December 10, 2024 at 11:21AM
Cybercriminal gangs exploited vulnerabilities in public websites to steal AWS cloud credentials from numerous organizations, according to researchers from CyberCyber Labs. The attackers, linked to the groups Nemesis and ShinyHunters, stored the stolen data in an AWS S3 bucket of their own that they had misconfigured. AWS confirmed the incident stemmed from flaws in customer applications, not from its own systems.
### Meeting Takeaways
1. **Cyber Operation Overview**:
   – Cybercriminals exploited vulnerabilities in public websites to access AWS cloud credentials and sensitive data belonging to numerous organizations.
   – The operation involved scanning millions of websites for weak points.
2. **Research Discovery**:
   – Independent researchers Noam Rotem and Ran Locar of CyberCyber Labs uncovered the operation in August; vpnMentor published their report on December 9.
   – The attacks are linked to two known groups, Nemesis and ShinyHunters, which are responsible for previous breaches, including a significant incident involving Ticketmaster.
3. **Attack Methodology**:
   – The attackers used scripts to scan AWS IP addresses for known vulnerabilities and errors, using tools such as Shodan for targeting.
   – Credentials and sensitive data were extracted in a two-step process: discovery of exposed endpoints, followed by systematic exploitation.
4. **Data Compromised**:
   – Stolen data included infrastructure credentials, proprietary source code, application databases, and credentials for various external services.
   – Notably, the attackers stored the harvested data in an AWS S3 bucket of their own, which was misconfigured and publicly accessible.
5. **Attribution & AWS’s Response**:
   – The operation’s tools were linked to ShinyHunters; some of them were documented in French.
   – The researchers reported their findings to the Israeli Cyber Directorate and AWS Security, which acted promptly on the information.
   – AWS confirmed that the attack did not stem from any fault on its side, consistent with the researchers’ assessment.
6. **Preventative Recommendations**:
   – Organizations should:
      – Ensure no credentials are hardcoded in code or on the filesystem.
      – Conduct security scans with tools such as “dirsearch” or “nikto” to identify vulnerabilities.
      – Implement a Web Application Firewall (WAF) to block malicious activity.
      – Rotate keys and secrets regularly.
      – Use CanaryTokens as tripwires to detect unauthorized access attempts.
   – Designing cyber controls for resilience when adopting new technologies is crucial.
7. **Learning Opportunity**:
   – The incident highlights the need for organizations to adapt their cyber controls when adopting new technology, in order to prevent similar attacks.
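As an added example (not code from the report or the researchers), a small Python scanner for the first recommendation under item 6: it flags AWS-shaped access key IDs and secret keys hardcoded in source files, plus files such as `.env` that should never sit in a web root or a committed tree. The credential shapes follow AWS's public documentation; the list of risky file names and the sample files are assumptions constructed for this demonstration.

```python
import os
import re
from typing import Dict, List, Tuple

# Documented shape of AWS credentials: long-term access key IDs are 20 chars
# starting with AKIA (ASIA for temporary); secret keys are 40 base64-style chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*"
                           r"['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Assumed list of file names that should never sit in a web root or a committed tree.
RISKY_BASENAMES = {".env", "credentials", "id_rsa", ".npmrc", ".git-credentials"}
Finding = Tuple[str, str, int]  # (path, kind, line number; 0 = whole file)

def scan_content(path: str, text: str) -> List[Finding]:
    """Return findings for one file's text; purely local, no network calls."""
    findings: List[Finding] = []
    if os.path.basename(path) in RISKY_BASENAMES:
        findings.append((path, "sensitive-file", 0))
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, "aws-access-key-id", line_no))
        if SECRET_KEY_RE.search(line):
            findings.append((path, "aws-secret-access-key", line_no))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: content} map (used by the sample below)."""
    return [f for path, text in files.items() for f in scan_content(path, text)]

def scan_tree(root: str) -> List[Finding]:
    """Walk a real checkout or web root, skipping binary or unreadable files."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    findings.extend(scan_content(full, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return findings

# Constructed sample standing in for a repository checkout; the key values are
# AWS's own documented placeholder credentials, not live ones.
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    ".env": "DB_PASSWORD=hunter2\n",
    "app/main.py": "import boto3\nclient = boto3.client('s3')  # role-based, no key\n",
}
```

Run `scan_tree(path)` over a checkout or web root before deployment; treat every hit as a credential to rotate, not merely a line to delete, since a key that was ever exposed may already have been harvested.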
These takeaways serve as essential points for understanding the vulnerabilities in cloud computing environments and the necessary steps organizations can take to safeguard their data and systems.