A recent cyber operation has been uncovered by independent cybersecurity researchers Noam Rotem and Ran Locar, revealing how cybercriminal gangs exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations. The operation ran at mass scale, scanning millions of sites for vulnerable endpoints.
The operation was reported by the researchers to vpnMentor, which then published a blog post on December 9 detailing their findings. The attackers behind this operation are believed to be associated with known threat groups Nemesis and ShinyHunters. ShinyHunters, in particular, made headlines earlier this year for a cloud breach that affected Ticketmaster customers.
Jim Routh, the chief trust officer at Saviynt, a cloud identity and security management firm, noted that these cybercriminal syndicates operate at scale for profit and leverage their technical skills to exploit weaknesses in cloud computing environments.
Interestingly, the researchers stumbled upon this operation when the attackers made a critical error of their own by storing stolen data in an AWS Simple Storage Service (S3) bucket that was left open due to misconfiguration. The bucket contained a significant amount of data, including infrastructure credentials, source code, application databases, and credentials to external services.
The researchers reconstructed a two-step attack sequence used by the attackers. They started by scanning vast ranges of IPs belonging to AWS to identify vulnerabilities and mistakes. Subsequently, they used tools to expand their attack surface by extracting domain names associated with the IPs and analyzing SSL certificates to further identify potential targets.
Once the targets were identified, the attackers scanned for exposed endpoints, categorized systems, and extracted sensitive information like database access credentials, AWS customer keys, passwords, and more. The stolen data was then stored for exploitation at a later stage of the operation.
The researchers were able to track the attackers using tools and signatures associated with ShinyHunters and Nemesis Blackmarket. They promptly reported their findings to Israeli authorities and AWS Security, which took immediate action to mitigate the impact and notify affected customers.
AWS confirmed that the operation targeted flaws on the customer application side of the shared responsibility cloud model, placing responsibility with the affected customers rather than with AWS. AWS's security team completed its investigation and mitigation, after which the researchers were cleared to disclose the incident.
To prevent similar attacks, organizations are advised to avoid hardcoded credentials, run regular vulnerability scans of their web-facing systems, deploy a web application firewall, and rotate keys and passwords periodically. Additionally, embedding CanaryTokens in code can serve as tripwires that alert administrators to unauthorized access attempts.
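The first item on that list, hardcoded credentials, is the one the attackers were harvesting from exposed endpoints, and it is the easiest to check for before code reaches a public web root. The following is an added example, not code from the article or from the vpnMentor research: a small Python scanner that flags AWS access key IDs and secret access keys embedded in source and configuration files. The regular-expression shapes, the entropy threshold, the function names and the constructed sample files are all my own assumptions; the key values in the samples are the non-functional examples AWS uses in its own documentation.

```python
"""Scan source and config files for hardcoded AWS credentials.

Added example, not from the article or vpnMentor's report. It looks for the
two things the campaign described above harvested from exposed endpoints:
AWS access key IDs (AKIA.../ASIA...) and 40-character secret access keys
sitting next to a "secret key" label. Candidate secrets are filtered by
Shannon entropy so that obvious placeholders are not reported.
"""
import math
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Access key IDs have a fixed shape: 4-char prefix + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")
# Secret access keys are 40 base64-ish chars; only flag them next to a secret-key
# label to keep false positives down (hashes and tokens share the character set).
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; real keys score ~4.5+, "xxxx..." scores 0 (assumed cut-off)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(secret: str) -> str:
    """Keep only the ends so a findings report does not re-leak the secret."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token in text, with line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": mask(candidate)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory {path: contents} mapping; used for the samples below."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str, skip=(".git", "node_modules")) -> List[Dict[str, object]]:
    """Walk a real checkout, reading every regular file as text."""
    findings: List[Dict[str, object]] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not any(part in skip for part in p.parts):
            findings.extend(scan_text(str(p), p.read_text(errors="ignore")))
    return findings


# Constructed sample files. The key values are the ones AWS uses in its own
# documentation as non-functional examples.
SAMPLE_FILES = {
    "settings.py": (
        "# credentials pasted straight into application code (what the attackers harvested)\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"\n'
    ),
    ".env.example": (
        "# placeholder only; low entropy, must not be reported\n"
        "AWS_ACCESS_KEY_ID=\n"
        "AWS_SECRET_ACCESS_KEY=" + "x" * 40 + "\n"
    ),
    "app.py": (
        "# the pattern to move to: the secret is read from the environment at runtime\n"
        "import os\n"
        'secret = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
```

Run as-is, it reports only the two lines in `settings.py`; the 40-character placeholder in `.env.example` is dropped by the entropy filter and the environment lookup in `app.py` produces no match. Wire `scan_directory(".")` into a pre-commit hook or CI job and fail the build on any finding; a secret that trips the scanner should be treated as compromised and rotated, not merely deleted from the file, because it may already be in version history.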
This incident serves as a valuable lesson for organizations to adapt and enhance their cyber controls to achieve resilience in the face of evolving cyber threats. Organizations should prioritize cybersecurity measures to protect their valuable data and resources from malicious actors.