AWS’s 2020 Attacks

Ian Tibble
2 min read · Jun 14, 2020

It’s rare that you ever get a chance to see what’s actually happening out there on the Internetz. When there’s an incident report, we often get the standard “sophisticated attack”. Sometimes even a “nation state” disclaimer is added, although why nation state actors would be attacking that particular organisation is somewhat of a mystery. But we so rarely ever get details. Mind you — if the victim is anything like many of the organisations I worked with, they may not have even the basics of logging covered, so there’s a good chance they may not know themselves exactly what happened.

Now — AWS does have the odd customer here and there, and there are some interesting real-life stories from 2020 here.

Leadenhall Summer

Now the DDoS is one thing (BTW, some interesting stats from 2018 are reported here, not least that memcache DDoS’age is STILL going strong; I am fairly sure it was much earlier in the decade when this first popped up on my radar). If real, this is indeed a huge amplification attack, and apparently AWS didn’t lose much in the way of service availability here. But then there are some other facets that were reported, in the way of attempts to compromise services:

  • What was reported as “Docker unauthenticated RCE” comes in many forms. As well as the example given (containers built, possibly for bitcoin mining, through the wide-open API on TCP 2375/2376), there’s another example here, given a CVSS rating of 9.8!!
  • SSH brute forces and other exploit attempts — don’t expose SSH! It was supposed to be one of the main benefits of moving to cloud: you get the chance to fix the problems you had on-premise. So then why are there so many SSH services exposed?
  • Redis unauthenticated RCE — there is even at least one Redis RCE module in Metasploit, so you’re in trouble if you don’t lock down this service. The clue is in the “unauthenticated” part of the description for this issue. As well as authentication, there are some other things to consider with Redis.
  • Apache Hadoop YARN RCE — again this is about remote code execution, and it has been known to be a subject of business interest for Xbash ransomware fans.
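Every item in that list is a service that only becomes a problem when it is reachable from the whole Internet. As an added example (not code from the original post), here is a small Python audit that walks EC2 security group rules and flags any rule that opens the default listening ports of those services (SSH, Docker API, Redis, YARN) to 0.0.0.0/0 or ::/0. The input mirrors the IpPermissions shape of `aws ec2 describe-security-groups` output; the port-to-service table assumes default ports, and the sample groups are constructed for illustration. It also handles the two edge cases that simple port matching misses: an "all traffic" rule (IpProtocol "-1") and a port range that merely spans a risky port.

```python
"""Audit EC2 security group rules for management ports open to the world.

Added example, not code from the original post. The group structure
mirrors the IpPermissions shape of `aws ec2 describe-security-groups`;
the SAMPLE_GROUPS below are constructed, not real accounts.
"""
from typing import Dict, List

# Services from the post's list and their default listening ports
# (assumption: deployments that moved a service elsewhere need this edited).
RISKY_PORTS = {
    22: "SSH (brute force / exploit attempts)",
    2375: "Docker API, plaintext (unauthenticated RCE)",
    2376: "Docker API, TLS port (still risky if client certs are not enforced)",
    6379: "Redis (unauthenticated RCE)",
    8088: "Hadoop YARN ResourceManager REST/web (RCE)",
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_is_world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 source range in the rule is 'anywhere'."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def _risky_ports_covered(rule: Dict) -> List[int]:
    """Risky ports reachable through this rule, including range spans."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic": every port, no FromPort/ToPort present
        return sorted(RISKY_PORTS)
    if proto not in ("tcp", "6"):  # UDP/ICMP rules do not expose these services
        return []
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in sorted(RISKY_PORTS) if lo <= p <= hi]


def find_world_exposed(groups: List[Dict]) -> List[Dict]:
    """Return one finding per (group, risky port) reachable from the Internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port in _risky_ports_covered(rule):
                findings.append({
                    "group": sg["GroupId"],
                    "port": port,
                    "service": RISKY_PORTS[port],
                })
    return findings


# Constructed sample: two bad groups, two acceptable ones.
SAMPLE_GROUPS = [
    {"GroupId": "sg-docker-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2375, "ToPort": 2376,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-redis-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in find_world_exposed(SAMPLE_GROUPS):
        print(f"{f['group']}: tcp/{f['port']} open to the world - {f['service']}")
```

Pointing this at real output (`aws ec2 describe-security-groups --output json`, then the `SecurityGroups` list) turns the post's list of opportunist targets into a checklist you can run before the bots do; a clean run means the listed services are at least not on the open Internet, which is the fix the SSH bullet is asking for.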

All of these are likely the same opportunist attacks from BOTs that are sweeping the whole Internet, not just AWS, but thanks to the publishing of details by AWS, we get a view of what’s happening out there.


Ian Tibble is the author of Security De-engineering (Taylor & Francis, ISBN-10: 1439868344) and the founder of Netdelta. Security Consultant. Devops. Python.