Attackers are increasingly targeting vaults, buckets, and secrets stores to reach the high-value data kept in them, such as API keys, credentials, backups, and other critical records. Because these services concentrate sensitive data in one place, and are often protected less carefully than the applications that depend on them, a single leaked or over-permissioned credential can expose all of it, which makes them prime targets for anyone looking to steal data.
Recently, analysts at Datadog Security Labs documented this pattern in a campaign aimed at vaults, buckets, and secrets. During a routine threat hunt in a customer's AWS environment between May 23 and May 27, 2024, they noticed a source IP address, 148.252.146.75, making ListSecrets (Secrets Manager) and ListVaults (S3 Glacier) API calls, a sign that a credential for the account was in unauthorized hands.
The same source went on to call ListBuckets to enumerate S3 buckets and then ListObjects against each bucket it could see, on an automated schedule. What made the analysts suspicious was what was missing: no GetSecretValue, BatchGetSecretValue, or GetObject calls, even though S3 data events were enabled in CloudTrail and would have recorded any object reads. They speculated that the attackers were running a broad automated campaign to inventory available data before exfiltrating it, or were testing the access level of the stolen identity to gauge its resale value.
The attackers' initial target appeared to be backup data in S3 Glacier vaults. After an unsuccessful enumeration attempt, they issued InitiateJob calls to retrieve the vault's archive inventory and then specific archives, and used GetJobOutput to download the results. To hide their origin they routed traffic through VPN services, including the free Cloudflare WARP, whose egress addresses make AWS API calls look less suspicious than traffic from other VPN providers.
The user agent recorded in CloudTrail showed that the attackers signed their requests with the requests-auth-aws-sigv4 Python library rather than the AWS CLI or the Boto3 SDK, both of which handle SigV4 signing automatically. Signing requests by hand gives the attacker no real advantage, but the unusual user agent is itself a signal: in an environment where legitimate access goes through the CLI, the SDKs, or the console, it should raise a red flag.
Given these findings, the researchers recommend that detection and response teams monitor for and investigate such campaigns, since data exfiltration from a cloud environment can have severe operational impact. They also pointed out several detection opportunities: matching the published indicators of compromise (IoCs) to spot this specific campaign; enriching source IP addresses with Cloudflare's ranges so that API calls arriving from WARP can be compared against what is expected from those addresses; and watching for spikes in AccessDenied errors on ListSecrets, ListBuckets, ListObjects, and ListVaults, which point to a credential being tried against resources it is not permitted to see.
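The detections above can be run as a threat hunt over CloudTrail records. The following is an added example written for this article, not Datadog's detection content or any tooling from the report. It groups events by source IP and calling principal, flags actors that only enumerate (List* calls with no GetSecretValue, BatchGetSecretValue, GetObject or GetJobOutput), counts AccessDenied errors on those calls, matches the user agent against a token assumed to identify requests-auth-aws-sigv4, and enriches the source IP against a VPN range list. The sample events, the CIDR standing in for Cloudflare's ranges, and the user-agent strings are constructed; the field names follow the CloudTrail record format.

```python
"""Hunt CloudTrail records for the enumeration-only pattern described above.

Added example, not Datadog's detection content. Sample records are constructed;
their fields follow the CloudTrail record format (eventTime, eventName,
sourceIPAddress, userAgent, errorCode, userIdentity.arn).
"""
import ipaddress
from collections import defaultdict

# API calls seen in the campaign: pure enumeration of secrets, vaults and buckets.
ENUM_CALLS = {"ListSecrets", "ListVaults", "ListBuckets", "ListObjects"}
# Calls that would actually read data. Their absence is what made the
# activity look like reconnaissance rather than exfiltration.
READ_CALLS = {"GetSecretValue", "BatchGetSecretValue", "GetObject", "GetJobOutput"}
# Assumption: the requests-auth-aws-sigv4 library puts this token in the
# User-Agent it sends; confirm against your own CloudTrail userAgent values.
SUSPECT_UA_TOKEN = "auth-aws-sigv4"
# Constructed placeholder for the Cloudflare egress ranges you maintain.
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _actor(ev):
    """Group activity by source IP and calling principal."""
    return (ev["sourceIPAddress"], ev["userIdentity"]["arn"])


def enumeration_only(events, min_list_calls=3):
    """Actors with at least min_list_calls enumeration calls and no data read at all."""
    lists, reads = defaultdict(int), defaultdict(int)
    for ev in events:
        if ev["eventName"] in ENUM_CALLS:
            lists[_actor(ev)] += 1
        elif ev["eventName"] in READ_CALLS:
            reads[_actor(ev)] += 1
    return sorted(a for a, n in lists.items() if n >= min_list_calls and reads[a] == 0)


def access_denied_spikes(events, threshold=2):
    """Actors whose enumeration calls were denied at least `threshold` times:
    a credential being tried against resources it cannot see."""
    denied = defaultdict(int)
    for ev in events:
        if ev["eventName"] in ENUM_CALLS and ev.get("errorCode") == "AccessDenied":
            denied[_actor(ev)] += 1
    return {a: n for a, n in denied.items() if n >= threshold}


def manual_signing_events(events):
    """Events whose user agent shows the signing library instead of the CLI or an SDK."""
    return [ev for ev in events if SUSPECT_UA_TOKEN in ev.get("userAgent", "")]


def from_known_vpn(ip, ranges=KNOWN_VPN_RANGES):
    """Enrichment: is the source IP inside a VPN egress range we track?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def _ev(time, name, ip, arn, ua, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    ev = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"arn": arn}, "userAgent": ua}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: one enumeration-only actor and one normal operator.
SUSPECT_ARN = "arn:aws:iam::123456789012:user/backup-ops"
SUSPECT_UA = "python-requests/2.31.0 auth-aws-sigv4/0.8"   # constructed value
OPERATOR_ARN = "arn:aws:sts::123456789012:assumed-role/Admin/alice"
OPERATOR_UA = "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/linux"
SAMPLE_EVENTS = [
    _ev("2024-05-24T02:00:01Z", "ListSecrets", "203.0.113.17", SUSPECT_ARN, SUSPECT_UA, "AccessDenied"),
    _ev("2024-05-24T02:00:02Z", "ListVaults", "203.0.113.17", SUSPECT_ARN, SUSPECT_UA),
    _ev("2024-05-24T02:00:03Z", "ListBuckets", "203.0.113.17", SUSPECT_ARN, SUSPECT_UA),
    _ev("2024-05-24T02:00:04Z", "ListObjects", "203.0.113.17", SUSPECT_ARN, SUSPECT_UA, "AccessDenied"),
    _ev("2024-05-24T02:00:05Z", "ListObjects", "203.0.113.17", SUSPECT_ARN, SUSPECT_UA),
    _ev("2024-05-24T09:12:44Z", "ListBuckets", "198.51.100.5", OPERATOR_ARN, OPERATOR_UA),
    _ev("2024-05-24T09:12:51Z", "GetObject", "198.51.100.5", OPERATOR_ARN, OPERATOR_UA),
]


def findings(events=SAMPLE_EVENTS):
    """Assemble the three detections plus IP enrichment into one report."""
    return {
        "enumeration_only": enumeration_only(events),
        "access_denied_spikes": access_denied_spikes(events),
        "manual_signing_actors": sorted({_actor(e) for e in manual_signing_events(events)}),
        "from_known_vpn": sorted({e["sourceIPAddress"] for e in events
                                  if from_known_vpn(e["sourceIPAddress"])}),
    }


if __name__ == "__main__":
    for name, hits in findings().items():
        print(f"{name}: {hits}")
```

On the constructed sample, only the backup-ops user from 203.0.113.17 trips all three detections and falls inside the tracked VPN range, while the operator who lists a bucket and then reads an object is left alone. In production, feed the functions a day's worth of records from your CloudTrail lake, replace KNOWN_VPN_RANGES with the Cloudflare ranges you track, and tune min_list_calls and threshold to the volume of legitimate inventory jobs in the account.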
Overall, this campaign against AWS vaults, buckets, and secrets underscores the need for robust controls and continuous monitoring around the services that hold an organization's most sensitive data. Stakeholders are advised to stay vigilant and follow established practices for securing their cloud environments so that a single compromised credential does not become a data breach.

