Massive Cyber Attack On AWS Cloud Environments

-

 

Massive Cyber Attack On AWS Cloud Environments

A complex large-scale campaign was detected by Unit 42 researchers that manipulated and extorted several organizations using cloud systems.

Security analysts discovered this massive, large-scale cyber-attack on AWS cloud environments had over 230 million unique targets.

The attackers crafted a smart tactic of exploiting exposed environment variable (.env) files on misconfigured cloud infrastructures.

These .env files, often overlooked in security measures, contained confidential data such as access codes to different programs and services.

This allowed the hackers to gain unauthorized entry into the victims’ systems, through which they infiltrated further into the networks.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with         ANY.RUN --->   Get 14 Days Free Access.                                                                                

Technical Analysis
The threat actors utilized automated tools to check for 10,000 domains and access publicly exposed .env files that contained critical information.

Once in, they started by conducting extensive reconnaissance of the breached environments using AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets.

The next thing that happened was the actors elevated their privileges by forming new IAM roles that had full administrative rights on them, and this showed how they understood AWS IAM elements well.

They then proceeded to deploy Lambda functions that were maliciously designed to perform recursive scans for more .env files across multiple Amazon Web Services regions including a particular focus on Mailgun credentials useful for a large-scale phishing campaign.

The huge reach of the campaign was visible in that as they were able to access .env files in over 110,000 domains and had a target list that surpassed 230 million unique endpoints.

The operation finished with data exfiltration into S3 buckets controlled by attackers.




Such sophisticated attack tactics highlight the importance of implementing sturdy IAM policies, keeping an eye on cloud activities at all times, and observing a very demanding security approach for configuration files to avoid unauthorized entry and risks concerning data loss or leakage in cloud environments.

“Following the threat actor’s discovery operations, they identified that the original IAM credential used to gain initial access to the cloud environment did not have administrator access to all cloud resources. We determined that the attackers discovered the original IAM role used for initial access did have the permissions to both create new IAM roles and attach IAM policies to existing roles.” Palo Alto research.

This cloud-based extortion campaign revealed sophisticated tactics in data exfiltration and operational security. 

S3 Browser was exploited by the attackers to make specific API calls that gave away their operations without going through object-level logging.

It is important to note that Exfiltration could be detected through Cost and Usage Reports, which would indicate spikes in GetObject and DeleteObject operations.

After exfiltrating and deleting data, attackers uploaded ransom notes to the emptied S3 buckets, demanding payment to prevent data leaks and potentially restore deleted information.



These notes represented the final level of cyber-extortion that sometimes managed to be sent to targeted company shareholders via emails.

The campaign went beyond cloud services, which compromised social media login credentials and revealed various infrastructure details.

It was also a tactical error on the part of the attackers using both Tor nodes and VPN clients as they could potentially disclose locations in Ukraine and Morocco.


Consequently, organizations need to implement proper security measures such as disabling unused AWS regions, having robust logs with a 90-day retention period, and employing Amazon GuardDuty.

To this end, companies should adopt the least privilege and temporary credentials preference and develop custom alerting systems suited to their usage pattern within AWS.

A multi-layered defense system that includes these strategies in conjunction with continuous monitoring and periodic security audits is very crucial in mitigating vulnerabilities from such advanced attack campaigns.

AWS Response
“AWS services and infrastructure are not affected by the findings of these researchers. The issues described in this blog were a result of a bad actor abusing misconfigured web applications—hosted both in the cloud and elsewhere—that allowed public access to environment variable (.env) files.”

Some of these files contained various kinds of credentials, including AWS credentials which were then used by the bad actor to call AWS APIs.

“Environment variable files should never be publicly exposed, and even if kept private, should never contain AWS credentials. AWS provides a variety of easy-to-use mechanisms for web applications to access temporary AWS credentials in a secure fashion.” Cyber Security News learned from an AWS spokesperson.

Comments

Post a Comment

Popular posts from this blog

systemd 256 arrives with run0, the ‘sudo clone’ that aims to improve security

-
Image
systemd 256 arrives with run0, the ‘sudo clone’ that aims to improve security systemd 256 is now a reality, featuring an interesting innovation that could represent a significant change in Linux in the not-too-distant future, although this will ultimately depend on the decisions made by various distributions. Without further delay, let’s go over the main new features. First, we have the introduction of run0, a kind of clone of sudo that aims to enhance security by reducing the attack surface. According to Lennart Poettering, the creator of systemd, this is achieved by ensuring “the target command is invoked in an isolated execution context, freshly forked from PID 1, without inheriting any context from the client,” making its behavior more akin to SSH. And since we’ve mentioned SSH, there’s the systemd-ssh-generator , which has been added to detect if the SSHD binary (the SSH daemon) is present and then link it through socket activation per connection to various sockets depending on
Read more

Kubernetes 1.30 Available, New Version of the Container Orchestrator

-
Image
Kubernetes 1.30, named “Uwurnetes,” has been released as the new stable version of the well-known container orchestrator, which originated at Google and is now under the umbrella of The Linux Foundation. The developers have described this release as "the most beautiful" in the history of the software and have announced it includes a total of 45 new features, with 17 in stable phase, 18 in beta, and 10 in alpha. However, here we will only mention the most important ones. The first notable update in Kubernetes 1.30 is the stable release of the Robust VolumeManager rebuild after restarting the kubelet. This involves a refactoring of the volume manager that allows the kubelet to complete additional information on how existing volumes are mounted during the kubelet's startup. Generally, this makes volume cleanup more robust after restarting the kubelet or the machine. Also arriving in stable phase is the prevention of unauthorized volume mode conversion during volume restora
Read more

Fedora Asahi Remix 40, the new version of Linux for Apple Silicon

-
Image
  Fedora Asahi Remix 40 has been announced as the latest version of the Fedora-based system designed to run on Mac computers with Apple Silicon processors. This version primarily represents an evolution of what was already present, which is quite significant given the project's potential to enhance the Linux desktop experience, particularly in areas like sound. According to Fedora Magazine, Fedora Asahi Remix is developed through close collaboration between the Asahi Linux team and the Fedora Asahi Special Interest Group (SIG). It's worth noting that Asahi Linux is not a traditional distribution but rather a technology platform that enables running Linux on Apple Silicon processors. However, this doesn't stop its Fedora remix from being a reference system. As expected, Fedora Asahi Remix 40 is based on Fedora 40 and uses KDE Plasma 6 as its desktop environment. Therefore, the Wayland session should be the default, especially given the strong support this system has for th
Read more