Cybercrime Gangs Abscond With Thousands of AWS Credentials

Cybercriminal gangs have exploited vulnerabilities in public websites to steal Amazon Web Services (AWS) cloud credentials and other data from thousands of organizations, in a mass cyber operation that involved scanning millions of sites for vulnerable endpoints.

Independent cybersecurity researchers Noam Rotem and Ran Locar of the loosely organized research group CyberCyber Labs uncovered the operation in August, and reported it to vpnMentor, which published a blog post on Dec. 9 about their findings. Attackers appear to be connected to known threat groups Nemesis and ShinyHunters, the latter of which is probably best known for a cloud breach earlier this year that stole data from half a million Ticketmaster customers.

“Both of these 'gangs' represent a technically sophisticated cybercriminal syndicate that operates at scale for profit and uses their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing," notes Jim Routh, chief trust officer at Saviynt, a cloud identity and security management firm.

Ironically, however, the researchers discovered the operation when the French-speaking attackers committed a cloud-based faux pas of their own — they stored some of the data harvested from the victims in an AWS Simple Storage Service (S3) bucket that contained 2TB of data and was left open due to a misconfiguration by its owner, according to the post.

Related:Attackers Can Use QR Codes to Bypass Browser Isolation

"The S3 bucket was being used as a 'shared drive' between the attack group members, based on the source code of the tools used by them," the vpnMentor research team wrote in the post.

Among the data stolen in the operation included infrastructure credentials, proprietary source code, application databases, and even credentials to additional external services. The bucket also included the code and software tools used to run the operation, as well thousands of keys and secrets lifted from victim networks, the researchers said.

Two-Part Attack Sequence

The researchers ultimately reconstructed a two-step attack sequence of discovery and exploitation. Attackers began with a series of scripts to scan vast ranges of IPs belonging to AWS, looking for "known application vulnerabilities as well as blatant mistakes," according to the vpnMentor team.

Attackers employed the IT search engine Shodan to perform a reverse lookup on the IP addresses, using a utility in their arsenal to get the domain names associated with each IP address that exists within the AWS ranges to expand their attack surface. In an effort to further extend the domains list, they also analyzed the SSL certificate served by each IP to extract the domain names associated with it.

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

After determining the targets, they began a scanning process, first to find exposed generic endpoints and then to categorize the system, such as Laravel, WordPress, etc. Once this was done, they would perform further tests, attempting to extract database access information, AWS customer keys and secrets, passwords, database credentials, Google and Facebook account credentials, crypto public and private keys (for CoinPayment, Binance, and BitcoinD), and more from product-specific endpoints.

"Each set of credentials was tested and verified in order to determine if it was active or not," according to the post. "They were also written to output files to be exploited at a later stage of the operation."

When exposed AWS customer credentials were found and verified, the attackers also tried to check for privileges on key AWS services, including: identity and access management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

Cyberattacker Attribution & AWS Response

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

The researchers tracked the perpetrators via tools used in the operation, which "appear to be the same" as those used by ShinyHunters. The tools are documented in French and signed by "Sezyo Kaizen," an alias associated with Sebastien Raoult, a ShinyHunters member who was arrested and pleaded guilty to criminal charges earlier this year.

The researchers also recovered a signature used by the operator of a Dark Web market called "Nemesis Blackmarket," which focuses on selling stolen access credentials and accounts used for spam.

The researchers, who work out of Israel, reported their findings to the Israeli Cyber Directorate in early September, and then notified AWS Security in a report sent on Sept. 26. The company immediately took steps to mitigate the impact and alert affected customers of the risk, according to vpnMentor.

Ultimately, the AWS team found that the operation targeted flaws present on the customer application side of the shared responsibility cloud model and did not reflect any fault of AWS, which the researchers said they "fully agree with." The AWS security team confirmed they completed their investigation and mitigation on Nov. 9 and gave the researchers the green light to disclose the incident.

How to Secure the Cloud IT Footprint

Some steps organizations can take to avoid a similar attack against their respective cloud environments include making sure hardcoded credentials are never present in their code or even in their filesystem, where they might be accessed by unauthorized parties.

Organizations also should conduct simple Web scans using open source tools like "dirsearch" or  "nikto," which are often used by lazy attackers to identify common vulnerabilities. This will allow them to find holes in their environment before a malicious actor does, the researchers noted.

A Web application firewall (WAF) also is a relatively low-cost solution to block malicious activity, and it's also worthwhile to "roll" keys, passwords, and other secrets periodically, they said. Organizations also can create CanaryTokens in their code in secret places, the researchers noted, which act as tripwires to alert administrators that an attacker may be poking around where they shouldn't be.

Routh says the incident also provides a learning opportunity for organizations which, when presented with new technology options, should adjust and design cyber controls to achieve resilience rather than go with conventional control methods.