Crooks stole AWS credentials from misconfigured sites then kept them in open S3 bucket

December 9, 2024 at 11:20AM

Security researchers report an ongoing, large-scale online heist targeting AWS customers: the attackers exploit misconfigured public websites to steal source code, credentials, and other secrets. The criminal operation, linked to the Nemesis and ShinyHunters gangs, remains active. The misconfigurations that enabled the thefts are attributed to the customers' own oversight, not to a fault in AWS itself.

### Key Takeaways

1. **Ongoing Cyber Heist**:
– A significant online heist targeting AWS customers is currently in progress.
– Cybercriminals exploited misconfigurations in public websites to steal sensitive data, including source code and AWS customer credentials.

2. **Investigation by Security Researchers**:
– Researchers Noam Rotem and Ran Locar reported the identities of the criminals involved to the Israeli Cyber Directorate and the AWS Fraud Team.
– Evidence connects the operation to cybercrime gangs Nemesis and ShinyHunters.

3. **Stolen Data Overview**:
– The stolen data includes AWS customer keys, database credentials, Git credentials, SMTP details, Twilio keys, and other secrets.
– Over 2 TB of victim data was discovered in an open, misconfigured S3 bucket, which the researchers encountered during their scans for vulnerabilities.

4. **Customer Responsibility**:
– Key takeaway from the report: Misconfigurations leading to the breaches are the responsibility of AWS customers, not AWS itself.
– Common misconfigurations include credentials reachable from the public internet (for example, a web-served environment file), unguarded databases, and open code repositories.
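The open bucket in item 3 and the customer-side misconfigurations in item 4 both come down to access grants that nobody reviewed. The following is an added example, not code from the article or from the researchers' report: it reads an S3 bucket policy document (the JSON that `aws s3api get-bucket-policy` returns) and flags statements that grant access to everyone. The two policy documents are constructed for the example, and the heuristic, an Allow statement with Principal `*` and no Condition, is an assumption; AWS's own public-access evaluation is more nuanced.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example; not code from the article or from the researchers. It checks a
bucket policy document for statements that are effectively public. The policy
documents below are constructed for the example. The heuristic is an
assumption: any Allow statement whose Principal is "*" (or {"AWS": "*"}) and
that carries no Condition is treated as public.
"""
import json

# Constructed example: a bucket left readable and listable by anyone.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-loot-bucket",
                         "arn:aws:s3:::example-loot-bucket/*"],
        }
    ],
})

# Constructed example: the same bucket restricted to a single role, plus a
# Deny that enforces TLS. The Deny also uses Principal "*" but is hardening.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-loot-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-loot-bucket",
                         "arn:aws:s3:::example-loot-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return the Sids (or positional labels) of statements open to everyone.

    Only Allow statements count; a Deny with Principal "*" is a restriction,
    not an exposure. Any statement with a Condition is skipped, which is a
    conservative choice: a condition such as aws:SourceIp may still be far
    too broad and deserves a manual look.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("open:  ", public_statements(OPEN_POLICY))    # ['PublicRead']
    print("locked:", public_statements(LOCKED_POLICY))  # []
```

Bucket ACLs and the account-level Block Public Access setting are separate controls that this check does not read; treat an empty result as one input to the review, not as proof that the bucket is private.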

5. **AWS’s Response**:
– AWS stated that their services are functioning correctly and emphasized the importance of secure handling of credentials.
– AWS points to tools such as AWS Secrets Manager that help keep credentials out of code and configuration files.

6. **Method of Attack**:
– The criminals performed extensive scanning, starting from a list of 26.8 million AWS IP addresses and using a range of reconnaissance tools.
– They specifically requested exposed environment files (such as `.env`) and configuration files from the discovered web servers and extracted the secrets those files contained.

7. **Self-Protection Recommendations**:
– Researchers urge organizations to eliminate hard-coded credentials from their code and manage secrets securely.
– A section of the report details additional protective measures that organizations can adopt to guard against such attacks.

8. **Reporting Timeline**:
– The crime was reported to the Israeli Cyber Directorate in early September, followed by notification to AWS Security on September 26, with an investigation completed by AWS thereafter.

### Conclusion
Organizations are encouraged to strengthen their security posture by finding and fixing the misconfigurations described above. The ongoing campaign underlines the need for continuous vigilance in managing cloud resources and the secrets that protect them.
