Cybercriminals Exploit AWS Vulnerabilities to Steal Credentials

Need some FUD? Want to demonstrate and understand how vulnerable cloud environments are and the importance of secure credential management? This article is for you!


Cybercriminal groups Nemesis and ShinyHunters exploited vulnerabilities in public websites to steal AWS credentials and other sensitive data from thousands of organizations. The operation involved scanning millions of sites for vulnerable endpoints, leveraging tools like Shodan for domain discovery, and targeting known application vulnerabilities. The attackers stored the stolen data in an unsecured AWS S3 bucket, leading to their discovery. AWS took immediate action to mitigate the impact and notify affected customers, emphasizing the shared responsibility model in cloud security. Organizations are advised to avoid hardcoding credentials, use web application firewalls, and implement security best practices to protect their cloud environments.


Key Facts

Risks:

Misconfiguration, Web App/Website Vulnerability, Hardcoded Secrets, Weak or Compromised Credentials

Keywords:

AWS, Cloud Vulnerabilities, Credential Theft, Nemesis, ShinyHunters, Cyber Attack

CVE:

N/A

Affected:

AWS, Ticketmaster


Article Body

Cybercriminal Groups Exploit AWS Vulnerabilities

Cybercriminal gangs, including Nemesis and ShinyHunters, have targeted thousands of organizations by exploiting vulnerabilities in public websites to steal AWS credentials and other sensitive data. This large-scale cyber operation involved scanning millions of sites for vulnerable endpoints.

Discovery of the Operation

The operation was uncovered by independent cybersecurity researchers from CyberCyber Labs in August. The attackers, linked to known threat groups Nemesis and ShinyHunters, have a history of cloud breaches, including a significant data theft from Ticketmaster earlier this year. Ironically, the attackers themselves were exposed due to a misconfiguration in their AWS S3 bucket, which was used to store stolen data and left open to the public.

Attack Methodology

The attackers executed a two-step attack sequence: discovery and exploitation. They began by scanning a wide range of AWS IP addresses with scripts that looked for known vulnerabilities and misconfigurations. They then used Shodan, a search engine for internet-connected devices, to reverse-look-up the domain names associated with those IPs, widening their list of targets. They also parsed SSL certificates to extract additional domain names.

Once targets were identified, the attackers scanned for exposed endpoints and categorized each system by its underlying framework, such as Laravel or WordPress. They then attempted to extract various credentials, including AWS keys, database access information, and social media account credentials. These credentials were tested for validity and stored for later exploitation.

Exploitation of AWS Services

When valid AWS credentials were found, the attackers checked for privileges on key AWS services such as Identity and Access Management (IAM), Simple Email Service (SES), Simple Notification Service (SNS), and S3.

Attribution and Response

The tools used in the operation were linked to ShinyHunters, with documentation in French and signed by an alias associated with a known member of the group. The researchers reported their findings to the Israeli Cyber Directorate and AWS Security, prompting immediate mitigation actions by AWS. AWS emphasized the shared responsibility model in cloud security, noting that the flaws were on the customer application side.

Security Recommendations

Organizations can protect their cloud environments by implementing several best practices:

AWS also advises customers to manage and rotate credentials securely using AWS Secrets Manager and to monitor their AWS accounts for any unusual activity.
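As an added illustration of the "avoid hardcoding credentials" advice (this is not code from the article, the researchers, or AWS), the following Python scanner flags AWS access keys committed to files such as a Laravel .env. Assumptions: the file path and sample .env content are constructed for the demo, and the key values are the placeholder credentials AWS uses in its own documentation, not live secrets.

```python
import re
from dataclasses import dataclass

# Long-term AWS access key IDs start with AKIA and temporary ones with ASIA,
# followed by 16 uppercase alphanumerics (AWS's documented format). The secret
# pattern is a heuristic keyed on the variable name plus a 40-character value.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
)


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value_prefix: str  # never log the full secret; a short prefix is enough for triage


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line for hardcoded AWS credentials."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(1)[:8] + "..."))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", m.group(1)[:4] + "..."))
    return findings


# Constructed sample: a Laravel-style .env checked into a repository. The AWS
# values are AWS documentation placeholders (AKIAIOSFODNN7EXAMPLE etc.).
SAMPLE_ENV = """APP_NAME=Shop
APP_ENV=production
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=eu-west-1
"""

if __name__ == "__main__":
    for f in scan_text(".env", SAMPLE_ENV):
        print(f"{f.path}:{f.line}: {f.kind} ({f.value_prefix})")
```

Run it over a checkout or a deployed web root as a pre-commit or CI gate; any hit is a credential that should be moved into AWS Secrets Manager (or another secret store) and rotated.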


Read More

https://www.darkreading.com/endpoint-security/cybercrime-gangs-steal-thousands-aws-credentials