Unit 42 researchers detected a complex, large-scale campaign that manipulated and extorted several organizations using cloud systems.
Security analysts discovered that this large-scale attack on AWS targeted over 230 million unique cloud environments.
The attackers' tactic was to exploit exposed environment variable (.env) files on cloud infrastructure.
These .env files, often overlooked in security measures, contained confidential data such as access codes to different programs and services.
This allowed the hackers to gain unauthorized entry into the victims’ systems, through which they infiltrated further into the networks.
Technical Analysis
The threat actors used automated tools to scan millions of domains for exposed .env files that contained critical information.
Once in, they started by carrying out extensive reconnaissance of the breached environments with AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets.
Next, the actors elevated their privileges by creating new IAM roles with full administrative rights, which showed a good understanding of AWS IAM.
They then deployed malicious Lambda functions that recursively scanned for more .env files across multiple Amazon Web Services regions, with a particular focus on Mailgun credentials, which are useful for a large-scale phishing campaign.
The reach of the campaign was considerable: the attackers were able to access .env files in over 110,000 domains and had a target list that surpassed 230 million unique endpoints.
The operation finished with data exfiltration into S3 buckets controlled by the attackers.
These tactics highlight the importance of implementing sturdy IAM policies, monitoring cloud activity at all times, and applying strict security controls to configuration files to avoid unauthorized entry and the risk of data loss or leakage in cloud environments.
“Following the threat actor’s discovery operations, they identified that the original IAM credential used to gain initial access to the cloud environment did not have administrator access to all cloud resources. We determined that the attackers discovered the original IAM role used for initial access did have the permissions to both create new IAM roles and attach IAM policies to existing roles.” Palo Alto research.
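One way to detect the sequence described above (discovery calls followed by creation of a role with administrative rights) in CloudTrail management events, as an added example that is not code from the Unit 42 report or from this article. It assumes that "full administrative rights" means the AWS managed AdministratorAccess policy; the key IDs, role names, timestamps and the make_event helper are constructed for illustration.

```python
from collections import defaultdict

RECON = {"GetCallerIdentity", "ListUsers", "ListBuckets"}  # discovery calls named in the article
# Assumption: "full administrative rights" == AWS managed AdministratorAccess policy.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def make_event(minute, key, name, **params):
    """Build a constructed CloudTrail-style management event (illustrative helper)."""
    return {"eventTime": f"2024-01-01T00:{minute:02d}:00Z", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params or None}

# Constructed sample data: placeholder access key IDs and role names.
KEY_A, KEY_B = "AKIAEXAMPLE0000000001", "AKIAEXAMPLE0000000002"
SAMPLE_EVENTS = [
    make_event(1, KEY_A, "GetCallerIdentity"), make_event(2, KEY_A, "ListUsers"),
    make_event(3, KEY_A, "ListBuckets"),
    make_event(4, KEY_A, "CreateRole", roleName="example-new-role"),
    make_event(5, KEY_A, "AttachRolePolicy", roleName="example-new-role",
               policyArn=ADMIN_POLICY_ARN),
    make_event(6, KEY_B, "ListBuckets"),  # routine use: listing, then a read-only policy
    make_event(7, KEY_B, "AttachRolePolicy", roleName="example-app-role",
               policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]

def find_escalations(events):
    """Flag access keys that ran discovery calls and then attached the admin
    policy to a role that the same key had created."""
    recon_seen = defaultdict(set)     # access key -> discovery calls seen so far
    roles_created = defaultdict(set)  # access key -> roles created by that key
    findings = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        key = (e.get("userIdentity") or {}).get("accessKeyId")
        name, params = e.get("eventName"), e.get("requestParameters") or {}
        if key is None:
            continue
        if name in RECON:
            recon_seen[key].add(name)  # denied discovery calls still count
        elif e.get("errorCode"):
            continue                   # a failed role change granted nothing
        elif name == "CreateRole":
            roles_created[key].add(params.get("roleName"))
        elif (name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN
              and params.get("roleName") in roles_created[key] and recon_seen[key]):
            findings.append({"accessKeyId": key, "role": params["roleName"],
                             "recon": sorted(recon_seen[key]), "time": e["eventTime"]})
    return findings
```

In production the same correlation would normally be bounded by a time window and fed from the CloudTrail log store rather than an in-memory list.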
This cloud-based extortion campaign revealed sophisticated tactics in data exfiltration and operational security.
The attackers used the S3 Browser tool, which made specific API calls that gave away their operations without relying on object-level logging.
Exfiltration could also be detected through Cost and Usage Reports, which would show spikes in GetObject and DeleteObject operations.
After exfiltrating and deleting data, attackers uploaded ransom notes to the emptied S3 buckets, demanding payment to prevent data leaks and potentially restore deleted information.
These notes were the final stage of the extortion and were sometimes also sent by email to shareholders of the targeted company.
The campaign went beyond cloud services: it also compromised social media login credentials and revealed various infrastructure details.
The attackers' use of both Tor nodes and VPN clients was also a tactical error, as it could potentially disclose locations in Ukraine and Morocco.
Consequently, organizations need to implement proper security measures such as disabling unused AWS regions, having robust logs with a 90-day retention period, and employing Amazon GuardDuty.
To this end, companies should adopt least privilege, prefer temporary credentials, and develop custom alerting suited to their usage patterns within AWS.
A multi-layered defense that combines these strategies with continuous monitoring and periodic security audits is crucial in mitigating vulnerabilities exposed by such advanced attack campaigns.