
Massive AWS Data Breach Linked to ShinyHunters Regrouping

10 Dec 2024, csoonline.com

A significant data breach affecting numerous AWS customers has been linked to vulnerabilities exploited by the ShinyHunters group. Sensitive data was compromised due to misconfigurations in public-facing websites.

Key Takeaways

  • "We have identified a significant operation that scanned millions of websites, exploiting vulnerabilities in improperly configured public sites," said the researchers from vpnMentor.
  • "The S3 bucket was being used as a ‘shared drive’ between the attack group members, based on the source code of the tools used by them." The analysis of the bucket’s contents indicated that attackers had devised methods for discovering and exploiting AWS IP ranges.
  • "Verified credentials were stored for later use, and remote shells were installed for deeper access when needed." Moreover, attackers used validated AWS keys to access various services such as IAM, SES, SNS, and S3.

A recent cyber incident has left thousands of AWS customers vulnerable, with terabytes of sensitive data compromised due to vulnerabilities in multiple public-facing websites. This breach is connected to the ShinyHunters hacking group, which some believed to be defunct.

Independent cybersecurity researchers Noam Rotem and Ran Locar have uncovered the details of this breach, revealing that attackers exploited misconfigurations to gain unauthorized access to AWS credentials, customer information, and proprietary source code. "We have identified a significant operation that scanned millions of websites, exploiting vulnerabilities in improperly configured public sites," said the researchers from vpnMentor.

Their report indicates that the operation employed a sophisticated infrastructure designed by French-speaking threat actors aimed at scanning the internet for exploitable vulnerabilities. "This incident resulted in the exposure of sensitive keys and secrets, granting unauthorized access to customer data," added the researchers.

In response, an AWS spokesperson noted, "All services are operating as expected. AWS credentials include secrets that must be handled securely. AWS provides capabilities which remove the need to ever store these credentials in source code."

They further elaborated that AWS Secrets Manager assists customers in managing and rotating their credentials, but admitted that customers still occasionally make the mistake of exposing these credentials in public repositories. Upon detection of such exposures, AWS intervenes by quarantining the affected IAM user and notifying the customer of potential risks.
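The advice above, keeping long-term credentials out of source code and out of anything a web server can serve, is easiest to act on with a check that runs before deployment. The following Python is an added example, not code from the article, from AWS, or from vpnMentor: it walks a web root or repository for files that commonly leak keys and reports any token matching AWS's documented access-key and secret-key formats, distinguishing long-term `AKIA` keys (the kind that stay valid until rotated) from temporary `ASIA` keys. The candidate file names, the redaction width and the sample `.env` contents are assumptions; the key values are the placeholders from AWS's own documentation.

```python
import re
import tempfile
from pathlib import Path

# Pattern notes (assumptions based on AWS's documented key formats):
# - access key IDs are 20 characters; "AKIA" prefixes a long-term IAM user
#   key, "ASIA" a temporary STS key that expires on its own
# - secret access keys are 40 characters from the base64 alphabet
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# file names that commonly end up readable under a web root (assumed list)
CANDIDATE_NAMES = {".env", "config.php", "wp-config.php", "settings.py", "credentials"}


def redact(value: str) -> str:
    """Keep only the first and last four characters so a report can be shared safely."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each credential-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = "long_term_access_key_id" if m.group(1) == "AKIA" else "temporary_access_key_id"
            hits.append((lineno, kind, redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(1))))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[int, str, str]]]:
    """Walk root and report every candidate file that contains credential-looking tokens."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.name not in CANDIDATE_NAMES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_aws_credentials(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample of an exposed .env file. The key values are the
# placeholder credentials from AWS's documentation, not real secrets.
SAMPLE_ENV = """APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=not-a-real-password
"""

if __name__ == "__main__":
    # build a throwaway "web root" so the scan runs offline
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public").mkdir()
        (root / "public" / ".env").write_text(SAMPLE_ENV)
        (root / "public" / "index.php").write_text("<?php echo 'hello'; ?>")
        for rel, hits in scan_tree(root).items():
            for lineno, kind, value in hits:
                print(f"{rel}:{lineno}: {kind} {value}")
```

A long-term key in a served directory is exactly the exposure the article describes; a hit of that kind should trigger rotation of the key and a review of its CloudTrail history, not just deletion of the file, since the key may already have been harvested.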

Interestingly, the breach was exposed due to a misconfiguration in the S3 bucket utilized by the attackers to store the stolen data. This error allowed researchers to analyze the bucket and its contents. "The S3 bucket was being used as a ‘shared drive’ between the attack group members, based on the source code of the tools used by them," stated the researchers.

Attack Tooling and Methods

The analysis of the bucket’s contents indicated that attackers had devised methods for discovering and exploiting AWS IP ranges. By utilizing tools like Shodan and SSL certificate analysis, the attackers targeted exposed endpoints to extract valuable data, including database credentials and AWS keys.

Custom scripts built on open-source tools were used to harvest a range of credentials. "Verified credentials were stored for later use, and remote shells were installed for deeper access when needed," the report detailed.

Moreover, attackers used validated AWS keys to access various services such as IAM, SES, SNS, and S3. This access allowed them to maintain persistence within compromised systems, send out phishing emails, and gather sensitive information. Notably, AI service keys appeared to be avoided by the attackers, possibly due to outdated tools or lack of perceived value.
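The pattern described here, a harvested key that is first checked for validity and then used across IAM, SES, SNS and S3, is something an account owner can look for in CloudTrail. The following Python is an added example, not code from the article, from AWS, or from the researchers: it groups CloudTrail-style records by access key ID and flags any key that is probed with `sts:GetCallerIdentity` and then touches three or more distinct services within fifteen minutes. The window, the threshold, the choice of `GetCallerIdentity` as the validation call and the sample records are assumptions; key IDs are AWS documentation placeholders and the IP addresses come from reserved documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection parameters (assumptions for this example; tune to your environment)
WINDOW = timedelta(minutes=15)            # how long after validation to look for fan-out
FANOUT_THRESHOLD = 3                      # distinct services (excluding STS) that trigger a finding
VALIDATION_CALLS = {"GetCallerIdentity"}  # the usual "does this key still work?" probe


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 in UTC, e.g. 2024-11-08T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def service_of(event: dict) -> str:
    """'iam.amazonaws.com' -> 'iam'"""
    return event["eventSource"].split(".")[0]


def detect_validation_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Flag access keys that are validated and then used across many services in a short window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] not in VALIDATION_CALLS:
                continue
            t0 = parse_time(e["eventTime"])
            services, ips = set(), set()
            for later in evs[i:]:
                if parse_time(later["eventTime"]) - t0 > window:
                    break
                services.add(service_of(later))
                ips.add(later["sourceIPAddress"])
            touched = sorted(services - {"sts"})
            if len(touched) >= threshold:
                findings.append({
                    "accessKeyId": key,
                    "validatedAt": e["eventTime"],
                    "services": touched,
                    "sourceIPs": sorted(ips),
                })
                break  # one finding per key is enough for triage
    return findings


def _event(time, key, source, name, ip):
    """Build a minimal CloudTrail-shaped record (only the fields the detector reads)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


# Constructed CloudTrail-style records. Key IDs are AWS documentation placeholders
# and IP addresses come from the reserved documentation ranges.
SAMPLE_EVENTS = [
    # a normal application key: routine S3 reads, one identity check, nothing else
    _event("2024-11-08T01:00:00Z", "AKIAI44QH8DHBEXAMPLE", "s3.amazonaws.com", "GetObject", "203.0.113.5"),
    _event("2024-11-08T01:30:00Z", "AKIAI44QH8DHBEXAMPLE", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.5"),
    _event("2024-11-08T01:31:00Z", "AKIAI44QH8DHBEXAMPLE", "s3.amazonaws.com", "GetObject", "203.0.113.5"),
    # a key harvested from a public site: validated, then used across IAM, SES, SNS and S3
    _event("2024-11-08T02:00:00Z", "AKIAIOSFODNN7EXAMPLE", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.23"),
    _event("2024-11-08T02:01:00Z", "AKIAIOSFODNN7EXAMPLE", "iam.amazonaws.com", "ListUsers", "198.51.100.23"),
    _event("2024-11-08T02:02:00Z", "AKIAIOSFODNN7EXAMPLE", "ses.amazonaws.com", "GetSendQuota", "198.51.100.23"),
    _event("2024-11-08T02:03:00Z", "AKIAIOSFODNN7EXAMPLE", "sns.amazonaws.com", "ListTopics", "198.51.100.23"),
    _event("2024-11-08T02:05:00Z", "AKIAIOSFODNN7EXAMPLE", "s3.amazonaws.com", "ListBuckets", "198.51.100.23"),
]

if __name__ == "__main__":
    for f in detect_validation_fanout(SAMPLE_EVENTS):
        print(f"key {f['accessKeyId']} validated at {f['validatedAt']} "
              f"then touched {f['services']} from {f['sourceIPs']}")
```

The application key is not flagged because its activity after the identity check stays within S3; the harvested key is flagged because it fans out across four services from a source address the key had never used before. In production the same logic would run over CloudTrail Lake or exported trail files, and a finding would feed directly into key rotation and an IAM review for the user that owns the key.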

Impact and Legacy

"They began to take immediate actions to mitigate the impact and alert the affected customers of the risk,"

The incident brings to light the shared responsibility model inherent in cloud security, underscoring that customers must manage their configurations to prevent such vulnerabilities. On November 9, AWS confirmed they had fully addressed the issue following the researchers' findings.

Further investigation revealed that the infrastructure employed in the attack pointed to a potential regrouping of the ShinyHunters group, who had previously operated under the name 'Nemesis.' "While the group conducts its business under a different name, we were also able to connect some of the activity to the now-defunct attack group 'Shiny Hunters,'" Rotem and Locar reported.

ShinyHunters gained notoriety for their previous exploits, including managing BreachForums before it was taken down by law enforcement. As AWS customers grapple with the fallout from this breach, the resurgence of such hacking groups raises significant concerns over cybersecurity and the importance of proper configuration in cloud services.

Moving forward, vigilance and adherence to security best practices will be essential to safeguarding sensitive data against similar attacks.