AWS customers hit by major cyberattack which then stored stolen credentials in plain sight
Many sites were misconfigured, allowing hackers to exfiltrate sensitive data
- Researchers discover campaign to scan for exposed data from "millions of websites"
- The crooks were selling the data on the dark web for "hundreds of euros"
- AWS says it has now fixed the issue, but users should still exercise caution
Misconfigured cloud instances have once again been abused to steal sensitive information such as login credentials, API keys, and more.
This time around, the victims were countless Amazon Web Services (AWS) customers who don’t seem to understand the shared responsibility model of cloud infrastructure.
In August 2024, independent security researchers Noam Rotem and Ran Loncar uncovered vulnerabilities in public sites that could be abused to access sensitive customer data, infrastructure credentials, and proprietary source code.
Selling the data on Telegram
Further investigation determined that French-speaking threat actors, possibly linked to the Nemesis and ShinyHunters hacking groups, were scanning “millions of websites” and using the vulnerabilities to extract sensitive data.
The information pulled this way included AWS customer keys and secrets, database credentials, Git credentials and source code, SMTP credentials (for email sending), API keys for services like Twilio, Binance, and SendGrid, SSH credentials, cryptocurrency-related keys and mnemonics, and other sensitive access credentials (e.g., for CPanel, Google accounts, and third-party services). Some victims were identified, but not named in the report, for obvious security reasons.
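The credential types listed above are exactly the material a repository or deployment should be scanned for before it is ever published. The following is an added example, not code from the report or from AWS: a small scanner that flags AWS access key IDs (the documented AKIA/ASIA prefix format), 40-character values assigned to variables named like secrets, private key blocks, connection URLs with inline passwords, and wallet mnemonics. The sample `.env` content is constructed, using only AWS's published example credentials; the non-AWS patterns are heuristics chosen for this example.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Patterns for credential material that should never sit in source or config.
# The AWS access key ID shape is documented by AWS; the others are heuristics
# written for this example and will need tuning for a real code base.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character base64-like value assigned to a variable whose name
    # contains SECRET (matches AWS secret access keys and similar tokens).
    "secret_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*SECRET[A-Z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    # SSH / TLS private keys pasted into a file.
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Database or SMTP style URLs carrying user:password@host inline.
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@"),
    # Twelve or more lowercase words assigned to a MNEMONIC-style variable.
    "mnemonic_assignment": re.compile(
        r"(?i)mnemonic\s*[=:]\s*['\"]?((?:[a-z]+ ){11,}[a-z]+)"
    ),
}

Finding = Tuple[str, int, str]  # (source, line number, finding type)


def scan_text(text: str, source: str = "<input>") -> List[Finding]:
    """Return one finding per (line, pattern) match in the given text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((source, lineno, name))
    return findings


def scan_paths(root: str, skip_dirs: Iterable[str] = (".git", "node_modules")) -> List[Finding]:
    """Walk a directory tree and scan every file as text (undecodable bytes ignored)."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), source=path))
    return findings


# Constructed sample .env file. The AWS values are the example credentials
# published in AWS documentation; nothing here is a live secret.
SAMPLE_ENV = """\
APP_NAME=demo
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
SMTP_HOST=smtp.example.com
WALLET_MNEMONIC="abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
"""

if __name__ == "__main__":
    for source, lineno, kind in scan_text(SAMPLE_ENV, source=".env"):
        print(f"{source}:{lineno}: {kind}")
```

Run `scan_paths(".")` as a pre-commit hook or CI step; any finding should block the push, and the remediation is the one AWS describes further down in this article: move the value into a secrets manager and rotate it, since a secret that was ever committed has to be treated as exposed.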
The miscreants were then selling the archives in a dedicated Telegram channel, earning “hundreds of euros per breach.” Good, since they will probably need the money for legal counsel, once they’re arrested and tried.
“Our investigation has identified the names and contact information of some of the individuals behind this incident,” the researchers said. “This may assist in further actions against the perpetrators.”
Rotem and Loncar reported their findings, first to the Israeli Cyber Directorate, and later to AWS Security. The two “began to take immediate actions” to mitigate the risk, although AWS stressed that the vulnerability was not in the system, but rather in the way customers were using it:
“The AWS Security team emphasized that this operation does not present a security concern to AWS, rather, it is on the customer side of the shared responsibility model — a statement that we fully agree with,” vpnMentor said in its report.
Cybersecurity pros constantly warn that cloud misconfigurations are one of the key causes of breaches. Ironically enough, the hackers don’t seem to be heeding these warnings either: the researchers found all of the stolen files in an unprotected AWS S3 bucket.
“Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner,” the report said. “The S3 bucket was being used as a ‘shared drive’ between the attack group members, based on the source code of the tools used by them.”
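The bucket misconfiguration described above is one an owner can check for offline, from the bucket policy and the Public Access Block settings alone. The following is an added example, not code from the report or from AWS: it flags any `Allow` statement whose principal is the wildcard and that is not narrowed by a caller-scoping condition, and combines that with the four Public Access Block booleans that `GetPublicAccessBlock` returns. The two policy documents and the account ID are constructed (the account ID is AWS's documentation example); the list of narrowing condition keys is an assumption made for this example.

```python
import json
from typing import Any, Dict, List, Union

PolicyDoc = Union[str, Dict[str, Any]]


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal: Any) -> bool:
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


# Condition keys that scope a wildcard principal down to a specific caller
# population. Assumption for this example: treat these as "not public".
NARROWING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid",
    "aws:sourcearn", "aws:sourceaccount",
}


def condition_narrows(condition: Any) -> bool:
    """True if the statement's Condition block restricts who can call."""
    if not condition:
        return False
    for operator, key_values in condition.items():
        if operator.lower().startswith("null"):  # Null checks do not limit callers
            continue
        for key in key_values:
            if key.lower() in NARROWING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy_doc: PolicyDoc) -> List[Dict[str, Any]]:
    """Return the Allow statements that grant access to anyone on the internet."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal")):
            continue
        if condition_narrows(stmt.get("Condition")):
            continue
        found.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return found


def block_public_access_complete(cfg: Dict[str, bool]) -> bool:
    """All four PublicAccessBlockConfiguration flags must be on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(policy_doc: PolicyDoc, public_access_block: Dict[str, bool]) -> Dict[str, Any]:
    """Combine policy findings with Public Access Block state into one verdict."""
    findings = public_statements(policy_doc)
    blocked = block_public_access_complete(public_access_block)
    return {
        "public_statements": findings,
        "block_public_access": blocked,
        "effectively_public": bool(findings) and not blocked,
    }


# Constructed policies: the first is the kind of "shared drive" misconfiguration
# described in the report, the second grants the same actions to one IAM role.
OPEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "SharedDrive", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-loot-bucket", "arn:aws:s3:::example-loot-bucket/*"]}]
}"""
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TeamOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-loot-bucket", "arn:aws:s3:::example-loot-bucket/*"]}]
}"""
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(OPEN_POLICY, BPA_OFF), indent=2))
    print(json.dumps(assess_bucket(SCOPED_POLICY, BPA_ON), indent=2))
```

A bucket can also be exposed through its ACL rather than its policy, which this check does not read; with all four Public Access Block flags on, both routes are closed regardless of what the policy says, which is why the verdict treats that setting as decisive.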
Ultimately, the researchers reported that AWS “completed handling this issue” on November 9.
“All services are operating as expected. AWS credentials include secrets that must be handled securely,” an AWS spokesperson told TechRadar Pro in a statement.
“AWS provides capabilities which remove the need to ever store these credentials in source code. For example, AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles. Customers still sometimes inadvertently expose credentials in public code repositories. When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer. If a customer's credentials are compromised, we recommend they revoke the credentials, check AWS CloudTrail logs for unwanted activity, and review their AWS account for any unwanted usage.”
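The last step AWS recommends, checking CloudTrail for unwanted activity, is the part most teams have to improvise during an incident. The following is an added example, not code from AWS or from the report: it reads CloudTrail records (the standard `Records` array with `eventTime`, `eventName`, `sourceIPAddress`, `awsRegion`, `errorCode` and `userIdentity.accessKeyId`), isolates everything done with one compromised access key, summarises actions and source IPs, flags privilege- or persistence-related API calls, and, after the key's revocation time, flags any call that still succeeded. The records, the revocation time and the high-risk action list are constructed for this example; the access key IDs are AWS's documentation examples and the IPs are from documentation ranges.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Dict, List

# API calls that, made with a stolen key, tend to mean persistence or privilege
# escalation rather than simple data theft. Assumption: this list is a starting
# point for the example, not an authoritative set.
HIGH_RISK_ACTIONS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "CreateLoginProfile", "UpdateLoginProfile", "StopLogging", "DeleteTrail",
    "PutBucketPolicy", "PutBucketAcl", "RunInstances",
}


def _ts(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text: str) -> List[Dict[str, Any]]:
    """A CloudTrail log file is a JSON object with a top-level Records array."""
    return json.loads(text)["Records"]


def triage(records: List[Dict[str, Any]], compromised_key: str, revoked_at: str) -> Dict[str, Any]:
    """Summarise every event made with the compromised key."""
    revoked = _ts(revoked_at)
    summary: Dict[str, Any] = {
        "events": 0,
        "by_action": Counter(),
        "by_ip": Counter(),
        "regions": set(),
        "denied": 0,                 # calls the key tried but was not allowed to make
        "high_risk": [],             # (eventTime, eventName) for HIGH_RISK_ACTIONS
        "succeeded_after_revocation": [],  # the key still works: revocation incomplete
    }
    for record in records:
        if record.get("userIdentity", {}).get("accessKeyId") != compromised_key:
            continue
        name = record["eventName"]
        summary["events"] += 1
        summary["by_action"][name] += 1
        summary["by_ip"][record.get("sourceIPAddress", "?")] += 1
        summary["regions"].add(record.get("awsRegion"))
        if record.get("errorCode"):
            summary["denied"] += 1
        if name in HIGH_RISK_ACTIONS:
            summary["high_risk"].append((record["eventTime"], name))
        if _ts(record["eventTime"]) > revoked and not record.get("errorCode"):
            summary["succeeded_after_revocation"].append((record["eventTime"], name))
    return summary


def _rec(time: str, name: str, source: str, ip: str, key: str, region: str = "us-east-1", error: str = None) -> Dict[str, Any]:
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "sourceIPAddress": ip, "awsRegion": region,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed CloudTrail file: one leaked key being used from two IPs, one
# legitimate key, and one call that still succeeds after the revocation time.
COMPROMISED_KEY = "AKIAIOSFODNN7EXAMPLE"
LEGIT_KEY = "AKIAI44QH8DHBEXAMPLE"
REVOKED_AT = "2024-11-09T10:00:00Z"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-11-08T09:00:00Z", "GetCallerIdentity", "sts.amazonaws.com", "203.0.113.10", COMPROMISED_KEY),
    _rec("2024-11-08T09:01:30Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.10", COMPROMISED_KEY),
    _rec("2024-11-08T09:02:00Z", "CreateUser", "iam.amazonaws.com", "203.0.113.10", COMPROMISED_KEY, error="AccessDenied"),
    _rec("2024-11-08T12:00:00Z", "RunInstances", "ec2.amazonaws.com", "198.51.100.7", COMPROMISED_KEY, region="eu-west-1"),
    _rec("2024-11-09T08:00:00Z", "GetObject", "s3.amazonaws.com", "203.0.113.10", LEGIT_KEY),
    _rec("2024-11-09T10:30:00Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.10", COMPROMISED_KEY),
]})

if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG), COMPROMISED_KEY, REVOKED_AT)
    for field in ("events", "denied", "by_action", "by_ip", "high_risk", "succeeded_after_revocation"):
        print(f"{field}: {result[field]}")
```

An `AccessDenied` on a call like `CreateUser` is still evidence: it shows the attacker probed for IAM write access, so the account review should not stop at what succeeded. Pair the triage with the other half of AWS's advice by moving the leaked value into Secrets Manager and rotating it, which is what keeps the key out of source in the first place.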
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.