AWS - Malicious VPC Mirror

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Check https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws for further details of the attack!

Passive network inspection in a cloud environment has historically been difficult, requiring major configuration changes to monitor network traffic. AWS introduced a feature called "VPC Traffic Mirroring" to simplify this. With VPC Traffic Mirroring, network traffic within a VPC can be duplicated at the elastic network interface (ENI) level without installing any software on the instances themselves, and the duplicated traffic can be sent to a network intrusion detection system (IDS) for analysis.

To automate deployment of the infrastructure needed to mirror and exfiltrate VPC traffic, Rhino Security Labs developed a proof-of-concept script called "malmirror". Given compromised AWS credentials, it sets up mirroring for every supported EC2 instance in a target VPC. Note that VPC Traffic Mirroring is only supported on EC2 instances powered by the AWS Nitro system, and the mirror target must reside in the same VPC as the mirrored hosts.
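Because every step malmirror performs is an EC2 API call (creating a mirror target, a filter and one session per ENI), the defensive counterpart is to watch for those calls and to periodically audit which mirror targets exist. The following is an added example, not code from the page or from the malmirror project: it flags traffic-mirroring API calls in CloudTrail records made by principals outside an approved list, and checks a `DescribeTrafficMirrorSessions` result against an allowlist of known IDS targets. The event names are the real EC2 CloudTrail `eventName` values; the sample records, account id, principal ARNs and resource ids are constructed, and the exact nesting of `requestParameters` is an assumption (the code only passes it through).

```python
"""Detect unexpected VPC Traffic Mirroring activity.

Added example, not part of the original page or of the malmirror tool. Assumes
CloudTrail-style JSON records and the TrafficMirrorSessions list returned by the
EC2 DescribeTrafficMirrorSessions API. All sample data below is constructed.
"""
import json

# EC2 API calls that create or change mirroring resources. These are the real
# CloudTrail eventName values for the VPC Traffic Mirroring feature.
MIRROR_EVENTS = {
    "CreateTrafficMirrorTarget",
    "CreateTrafficMirrorFilter",
    "CreateTrafficMirrorFilterRule",
    "CreateTrafficMirrorSession",
    "ModifyTrafficMirrorSession",
}


def find_mirror_events(records, approved_principals):
    """Return (principal_arn, event_name, request_parameters) for every
    mirroring API call made by a principal not in approved_principals."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in MIRROR_EVENTS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        if principal in approved_principals:
            continue
        findings.append((principal, rec["eventName"], rec.get("requestParameters", {})))
    return findings


def unapproved_sessions(sessions, approved_target_ids):
    """Given the TrafficMirrorSessions list from DescribeTrafficMirrorSessions,
    return the ids of sessions whose target is not an approved IDS target."""
    return [
        s["TrafficMirrorSessionId"]
        for s in sessions
        if s.get("TrafficMirrorTargetId") not in approved_target_ids
    ]


# Constructed data: placeholder account id, role/user ARNs and resource ids.
APPROVED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/SecurityIDSRole/ids-deploy",
}
APPROVED_TARGETS = {"tmt-0aaaaaaaaaaaaaaaa"}  # the legitimate IDS mirror target

SAMPLE_TRAIL = json.loads("""[
 {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTrafficMirrorSession",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/SecurityIDSRole/ids-deploy"},
  "requestParameters": {"trafficMirrorTargetId": "tmt-0aaaaaaaaaaaaaaaa"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTrafficMirrorTarget",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
  "requestParameters": {"networkInterfaceId": "eni-0cccccccccccccccc"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTrafficMirrorSession",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
  "requestParameters": {"trafficMirrorTargetId": "tmt-0bbbbbbbbbbbbbbbb"}}
]""")

SAMPLE_SESSIONS = [
    {"TrafficMirrorSessionId": "tms-0aaaaaaaaaaaaaaaa", "TrafficMirrorTargetId": "tmt-0aaaaaaaaaaaaaaaa"},
    {"TrafficMirrorSessionId": "tms-0bbbbbbbbbbbbbbbb", "TrafficMirrorTargetId": "tmt-0bbbbbbbbbbbbbbbb"},
]

if __name__ == "__main__":
    for principal, event, params in find_mirror_events(SAMPLE_TRAIL, APPROVED_PRINCIPALS):
        print(f"ALERT {event} by {principal}: {params}")
    for session_id in unapproved_sessions(SAMPLE_SESSIONS, APPROVED_TARGETS):
        print(f"ALERT mirror session {session_id} points at an unapproved target")
```

In a live account the two inputs come from CloudTrail (or a CloudWatch Logs subscription on the trail) and from `boto3.client("ec2").describe_traffic_mirror_sessions()["TrafficMirrorSessions"]`; the allowlists should be the IDS deployment role and the mirror target ids the security team actually created. Restricting `ec2:CreateTrafficMirror*` permissions to that role closes the gap the script detects.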

The impact of malicious VPC traffic mirroring can be significant, since it gives an attacker access to sensitive information transmitted inside the VPC. The likelihood of such abuse is high given how much cleartext traffic flows through VPCs: many companies use cleartext protocols on their internal networks for performance reasons, on the assumption that traditional man-in-the-middle attacks are not possible there.

For more information, and for the malmirror script itself, see Rhino Security Labs' GitHub repository. The script automates and streamlines the process, making it quick, simple and repeatable for offensive research purposes.
