AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Published: 23/11/2024   Category: security




Threat actors can take over victims' cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.



Attackers can abuse a new feature in Amazon Web Services (AWS) to hijack cloud accounts' static public IP addresses and use them for various malicious purposes, researchers have found.
Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else's EIP and use it as their own command-and-control (C2) infrastructure, or to launch phishing campaigns that impersonate the victim, researchers from cloud incident response firm Mitiga revealed in a blog post on Dec. 20.
Attackers also can use the stolen EIP to attack a victim's own firewall-protected endpoints, or to serve as the original victim's network endpoint to extend opportunities for data theft, the researchers said.
The potential damage to the victim by hijacking an EIP and using it for malicious purposes can mean using the victim’s name, jeopardizing the victim’s other resources in other cloud providers/on-premises, and [stealing the] victim’s customers information, Or Aspir, software engineer at Mitiga, wrote in the post.
Threat actors must already have permissions on an organization's AWS account to leverage the new attack vector, which the researchers call a post-initial-compromise attack.
However, because the attack was not possible before the feature was added and is not yet listed in the MITRE ATT&CK Framework, organizations may be unaware that they are vulnerable to it, as it's not likely to be picked up by existing security protections, the researchers said.
With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it, Aspir wrote. In many cases it allows greatly increasing the impact of the attack and gaining access to even more assets.
AWS introduced EIP transfer in October as a legitimate feature to allow transfer of Elastic IP addresses from one AWS account to another. An Elastic IP (EIP) address is a public and static IPv4 address that can be reached from the Internet and can be allocated to an Elastic Compute Cloud (EC2) instance for Web-facing activities, such as website hosting or communicating with network endpoints behind a firewall.
AWS introduced the feature to make it easier to move Elastic IP addresses during AWS account restructuring by transferring the EIP to any AWS account, including accounts that are not owned by the same person or organization, the researchers said.
With the feature, the transfer is a mere two-step handshake between AWS accounts — the source account (either a standard AWS account or an AWS Organizations account) and the transfer account, Aspir explained.
The ease with which EIPs can now be transferred creates an unintentional issue, however: while it certainly simplifies the process of transferring an IP for legitimate account owners, it makes the same process easier for malicious actors, the researchers said.
Researchers described a basic scenario to illustrate how attackers can take advantage of EIP transfer, assuming that attackers already have permissions that allow them to see existing EIPs and their status, or whether or not they are associated with other computer resources.
Typically, EIPs are associated, but sometimes an organization keeps dissociated EIPs for later use, or as a result of an unmanaged environment that keeps unused resources, the researchers said. Either way, the attacker only needs to enable the EIP transfer, and the IP address is theirs, Aspir wrote.
Attackers can do this in two ways with the correct permissions: either transfer a dissociated EIP or remove the association of an associated EIP and then transfer it, the researchers said.
To remove the association first, an adversary must have the following action in its attached Identity and Access Management (IAM) policy on AWS: the ec2:DisassociateAddress action on the elastic IP addresses and the network interfaces that the IP addresses are attached to.
To transfer an EIP, a threat actor must have the following actions in its attached IAM policy: ec2:DescribeAddresses on all the IP addresses and ec2:EnableAddressTransfer on the EIP address that the attacker wants to transfer, the researchers said.
There is a wide range of attack scenarios that a threat actor can engage in after successfully transferring someone else's EIP to their own control.
In external firewalls used by the victim, for example, an attacker can communicate with the network endpoints behind the firewalls if there is an allow rule on the specific IP address, the researchers said.
Moreover, in cases in which a victim uses DNS providers such as a Route53 service, there could be DNS records of an A type in which the target is the transferred IP address. In this case, an attacker can abuse the address for hosting a malicious Web server under a legitimate victim's domain, then launch other malicious actions, such as phishing attacks, the researchers said.
Attackers also can use the stolen IP address as C2, using it for malware campaigns that appear legitimate and thus fly under the radar of security defenses. A threat actor can even cause denial of service (DoS) to a victim's public services if they dissociate an EIP from a running endpoint and transfer it, the researchers said.
Anyone using EIP resources in an AWS account is at risk, and thus must treat the EIP resources like other resources in AWS that are in danger of exfiltration, the researchers advised.
To protect themselves from an EIP transfer attack, Mitiga recommends that enterprises apply the principle of least privilege on AWS accounts and even disable the ability to transfer EIPs entirely if it's not a necessary feature in their environment.
To do this, an organization can use native AWS IAM features such as service control policies (SCPs), which offer central control over the maximum available permissions for all accounts in an organization, the researchers said, providing an example in their post of how this works.
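The IAM actions listed above (ec2:DisassociateAddress, ec2:EnableAddressTransfer) are all logged by CloudTrail in the victim account, which gives defenders a detection hook alongside the SCP-based prevention Mitiga recommends. The following is an added example, not code from the article or from Mitiga: it scans constructed CloudTrail-style records for a transfer enabled toward an account outside the organization, and for the disassociate-then-transfer sequence that would knock a live endpoint offline. The requestParameters key names and the account IDs are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for illustration; the requestParameters
# layout (lowerCamelCase keys) is an assumption, not copied from the article.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-23T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DisassociateAddress", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"allocationId": "eipalloc-0a1b2c3d", "associationId": "eipassoc-0123"}},
    {"eventTime": "2024-11-23T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"allocationId": "eipalloc-0a1b2c3d", "transferAccountId": "999999999999"}},
    {"eventTime": "2024-11-23T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/Admin"},
     "requestParameters": {"allocationId": "eipalloc-5e6f7a8b", "transferAccountId": "222222222222"}},
]

# Placeholder account IDs standing in for the organization's own accounts.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_eip_transfer_alerts(events, trusted_accounts, window=timedelta(minutes=30)):
    """Flag EnableAddressTransfer toward a non-org account, and DisassociateAddress
    followed by EnableAddressTransfer on the same allocation within `window`."""
    alerts = []
    last_disassociate = {}  # allocationId -> time of the latest DisassociateAddress
    for ev in sorted(events, key=_when):
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        alloc = params.get("allocationId")
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev["eventName"] == "DisassociateAddress" and alloc:
            last_disassociate[alloc] = _when(ev)
        elif ev["eventName"] == "EnableAddressTransfer":
            target = params.get("transferAccountId")
            base = {"allocationId": alloc, "transferAccountId": target,
                    "principal": who, "eventTime": ev["eventTime"]}
            if target not in trusted_accounts:
                alerts.append({**base, "reason": "transfer enabled to account outside the organization"})
            prev = last_disassociate.get(alloc)
            if prev is not None and _when(ev) - prev <= window:
                alerts.append({**base, "reason": "EIP disassociated then transfer enabled within window"})
    return alerts
```

In a real deployment the records would come from a CloudTrail query rather than the inline list, and the trusted set would be the organization's account IDs.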
