. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Attacker

51. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Attacker’s Toolset
Kali Linux
LookAlike Proxy

52. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Victim

53. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Nginx EC2 in a Public Subnet

54. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Attached to a Security Group with a lookalike
Private IP Range
CIDR LookAlike IP Range Total IPs
172.0.0.0/8 172.0.0.1 - 172.255.255.254 16,777,216

55. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
PoC Demo

56. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

57. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Misconfiguration
Scope

58. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
GitHub

59. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
GitHub -
Search
after
lookalike
ranges

60. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
GitHub -
Hashicorp
● AS7018 - AT&T
Services, Inc.

61. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
GitHub - AWS ELB Listen Rule Example
Misconfigured
CIDR LookAlike IP Range Total IPs
172.0.0.0/8 172.0.0.1 172.255.255.254 16,777,216

62. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Scanning the
Internet after
Misconfiguration

63. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Proxy IP Unmasker

64. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
AWS EC2s IP
Ranges as
Ready-To-Scan
Targets

65. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

66. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Reviewing The Findings
● Dev environments
● Sensitive internal companies
web platforms
● Apache directory listing of
internal files
● More…

67. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

68. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Leveraging ProxyChains
with Nmap to scan a
Misconfigured Asset After
Exposed Services

69. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
ProxyChains

70. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
ProxyChains

71. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
ProxyChains + Nmap
CMDline:
proxychains nmap -Pn -n -sT --top-ports 10 --open target_ip_address

72. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

73. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Detecting the
creation/modification of
security groups with lookalike
misconfigurations

74. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Splunk Query: CreationModify of Security
Group with LookAlike Private IP Address
index="aws" (eventName="AuthorizeSecurityGroupIngress" OR eventName="ModifySecurityGroupRules") AND
errorCode=success
| rename requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp as cidrIpAuthoriz
| rename requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4
as cidrIpModify
| eval cidrIp = coalesce(cidrIpAuthoriz,cidrIpModify) #Combine different event types and grabbed the cidrIp
| mvexpand cidrIp #Handling multi-value CIDRs
| eval single_ip = mvindex(split(cidrIp, "/"), 0) #Split CIDR to single IP
| where cidrmatch("172.1.0.0/22", single_ip) OR cidrmatch("172.32.0.0/11", single_ip) #Search for single IP in
AT&T and T-Mobile lookalike private IP ranges

75. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Preventing the
creation of lookalike
security groups

76. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● AWS Config Rule
● GCP Organization Policy
● Raise Awareness for Cloud Users
○ Share this Talk with Your DevOps Teams
○ Use My Informative Stickers
○ Subnet Calculator Websites for Easy Checking
How to prevent?

77. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
The Shared
Responsibility Model

78. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● Ensuring security by properly configuring and managing
security settings according to their needs
● Monitoring their cloud resources for unusual or
unauthorized activities
● Ensuring that the teams responsible for managing and
using cloud resources are well trained and aware of
security risks
Customer's Responsibility

79. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Cloud Service Provider's Responsibility
● Can provide tools, best practices, guidelines to
assist in properly secure cloud
● UI Message alerts
● GuardDuty alerts for public exposure

80. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
New
Instance =
Public
Exposure

81. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
No alert when
creating a
public security
group

82. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
After Capital One
Data Hack, AWS Will
Scan for
Misconfigurations

83. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
Recommendation for the cloud service
provider - Check button for public exposure
over Security Groups as for S3 buckets

84. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023
● As a cloud defender you must think ahead of the users, not only the
attackers
● The impact can be very high, I only scanned a small amount of AWS
EC2 ranges in only specific region and only under the HTTP service
● Think about what a bad actor could do - they could increase their
scan to GCP, Azure, more AWS ranges, and do more once found a
misconfigured asset - they can brute force directories too
● Can we leverage that issue to find lookalike over S3 buckets as
well?
Closing Words

85. Asaf Aprozper | @3pun0x | fwd:cloudsec 2023

86. Thank You
Asaf Aprozper
@3pun0x
GitHub Repository