Cyberattacks keep happening every day, and attackers keep finding new ways in. Researchers at Palo Alto Networks' Unit 42 have uncovered one such large-scale campaign, in which attackers compromised the cloud environments of many organizations and extorted money from them. According to the researchers, the attackers' target list covered more than 230 million unique endpoints.
Attackers harvested exposed .env files
The attackers' strategy was simple but effective: collect .env (environment variable) files that had been left exposed on web servers. These files are often overlooked in security reviews, yet they commonly hold secrets such as API keys, cloud access keys and passwords for a range of programs and services. By retrieving them from misconfigured servers, the attackers obtained the credentials stored inside.
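The check a defender wants at this point is whether their own hosts serve a .env file over HTTP, and if so, what kind of credentials it leaks. The script below is an added example for this article, not code from Unit 42 or from the attackers. The variable names it recognises are common framework conventions (an assumption), the fetcher is injectable so the logic runs offline, and the sample response is constructed (it uses AWS's documented example key, which is not a live credential).

```python
"""Check whether a host serves its .env file over HTTP and triage what it leaks.

Added example for this article; it is not code from Unit 42 or from the
attackers. The variable names it recognises are common framework conventions
(assumption), and the sample response below is constructed.
"""
import re
import sys
import urllib.error
import urllib.request

KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# (category, key-name pattern, value pattern). Names are assumptions based on
# common conventions, not a list taken from the report.
SECRET_RULES = [
    ("aws_access_key", re.compile(r"^(AWS_ACCESS_KEY_ID|AWS_KEY)$"),
     re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")),
    ("aws_secret_key", re.compile(r"^AWS_SECRET_ACCESS_KEY$"), re.compile(r"^\S{20,}$")),
    ("mailgun_key", re.compile(r"^MAILGUN_(API_KEY|SECRET)$"), re.compile(r"^\S+$")),
    ("database_credential", re.compile(r"^(DB_PASSWORD|DATABASE_URL)$"), re.compile(r"^\S+$")),
    ("social_media_token", re.compile(r"^(FACEBOOK|TWITTER|INSTAGRAM)_\w*(SECRET|TOKEN)$"),
     re.compile(r"^\S+$")),
]


def parse_dotenv(body):
    """Return (key, value) pairs from text in KEY=VALUE form, dropping comments."""
    pairs = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not KEY_RE.match(key):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        pairs.append((key, value))
    return pairs


def looks_like_dotenv(body):
    """Distinguish a real .env from an HTML 'soft 404' page that still returns 200."""
    candidate = [l for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
    if not candidate or any(l.lstrip().startswith("<") for l in candidate):
        return False
    return len(parse_dotenv(body)) / len(candidate) >= 0.8


def classify_secrets(pairs):
    """Map each secret category to the variable names that carry it."""
    found = {}
    for key, value in pairs:
        for category, key_re, value_re in SECRET_RULES:
            if key_re.match(key) and value_re.match(value):
                found.setdefault(category, []).append(key)
    return found


def http_fetch(url, timeout=5):
    """Fetch url; return (status, body), or (None, '') on network errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_domain(domain, fetch=http_fetch):
    """Report whether https://<domain>/.env is exposed and which secrets it holds."""
    status, body = fetch(f"https://{domain}/.env")
    if status != 200 or not looks_like_dotenv(body):
        return {"domain": domain, "exposed": False, "secrets": {}}
    return {"domain": domain, "exposed": True,
            "secrets": classify_secrets(parse_dotenv(body))}


# Constructed sample of an exposed file (AWS's documented example key, not a live one).
SAMPLE_ENV = (
    "APP_ENV=production\n"
    "# credentials below\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    'MAILGUN_API_KEY="key-0123456789abcdef0123456789abcdef"\n'
)

if __name__ == "__main__":
    for d in sys.argv[1:]:
        print(check_domain(d))
```

Run it against your own domains (`python check_env.py example.com`); the soft-404 check matters because many hosts answer 200 with an HTML error page, which a naive scanner would count as a hit.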
Millions of domains scanned with automated tools
Notably, the attackers scanned millions of domains with automated tools. They did not stop at discovery: they collected the credentials stored in the exposed .env files and used the AWS keys among them to enumerate the environment with API calls such as GetCallerIdentity, ListUsers and ListBuckets. They then escalated their privileges by creating new IAM roles and attaching policies to them, which left them with full administrative rights. This shows that they were well aware of the nuances of AWS IAM.
The .env files of more than 110,000 domains were compromised
Next, they deployed Lambda functions in several AWS regions to scan further domains for exposed .env files, paying particular attention to Mailgun credentials, which are useful for large-scale phishing campaigns. The research also found that the attackers had compromised the .env files of more than 110,000 domains and that their target list exceeded 230 million unique endpoints. With the harvested AWS credentials they eventually exfiltrated data from S3 buckets as well.
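The sequence described in the last two sections (enumeration with GetCallerIdentity, ListUsers and ListBuckets, then CreateRole and AttachRolePolicy to reach administrator, then Lambda deployment) is exactly the chain a detection rule over CloudTrail should look for. The code below is an added example for this article, not detection content from Unit 42. It runs over a constructed list of CloudTrail-style records; the ARNs, timestamps, role and function names are invented. CloudTrail records Lambda's CreateFunction call under its versioned name, CreateFunction20150331.

```python
"""Spot the recon -> privilege escalation -> Lambda deployment chain in CloudTrail.

Added example for this article, not detection content from Unit 42. It runs
over constructed CloudTrail-style records; ARNs, times and names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
LAMBDA_CREATE = "CreateFunction20150331"  # CloudTrail's name for lambda:CreateFunction


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_env_campaign(events, window=timedelta(hours=6)):
    """Return {principal_arn: finding} for principals that chain recon and escalation.

    A finding needs at least two distinct recon calls followed, within `window`,
    by an AttachRolePolicy that either attaches AdministratorAccess or targets a
    role the same principal just created. A later Lambda CreateFunction by that
    principal raises the severity from high to critical.
    """
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)

    findings = {}
    for arn, evs in by_principal.items():
        evs.sort(key=_when)
        recon = [e for e in evs if e["eventName"] in RECON_CALLS]
        if len({e["eventName"] for e in recon}) < 2:
            continue
        recon_start = _when(recon[0])
        created_roles = set()
        escalation = None
        for e in evs:
            if _when(e) < recon_start or _when(e) - recon_start > window:
                continue
            params = e.get("requestParameters") or {}
            if e["eventName"] == "CreateRole":
                created_roles.add(params.get("roleName"))
            elif e["eventName"] == "AttachRolePolicy" and (
                params.get("policyArn") == ADMIN_POLICY
                or params.get("roleName") in created_roles
            ):
                escalation = e
                break
        if escalation is None:
            continue
        lambda_deploys = [
            e for e in evs
            if e["eventName"] == LAMBDA_CREATE and _when(e) >= _when(escalation)
        ]
        esc_params = escalation.get("requestParameters") or {}
        findings[arn] = {
            "recon": sorted({e["eventName"] for e in recon}),
            "escalation": {"eventName": escalation["eventName"],
                           "roleName": esc_params.get("roleName"),
                           "policyArn": esc_params.get("policyArn")},
            "lambda_functions": [(e.get("requestParameters") or {}).get("functionName")
                                 for e in lambda_deploys],
            "severity": "critical" if lambda_deploys else "high",
        }
    return findings


def _ev(minutes, name, arn, source, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    when = datetime(2024, 8, 10, 9, 0) + timedelta(minutes=minutes)
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventName": name,
        "eventSource": source,
        "userIdentity": {"arn": arn},
        "requestParameters": params or {},
    }


ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"  # invented: leaked .env key
ADMIN = "arn:aws:iam::123456789012:user/alice"         # invented: legitimate admin
SAMPLE_EVENTS = [
    _ev(0, "GetCallerIdentity", ATTACKER, "sts.amazonaws.com"),
    _ev(1, "ListUsers", ATTACKER, "iam.amazonaws.com"),
    _ev(2, "ListBuckets", ATTACKER, "s3.amazonaws.com"),
    _ev(15, "CreateRole", ATTACKER, "iam.amazonaws.com", {"roleName": "lambda-ex"}),
    _ev(16, "AttachRolePolicy", ATTACKER, "iam.amazonaws.com",
        {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _ev(40, LAMBDA_CREATE, ATTACKER, "lambda.amazonaws.com",
        {"functionName": "scan-env-us-east-1"}),
    _ev(5, "ListBuckets", ADMIN, "s3.amazonaws.com"),  # benign: recon without escalation
    _ev(9, "ListUsers", ADMIN, "iam.amazonaws.com"),
]

if __name__ == "__main__":
    for principal, finding in detect_env_campaign(SAMPLE_EVENTS).items():
        print(principal, finding)
```

Requiring the escalation to follow the recon within a window is what keeps ordinary administrators who run ListUsers all day out of the results; the principal matters more than any single API name, all of which are common in legitimate use.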
Attack tactics of this sophistication demonstrate the importance of strong IAM policies, continuous monitoring of cloud activity, and proper protection of configuration files, so that unauthorized access and data loss or leakage in cloud environments can be avoided.
What the Palo Alto Networks research reveals
According to the Palo Alto Networks research, the attackers quickly realised that the IAM credentials used for initial access did not carry administrator rights over all cloud resources. They did notice, however, that the initial IAM role was permitted to create new IAM roles and to attach IAM policies to existing roles, and that was enough to escalate to administrator. The campaign also showed sophisticated tradecraft in data exfiltration and operational security. The attackers used the S3 Browser tool to issue the object-level API calls that copied and deleted data; because object-level (data event) logging is not enabled by default in CloudTrail, those operations left no direct audit trail in many environments.
Extortion followed
Importantly, the exfiltration can still be detected through cost and usage reports, which show spikes in GetObject and DeleteObject operations. After copying out and deleting the data, the attackers uploaded ransom notes to the now-empty S3 buckets, demanding payment to prevent the data from being leaked and to restore the deleted information. In some cases the ransom demand was also emailed to shareholders of the targeted company.
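Turning that observation into a detection means baselining per-bucket request counts and flagging a day that is far above its recent median, then pairing a GetObject spike with a DeleteObject spike on the same bucket shortly after. The code below is an added example for this article, not from Unit 42. It assumes the Cost and Usage Report (or S3 request metrics) has already been aggregated into one row per day, bucket and operation; that aggregation step, the column names and all sample rows are constructed.

```python
"""Flag GetObject/DeleteObject request spikes that betray bulk exfiltration and wipe.

Added example for this article, not from Unit 42. It assumes the Cost and Usage
Report (or S3 request metrics) has already been aggregated into one row per
day, bucket and operation; that aggregation and the sample rows are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def daily_series(rows):
    """Group rows into {(bucket, operation): [(date, requests), ...]} sorted by date."""
    series = defaultdict(list)
    for r in rows:
        series[(r["bucket"], r["operation"])].append((r["date"], r["requests"]))
    for key in series:
        series[key].sort()
    return series


def flag_spikes(rows, baseline_days=7, factor=5.0, min_requests=1000):
    """Flag a day whose count exceeds `factor` x the median of the preceding days.

    A median baseline keeps one earlier spike from masking later ones, and
    min_requests suppresses noise on buckets that normally see almost no traffic.
    """
    spikes = []
    for (bucket, op), points in daily_series(rows).items():
        for i, (day, count) in enumerate(points):
            history = [c for _, c in points[max(0, i - baseline_days):i]]
            if len(history) < 3:
                continue  # not enough baseline yet
            base = median(history)
            if count >= min_requests and count > factor * max(base, 1):
                spikes.append({"date": day, "bucket": bucket, "operation": op,
                               "requests": count, "baseline": base})
    return spikes


def exfil_then_wipe(spikes, max_gap_days=2):
    """Pair a GetObject spike with a DeleteObject spike on the same bucket soon after."""
    findings = []
    gets = [s for s in spikes if s["operation"] == "GetObject"]
    dels = [s for s in spikes if s["operation"] == "DeleteObject"]
    for g in gets:
        for d in dels:
            gap = (d["date"] - g["date"]).days
            if d["bucket"] == g["bucket"] and 0 <= gap <= max_gap_days:
                findings.append((g["bucket"], g["date"], d["date"]))
    return findings


START = date(2024, 8, 1)
_BACKUPS_GET = [95, 102, 88, 110, 97, 105, 91, 48000, 90, 93]
_BACKUPS_DEL = [2, 1, 3, 0, 2, 1, 4, 2, 47000, 1]

# Constructed sample: a quiet backup bucket that is bulk-read on 8 Aug and emptied
# on 9 Aug, and a busy static-assets bucket whose high but steady traffic must
# not be flagged.
SAMPLE_ROWS = []
for _i in range(10):
    _day = START + timedelta(days=_i)
    SAMPLE_ROWS.append({"date": _day, "bucket": "acme-backups",
                        "operation": "GetObject", "requests": _BACKUPS_GET[_i]})
    SAMPLE_ROWS.append({"date": _day, "bucket": "acme-backups",
                        "operation": "DeleteObject", "requests": _BACKUPS_DEL[_i]})
    SAMPLE_ROWS.append({"date": _day, "bucket": "acme-static",
                        "operation": "GetObject", "requests": 20000})

if __name__ == "__main__":
    found = flag_spikes(SAMPLE_ROWS)
    for s in found:
        print(s)
    print("exfil-then-wipe:", exfil_then_wipe(found))
```

Billing data lags by hours to a day, so this is a backstop, not a real-time control; enabling S3 data events in CloudTrail (and GuardDuty's S3 protection) gives the same signal far sooner.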
Going a step further, the attackers also harvested social media login credentials and information about the victims' basic infrastructure. But even skilled operators make mistakes. Although they routed their activity through both Tor nodes and VPN clients to mask its origin, lapses in their operational security left traces pointing to Ukraine and Morocco.
Adopting strong security measures
Organizations should implement measures such as disabling unused AWS regions, enabling logging in every region with a retention period of at least 90 days, and turning on Amazon GuardDuty.
Beyond that, companies should adopt least privilege, prefer temporary credentials over long-lived access keys, and build custom alerting tuned to their own usage patterns within AWS.
A multilayered defence, combining continuous monitoring with periodic security audits, greatly reduces the chance that an attack like this one succeeds.
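Least privilege is the recommendation that would have broken this campaign earliest: the research section above notes that the initial role was not an administrator but could create roles and attach policies, which is all an attacker needs. A useful audit is to lint IAM policy documents for permission combinations that allow such self-escalation. The linter below is an added example for this article, not a tool from Unit 42 or AWS; the escalation primitives it lists are well-known IAM escalation paths, and both sample policies are constructed. It examines only Allow statements and ignores Resource and Condition scoping, so a hit means "review this", not "this is exploitable".

```python
"""Lint an IAM policy document for permissions that allow privilege escalation.

Added example for this article, not a tool from Unit 42 or AWS. The sample
policies are constructed. Only Allow statements are examined; Resource and
Condition scoping are ignored, so flagged policies still need human review.
"""
import fnmatch

# Action sets that together let a principal grant itself more rights.
ESCALATION_PATHS = {
    "AttachRolePolicy": {"iam:AttachRolePolicy"},       # attach AdministratorAccess to a role
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "PutRolePolicy": {"iam:PutRolePolicy"},             # inline policy on a role
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},  # new default version of a policy
    "SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "CreateAccessKey": {"iam:CreateAccessKey"},         # mint keys for another user
    "UpdateAssumeRolePolicy+AssumeRole": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
    "PassRole+Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}


def allowed_action_patterns(policy):
    """Collect the Action patterns from every Allow statement (NotAction is skipped)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        actions = st["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in patterns]


def grants(patterns, action):
    """True if any pattern (IAM wildcards * and ?) matches the action, case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def find_escalation_paths(policy):
    """Return the names of escalation paths this policy fully enables."""
    patterns = allowed_action_patterns(policy)
    if any(p in ("*", "iam:*") for p in patterns):
        return ["*"]  # wildcard or full IAM access: everything below is implied
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(grants(patterns, a) for a in needed)]


# Constructed: what an over-broad "deploy" role behind a leaked key might look like.
INITIAL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ],
}

# Constructed: the same workload scoped down to what it actually needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::acme-app-assets/*"},
        {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:acme-app"},
    ],
}

if __name__ == "__main__":
    print("initial:", find_escalation_paths(INITIAL_ACCESS_POLICY))
    print("scoped: ", find_escalation_paths(SCOPED_POLICY))
```

Run it over every customer-managed policy in the account (for example from `aws iam get-policy-version` output) and treat each hit as a candidate for scoping down; a Deny statement or a tight Resource can neutralise a path, so confirm with IAM Access Analyzer or the policy simulator before closing a finding.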
#AWSCloud #DataProtection #CloudEnvironments #CyberAttack2024 #CloudSecurityBreach #AWSIncident #CyberSecurity