Independent cybersecurity experts Noam Rotem and Ran Locar have exposed a sophisticated cyber operation targeting vulnerabilities in public websites, leading to unauthorized access to sensitive customer data, infrastructure credentials, and proprietary source code.
The researchers collaborated with the AWS Fraud team on a customer notification to implement measures aimed at mitigating the impact of this event. They said that although they identified some of the victims of this operation, they have not been included in the report for privacy reasons.
They said: “Our investigation has identified the names and contact information of some of the individuals behind this incident. This may assist in further actions against the perpetrators, who are selling their loot in dedicated Telegram channels for hundreds of Euros per breach. While the group conducts its business under a different name, Nemesis, we were also able to connect some of the activity to the now defunct attack group ShinyHunters.”
Exploiting the Weakest Links
The report given to vpnMentor revealed how the attackers deployed an extensive infrastructure to scan millions of websites, exploiting misconfigured public sites to access sensitive information. These vulnerabilities, arising from customer-side errors within the shared responsibility model of cloud service providers, exposed critical assets such as database credentials, AWS keys, and external service credentials.
The malefactors, identified as coming from a French-speaking country, used sophisticated scanning tools and techniques. By analyzing AWS IP address ranges, SSL certificates, and domain names, the group enumerated targets and then probed them for vulnerable endpoints, such as misconfigured environment files and exposed repositories. The attackers even employed known exploits to install remote shells for deeper access.
Tools and Techniques
The operation’s arsenal included a combination of custom scripts, open-source tools, and cracked versions of exploit frameworks. Key tools included:
- MultiGrabber: Extracted sensitive information from compromised endpoints.
- Shodan Integration: Mapped domains and IP addresses to expand the attack surface.
- Python and PHP Scripts: Automated the discovery and exploitation of vulnerable systems.
The group’s targets spanned thousands of entities globally, with stolen data stored in an open S3 bucket serving as a “shared drive” for the hackers. The repository contained over 2 TB of data, including harvested keys and secrets, stolen databases, and a list of tens of thousands of vulnerable targets.
Attack Flow and Attribution
The operation unfolded in two phases: discovery and exploitation. During discovery, threat actors scanned AWS-hosted applications for known vulnerabilities. Exploitation involved accessing misconfigured endpoints to exfiltrate sensitive credentials and, in some cases, installing persistence mechanisms like remote shells.
Cyber artifacts recovered from the operation revealed connections to the now-defunct ShinyHunters group, known for high-profile breaches, and Nemesis, a darknet market specializing in stolen credentials. Tools used in the operation bore documentation in French, and some were linked to Sebastien Raoult, a bad actor recently convicted in the US.
Mitigation Efforts and Response
The incident was reported to the Israeli Cyber Directorate and AWS Security, prompting immediate action to notify affected customers and mitigate the attack’s impact. AWS stressed that the breaches happened due to misconfigurations on the customer side and reiterated the importance of sticking to shared responsibility best practices.
The operation also highlights the critical need for vigilance in cloud security. Simple measures, such as rolling credentials, using web application firewalls (WAFs), and implementing CanaryTokens to detect unauthorized access, can dramatically limit the risk of exploitation.
Strengthening Cloud Security
To prevent similar incidents, entities should prioritize:
- Eliminating Hardcoded Credentials: Use secure storage solutions like AWS Secrets Manager.
- Regular Vulnerability Scanning: Identify misconfigurations with tools like Dirsearch or Nikto.
- Periodic Credential Rotation: Limit the usefulness of stolen keys.
- Deploying Tripwire Mechanisms: Use CanaryTokens to detect unauthorized access attempts.
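The first three recommendations above can be checked mechanically before an attacker's scanner does it for you. The following is an added example, not code from the vpnMentor report or from AWS: it scans configuration text for the credential types the report says were harvested (AWS keys, database credentials, plaintext passwords), skips values that are only references to AWS Secrets Manager or the environment, and lists access keys that are past a rotation deadline. The sample .env contents and key inventory are constructed, and the AWS key values are AWS's documented placeholders rather than live credentials.

```python
"""Added example (not code from the vpnMentor report or from AWS): scan configuration
text for hardcoded credentials of the kinds the report says were harvested, and list
access keys that are past a rotation deadline. All sample values are constructed; the
AWS key values are AWS's documented placeholders, not live credentials."""
import re
from datetime import date, timedelta

# Credential-specific patterns. Each is checked before the generic assignment rule so a
# line is reported once, under its most specific type.
SECRET_PATTERNS = {
    # IAM access key IDs are 20 characters starting with AKIA (ASIA for temporary keys).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-character secret assigned to aws_secret_access_key (any case, = or :).
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # Connection strings that embed user:password@host; the password is captured.
    "database_url_with_password": re.compile(
        r"(?i)\b(?:mysql|postgres(?:ql)?|mongodb(?:\+srv)?|redis)://[^:/\s]+:([^@\s]+)@"),
}

# Generic NAME=value line whose name suggests a secret.
GENERIC_ASSIGNMENT = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Values that are references to a secret store or to the environment, not secrets.
REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "${", "{{")


def _is_reference(value: str) -> bool:
    return value.strip("'\"").startswith(REFERENCE_PREFIXES)


def _redact(secret: str) -> str:
    # Never echo the full value into a report or log.
    return secret[:4] + "*" * (len(secret) - 4)


def scan_for_exposed_secrets(text: str) -> list:
    """Return one finding per line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        specific_hit = False
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group(1) if m.lastindex else m.group(0)
                findings.append({"line": lineno, "kind": kind, "redacted": _redact(secret)})
                specific_hit = True
        if specific_hit:
            continue
        m = GENERIC_ASSIGNMENT.match(line)
        if m and not _is_reference(m.group("value")):
            findings.append({"line": lineno, "kind": "plaintext_secret_assignment",
                             "redacted": _redact(m.group("value"))})
    return findings


def keys_due_for_rotation(keys: list, max_age_days: int = 90, today: date = None) -> list:
    """IDs of keys created at or before today - max_age_days (rotation policy check)."""
    today = today or date.today()
    cutoff = today - timedelta(days=max_age_days)
    return [k["id"] for k in keys if k["created"] <= cutoff]


# Constructed .env contents: the first block is the kind of file the attackers harvested
# from misconfigured sites; the last two lines show the hardened form that is not flagged.
SAMPLE_ENV = """\
APP_ENV=production
DB_CONNECTION=mysql
DB_HOST=db.internal.example
DB_PASSWORD=s3cr3t-example-only
DATABASE_URL=postgres://app:s3cr3t-example-only@db.internal.example:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Hardened: reference a Secrets Manager entry or the environment instead of the value
DB_PASSWORD_ARN=arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-EXAMPLE
MAIL_TOKEN=${MAIL_TOKEN}
"""

# Constructed inventory of access keys with creation dates.
SAMPLE_KEYS = [
    {"id": "AKIAIOSFODNN7EXAMPLE", "created": date(2024, 1, 15)},
    {"id": "AKIAI44QH8DHBEXAMPLE", "created": date(2024, 5, 20)},
]

if __name__ == "__main__":
    for f in scan_for_exposed_secrets(SAMPLE_ENV):
        print(f"line {f['line']:>2}  {f['kind']:<28} {f['redacted']}")
    print("due for rotation:", keys_due_for_rotation(SAMPLE_KEYS, today=date(2024, 6, 1)))
```

Run against the sample, the scanner flags the four lines carrying literal credentials and leaves the Secrets Manager ARN and the `${...}` reference alone; the rotation check reports the key older than 90 days. Wire the scanner into a pre-commit hook or CI job and the rotation check into a scheduled inventory run, and keep the redacted form in any output so the report itself does not become another leak.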
Operating as Expected
All services are operating as expected. AWS credentials include secrets that must be handled securely. AWS provides capabilities which remove the need to ever store these credentials in source code. For example, AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles. Customers still sometimes inadvertently expose credentials in public code repositories. When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer. If a customer’s credentials are compromised, we recommend they revoke the credentials, check AWS CloudTrail logs for unwanted activity, and review their AWS account for any unwanted usage.
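The "check AWS CloudTrail logs for unwanted activity" step is where a compromised key's blast radius is established. The following is an added example, not AWS's own tooling: it walks a CloudTrail log file, keeps only the events made with the compromised access key, and flags each that came from outside the application's trusted network ranges, called a high-risk API (creating principals or keys, changing policies, reading secrets, tampering with logging), or ended in AccessDenied. The field names (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, `errorCode`) are real CloudTrail fields; the records, IP addresses, trusted CIDR and the list of high-risk event names are constructed for the example, and the key IDs are AWS's documented placeholders.

```python
"""Added example (not AWS's own tooling): triage CloudTrail records for a compromised
access key. Field names (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId,
errorCode) are the real CloudTrail ones; the records, IPs, trusted ranges and the
high-risk event list below are constructed for illustration."""
import ipaddress
import json

# API calls a leaked application key should not be making: persistence, privilege or
# policy changes, bulk secret reads, and logging tampering. Constructed list; extend it
# to match what the key's legitimate workload actually needs.
HIGH_RISK_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "PutBucketPolicy",
    "GetSecretValue", "ListSecrets", "DeleteTrail", "StopLogging",
}


def triage_cloudtrail(records, compromised_key_id, trusted_cidrs):
    """Return the records made with the compromised key that merit investigation,
    each with the reasons it was flagged."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for rec in records:
        if rec.get("userIdentity", {}).get("accessKeyId") != compromised_key_id:
            continue
        reasons = []
        source = rec.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(source)
            if not any(addr in net for net in trusted):
                reasons.append(f"source {source} outside trusted ranges")
        except ValueError:
            # Calls made by AWS services carry a hostname such as "lambda.amazonaws.com"
            # instead of an IP, so no range check is possible for them.
            pass
        name = rec.get("eventName", "")
        if name in HIGH_RISK_EVENTS:
            reasons.append(f"high-risk API call {name}")
        if rec.get("errorCode") == "AccessDenied":
            reasons.append("AccessDenied (failed call with the compromised key)")
        if reasons:
            flagged.append({"eventTime": rec.get("eventTime"), "eventName": name,
                            "sourceIPAddress": source, "reasons": reasons})
    return flagged


# Constructed CloudTrail log file (same top-level shape as a real one: {"Records": [...]}).
# 10.0.1.25 is the application server; 203.0.113.45 is a documentation-range address
# standing in for an unknown external host.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
  "userAgent": "aws-sdk-php/3.0",
  "userIdentity": {"type": "IAMUser", "userName": "app-prod", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-06-01T12:14:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45",
  "userAgent": "python-requests/2.31",
  "userIdentity": {"type": "IAMUser", "userName": "app-prod", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-06-01T12:14:09Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "sourceIPAddress": "203.0.113.45",
  "userAgent": "python-requests/2.31",
  "userIdentity": {"type": "IAMUser", "userName": "app-prod", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-06-01T12:15:00Z", "eventSource": "secretsmanager.amazonaws.com",
  "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.45",
  "userAgent": "python-requests/2.31", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "app-prod", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2024-06-01T12:16:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
  "userAgent": "aws-sdk-php/3.0",
  "userIdentity": {"type": "IAMUser", "userName": "backup", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}
]}
""")["Records"]

TRUSTED_CIDRS = ["10.0.0.0/16"]  # constructed: the subnet the application servers live in

if __name__ == "__main__":
    for hit in triage_cloudtrail(SAMPLE_TRAIL, "AKIAIOSFODNN7EXAMPLE", TRUSTED_CIDRS):
        print(hit["eventTime"], hit["eventName"], "|", "; ".join(hit["reasons"]))
```

On the sample, the routine legitimate GetObject from the application subnet passes, while the three calls from the external address are flagged with an escalating number of reasons, the last of them a denied GetSecretValue. Flagged events tell you what the key was used for and what it was allowed to do, which is what the scope of revocation, rotation and account review has to be based on; a key that has already been quarantined still needs this review for the window before the quarantine took effect.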
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.