Tuesday, August 15 • 9:00am - 9:25am
OPEN TALK: Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Nader Zaveri, Mandiant/Google, Senior Manager - Incident Response & Remediation    
Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked access attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials.

This presentation covers how threat actors performed the exploitation and IMDS abuse, as well as related security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. Then, we will show how by performing the remediation techniques mentioned in the presentation, the organization will be able to block such credential harvesting methods via the instance metadata service.

avatar for Nader Zaveri

Nader Zaveri

Senior Manager - Incident Response & Remediation, Mandiant/Google
Nader Zaveri has over 15 years of experience in IT security, infrastructure, and risk management. Nader holds over a dozen industry-related certifications, has authored several blogs/books, and has presented at dozens of conferences, panel talks, webinars, and other industry-specific... Read More →

Tuesday August 15, 2023 9:00am - 9:25am PDT
OPEN Workshop Stage