230 Million AWS Cloud Environments Compromised

NHI Mgmt Group


Execution

After failing to launch EC2 instances, the attackers switched to AWS Lambda, a serverless service that runs code in response to events. Lambda let them run their scripts as short-lived functions with no host to provision or maintain, so the automated tasks blended in with normal activity and avoided detection.

Data Exfiltration

The attackers used tools such as S3 Browser to pull large amounts of data out of S3 buckets. The data was then transferred to external servers over encrypted VPN tunnels to avoid detection.

Impact of the Incident

Data Loss

A large amount of sensitive data, including customer information, credentials, and secrets, was exfiltrated by the attackers, who can use it for fraud and further intrusions.

Financial Impact

The extortion operation presents a significant financial risk. Victims had to deal with the possibility of paying a ransom to prevent exposure of the stolen data.

Incident Analysis

Root Causes

Insecure Storage of Sensitive Data

Environment variable files (.env) containing critical credentials and secrets were left where anyone could read them, on misconfigured web servers and in public repositories such as GitHub. These weak access controls were the root cause of the attack.

Misconfigured Cloud Security Settings

The compromised IAM identity carried excessive, unnecessary permissions, in particular the right to create roles and attach policies, which allowed the attackers to escalate their privileges within the environment and gain access to more resources and data.

Lack of Monitoring and Detection

The attackers were able to move laterally and exfiltrate huge amounts of data from S3 buckets using tools like S3 Browser without being detected or triggering any alarms. This points to a lack of monitoring and anomaly detection: bulk object reads from a newly active access key are exactly the kind of signal such systems should raise.

Failure to implement Secure Secrets Management

Secrets and sensitive credentials were not rotated regularly or managed in a secure manner, so once exposed they stayed valid and open to unauthorized use.

Attack Techniques

Initial Access

The attackers gained initial access by using exposed IAM keys found in publicly accessible environment files (.env) hosted on misconfigured web servers. They discovered these files by scanning unsecured web applications at scale. This highlights the growing trend of attackers targeting cloud credentials to compromise organizations' cloud environments.

Discovery

After the initial access phase, the attackers performed reconnaissance within the compromised environment to identify valuable resources. This included:

  • Service enumeration to list the cloud services in use, such as S3 buckets, Security Token Service (STS), Simple Email Service (SES), EC2 instances, IAM, and databases.

  • Querying metadata APIs to collect information about the running services, such as the permissions the credentials carried, network configuration, and linked accounts.

The attackers then ran the GetCallerIdentity API call (sts get-caller-identity) to confirm that the exposed IAM credentials were valid and to learn which account and principal they belonged to.

The attackers also used the Tor network during the initial access and discovery phases to anonymize their traffic and hide their location, making attribution difficult.

Privilege Escalation

After the discovery phase, having verified the IAM credentials, the attackers found that the compromised credentials did not carry full administrative privileges. They did, however, permit the creation of new IAM roles and the attachment of IAM policies. Using the CreateRole API, the attackers created a new IAM role called lambda-ex, then attached the AWS managed AdministratorAccess policy to it with the AttachRolePolicy API call. By doing this, a new IAM role with full administrative permissions came under their control.
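The chain above (a freshly validated key that creates a role and attaches AdministratorAccess to it) is what the monitoring the later sections call for should catch. The following is an added example, not code from the article, Palo Alto or SANGFOR: a detection that correlates CloudTrail records by access key and reports the escalation, whether the key was first test-driven with GetCallerIdentity, and whether the new role was handed to a Lambda function. The records are constructed to mirror the described sequence; the account ID 111122223333, the key IDs, the IP addresses and the function name are placeholders.

```python
"""Spot the role-creation escalation chain in CloudTrail records.

Added example, not from the article or any vendor: the records below are
constructed to mirror the sequence described (GetCallerIdentity, CreateRole,
AttachRolePolicy with AdministratorAccess, then a Lambda function that uses the
new role). Account ID, key IDs and IP addresses are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _event(time, source, name, key, ip, params, kind="IAMUser"):
    # Only the CloudTrail fields the detection reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "accessKeyId": key},
            "requestParameters": params}


STOLEN_KEY, ADMIN_KEY = "AKIAEXAMPLE000000001", "ASIAEXAMPLE000000002"
SAMPLE_EVENTS = [  # constructed, not real log data
    _event("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity",
           STOLEN_KEY, "198.51.100.7", None),
    _event("2024-08-01T10:01:00Z", "iam.amazonaws.com", "CreateRole",
           STOLEN_KEY, "198.51.100.7", {"roleName": "lambda-ex"}),
    _event("2024-08-01T10:01:30Z", "iam.amazonaws.com", "AttachRolePolicy",
           STOLEN_KEY, "198.51.100.7",
           {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY_ARN}),
    # CloudTrail records Lambda's CreateFunction under its API version name.
    _event("2024-08-01T10:05:00Z", "lambda.amazonaws.com", "CreateFunction20150331",
           STOLEN_KEY, "198.51.100.7",
           {"functionName": "scan", "role": "arn:aws:iam::111122223333:role/lambda-ex"}),
    # Routine role creation by an administrator with a read-only policy: no alert.
    _event("2024-08-01T11:00:00Z", "iam.amazonaws.com", "CreateRole",
           ADMIN_KEY, "203.0.113.10", {"roleName": "app-reader"}, "AssumedRole"),
    _event("2024-08-01T11:00:30Z", "iam.amazonaws.com", "AttachRolePolicy",
           ADMIN_KEY, "203.0.113.10",
           {"roleName": "app-reader", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
           "AssumedRole"),
]


def _ts(s):
    """CloudTrail eventTime is UTC in exactly this shape."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_role_escalation(events, window_seconds=3600):
    """One alert per access key that creates a role and gives it AdministratorAccess
    within window_seconds, with context on how that key behaved around it."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_key[ev["userIdentity"].get("accessKeyId", "unknown")].append(ev)

    alerts = []
    for key, evs in by_key.items():
        created = {}          # roleName -> when this key created it
        admin_roles = {}      # roleName -> when AdministratorAccess was attached
        lambda_roles = set()  # role names this key handed to Lambda functions
        for ev in evs:
            params = ev.get("requestParameters") or {}
            name = ev["eventName"]
            if name == "CreateRole":
                created[params.get("roleName")] = _ts(ev["eventTime"])
            elif name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                role = params.get("roleName")
                if role in created:
                    age = (_ts(ev["eventTime"]) - created[role]).total_seconds()
                    if age <= window_seconds:
                        admin_roles[role] = ev["eventTime"]
            elif name.startswith("CreateFunction"):
                lambda_roles.add(str(params.get("role", "")).rsplit("/", 1)[-1])
        for role, when in admin_roles.items():
            alerts.append({
                "accessKeyId": key,
                "role": role,
                "admin_attached_at": when,
                # A stolen key is typically test-driven with GetCallerIdentity first.
                "first_call_was_get_caller_identity": evs[0]["eventName"] == "GetCallerIdentity",
                "role_used_by_lambda": role in lambda_roles,
                "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_role_escalation(SAMPLE_EVENTS), indent=2))
```

Correlating on the access key is what separates the attacker's lambda-ex from the administrator's app-reader: the policy attached, the time between the two calls, and the key's first call all carry signal. In production one would also alert on any AttachRolePolicy of AdministratorAccess regardless of who created the role, and enrich the source IPs against a Tor exit list.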

Overview

In August 2024, many organizations fell victim to a large-scale extortion campaign that targeted improperly configured cloud environments. The attackers exploited insecure environment variable files (.env). These files usually contain sensitive information and secrets such as API keys, database credentials, and cloud service tokens, and they were exposed by weak security configurations on web servers and in public repositories. The attackers used these weaknesses to gain unauthorized access to cloud services, escalate privileges, exfiltrate large amounts of data, and carry out extortion. The incident shows the risks of improper cloud security configuration and the importance of managing non-human identities (NHIs).

Threat actor's operational architecture - Source: Paloalto

get-caller-identity and response - Source: SANGFOR

JSON permissions for the AdministratorAccess Policy - Source: Paloalto

Reputational Damage

The exposure of compromised credentials could damage the organizations’ reputation, affecting customer trust, partnerships, and future business opportunities.

Remediation

Secrets Management

  • Avoid Storing Sensitive Data in (.env) Files: Use a secrets manager to store API keys and other credentials, and keep any .env files out of web roots and version control.

  • Enforce Key Rotation Policies: Rotate keys and tokens regularly so that an exposed credential has a short useful life.
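The first recommendation is easiest to enforce before a commit or a deployment ever happens. The following is an added example, not tooling from the article: a scanner that walks a project tree, reports AWS access key IDs and secret-looking variables, and says whether each .env file is actually excluded by .gitignore. The sample project it builds is constructed in a temporary directory, and its key IDs (AKIAEXAMPLE...) and secret values are placeholders.

```python
"""Find credential material sitting in .env files and source code.

Added example, not tooling from the article: it walks a project tree, reports
AWS access key IDs and secret-looking variables, and says whether each .env
file is excluded by .gitignore. The sample project is constructed in a temp
directory; its key IDs and secrets are placeholders, not real credentials.
"""
import fnmatch
import re
import tempfile
from pathlib import Path

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# NAME=value lines whose name suggests a secret and whose value is non-empty.
SECRET_VAR = re.compile(
    r"^\s*([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*)\s*=\s*(\S.*)$",
    re.I)


def _gitignore_patterns(root):
    gi = root / ".gitignore"
    if not gi.exists():
        return []
    lines = gi.read_text().splitlines()
    return [l.strip() for l in lines if l.strip() and not l.startswith("#")]


def _is_ignored(rel, name, patterns):
    # Rough gitignore semantics: a pattern may match the full path or the basename.
    return any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(name, p) for p in patterns)


def scan_tree(root):
    """Return one finding per file that contains credential material."""
    root = Path(root)
    patterns = _gitignore_patterns(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == ".gitignore":
            continue
        rel = path.relative_to(root).as_posix()
        is_env = path.name == ".env" or path.name.startswith(".env.")
        hits = []
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            if AWS_KEY_ID.search(line):
                hits.append((lineno, "aws-access-key-id"))
            m = SECRET_VAR.match(line) if is_env else None
            if m:
                hits.append((lineno, "secret-variable:" + m.group(1).upper()))
        if hits:
            findings.append({"path": rel, "is_env_file": is_env,
                             "gitignored": _is_ignored(rel, path.name, patterns),
                             "hits": hits})
    return findings


def build_sample_tree():
    """Construct a throwaway project with the mistakes the article describes."""
    root = Path(tempfile.mkdtemp(prefix="env-scan-"))
    (root / "config").mkdir()
    (root / ".gitignore").write_text("node_modules/\n*.log\n")  # .env is not excluded
    (root / ".env").write_text(
        "APP_ENV=production\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"  # placeholder key ID
        "AWS_SECRET_ACCESS_KEY=EXAMPLEsecret/notReal+000000000000\n"
        "DB_PASSWORD=hunter2\n")
    (root / "config" / "settings.py").write_text(
        'REGION = "us-east-1"\n'
        'ACCESS_KEY = "AKIAEXAMPLE000000002"  # hard-coded, also wrong\n')
    (root / "README.md").write_text("# demo\nNo secrets here.\n")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "" if f["gitignored"] else "  [NOT in .gitignore]"
        print(f"{f['path']}{flag}")
        for lineno, kind in f["hits"]:
            print(f"  line {lineno}: {kind}")
```

Run it as a pre-commit hook or a CI step against the repository root. The gitignore check matters because a .env that is merely "not supposed to be committed" still ends up in the repository the first time someone runs git add -A; the key-ID pattern additionally catches credentials copied into source files, where no .env rule helps.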

IAM Best Practices

  • Adopt the Least Privilege Principle: Restrict IAM roles and policies so that each identity has only the permissions its task needs; in particular, do not give application keys iam:CreateRole or iam:AttachRolePolicy unless a permissions boundary constrains what they can create.

  • Disable Unused IAM Roles: Regularly audit IAM roles and disable those that are inactive or unnecessary.
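Least privilege is easier to audit than to eyeball: the compromised key in this incident was not an administrator, yet its policy still contained a path to AdministratorAccess. The following is an added example, not code from the article or from AWS: a small checker that flags IAM policy documents granting a known escalation path (iam:CreateRole plus iam:AttachRolePolicy or iam:PutRolePolicy, and iam:PassRole plus lambda:CreateFunction) and reports whether the grant is constrained by an iam:PermissionsBoundary condition or a scoped Resource. The weak policy mirrors what the article says the stolen key could do; the hardened policy beside it, the account ID 111122223333, the AppBoundary policy and the app-* role names are assumptions.

```python
"""Flag IAM policies that grant a known privilege-escalation path.

Added example (not from the article or AWS): checks a policy document for
action combinations like the one the attackers used and reports whether the
grant is constrained. Account ID and policy names are made up.
"""
import fnmatch
import json

# Each path is a set of actions that together let a principal reach admin.
ESCALATION_PATHS = {
    "create-role-and-attach-policy": {"iam:CreateRole", "iam:AttachRolePolicy"},
    "create-role-and-inline-policy": {"iam:CreateRole", "iam:PutRolePolicy"},
    "pass-role-to-lambda": {"iam:PassRole", "lambda:CreateFunction"},
}
# The action whose constraints decide whether the path is mitigated.
KEYSTONE = {"create-role-and-attach-policy": "iam:CreateRole",
            "create-role-and-inline-policy": "iam:CreateRole",
            "pass-role-to-lambda": "iam:PassRole"}

# What the stolen key could do, per the article: create roles and attach policies.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
]}

# Same workflow, but every new role is capped by a permissions boundary and
# PassRole is limited to app-* roles handed to Lambda only.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": "arn:aws:iam::111122223333:role/app-*",
     "Condition": {"StringEquals": {
         "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/AppBoundary"}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/app-*",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
     "Resource": "*"},
]}


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def statements_allowing(policy, action):
    """Allow statements whose Action patterns cover action (Deny/NotAction ignored)."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            out.append(stmt)
    return out


def _has_boundary_condition(stmt):
    for op, kv in (stmt.get("Condition") or {}).items():
        if op.lower().startswith("string") and \
                any(k.lower() == "iam:permissionsboundary" for k in kv):
            return True
    return False


def _resource_scoped(stmt):
    return all(r != "*" for r in _as_list(stmt.get("Resource")))


def _mitigated(path, stmt):
    if KEYSTONE[path] == "iam:CreateRole":
        # New roles are capped by the boundary (the boundary policy itself must
        # be protected from edits by the same principal, which is not checked here).
        return _has_boundary_condition(stmt)
    return _resource_scoped(stmt)  # iam:PassRole must not cover every role


def find_escalation_paths(policy):
    """List every escalation path the policy grants and whether it is mitigated."""
    results = []
    for path, actions in ESCALATION_PATHS.items():
        grants = {a: statements_allowing(policy, a) for a in actions}
        if not all(grants.values()):
            continue
        keystone_stmts = grants[KEYSTONE[path]]
        results.append({"path": path,
                        "mitigated": all(_mitigated(path, s) for s in keystone_stmts)})
    return results


def unmitigated_paths(policy):
    return sorted(r["path"] for r in find_escalation_paths(policy) if not r["mitigated"])


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_escalation_paths(pol)))
```

The hardened policy still lets the team create roles and deploy Lambda functions, which is the point: least privilege is about bounding what a compromised key can become, not about removing the workflow. The checker deliberately ignores Deny statements and resource scoping on AttachRolePolicy, so treat a clean result as a necessary condition, not proof of safety.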

Continuous Monitoring and Logging

  • Monitor Network Traffic: Use network monitoring to detect unusual outbound data volume as an indicator of exfiltration attempts.

  • Enhance Logging and Visibility: Enable detailed logs for API calls and resource access across the cloud environment (CloudTrail management and S3 data events on AWS) and review them for activity such as new roles gaining administrative policies.

Secure Access and Authentication

  • Enforce Multi-Factor Authentication: Require MFA for all IAM users and administrators.

  • Implement Role-Based Access Control (RBAC): Use RBAC to manage and restrict access to resources based on defined user roles within the organization.

Conclusion

This incident shows threat actors' evolving techniques for attacking cloud environments: exploiting exposed credentials and misconfigurations to gain access, escalate privileges, and exfiltrate data. Their tradecraft, such as running scripts in AWS Lambda functions for stealth and routing traffic through Tor and VPNs to frustrate tracing, highlights the need for strong cloud security measures and proactive defences.

Ransom note left by the threat actor - Source: Paloalto