Hackers exploited AWS misconfigurations, leaking 2TB of sensitive data, including customer information, credentials and proprietary source code
Analysis Summary
# Incident Report: Massive Data Breach Exploiting AWS Misconfigurations
## Executive Summary
A massive cyber operation, attributed to the Nemesis and ShinyHunters groups, exploited customer-side misconfigurations within Amazon Web Services (AWS) environments, leading to the breach of over 2TB of sensitive data. The attack involved large-scale internet scanning to find vulnerable public endpoints, resulting in the exfiltration of credentials, API keys, and proprietary source code, which were subsequently sold online. Response efforts focused on advising clients on configuration remediation as the root cause lay within customer environments under the shared responsibility model.
## Incident Details
- **Discovery Date:** Not explicitly stated, but research revealing the activity was reported on December 10, 2024.
- **Incident Date:** Ongoing operation based on retrospective scanning and exploitation, likely occurring over a period leading up to the report date.
- **Affected Organization:** Undisclosed organizations using AWS; the scope is global.
- **Sector:** Technology/Any organization utilizing public cloud infrastructure (AWS).
- **Geography:** Worldwide (Targeting AWS IP ranges globally).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, but part of an ongoing, large-scale operation.
- **Vector:** Large-scale internet scanning targeting improperly configured public websites and exposed endpoints within AWS IP ranges.
- **Details:** Attackers used tools like Shodan for reverse lookups on IP addresses linked to AWS to identify vulnerable endpoints. SSL certificate analysis was used to expand domain target lists.
### Lateral Movement
- **Details:** Exploits, such as remote shells, were used to gain deeper penetration into compromised systems once vulnerable endpoints were identified.
### Data Exfiltration/Impact
- **Details:** Over 2 TB of sensitive data was compromised, including thousands of credentials, infrastructure credentials (AWS keys), API keys (e.g., for GitHub, Twilio, cryptocurrency exchanges), and proprietary source code. Stolen credentials were sold on Telegram channels.
### Detection & Response
- **How it was discovered:** Independent cybersecurity researchers (Noam Rotem and Ran Locar) uncovered the operation.
- **Response actions taken:** AWS collaborated with researchers. AWS emphasized the customer's role in the shared responsibility model and issued preventative advice to users.
## Attack Methodology
- **Initial Access:** Internet scanning of public AWS IP ranges looking for application misconfigurations and vulnerable endpoints.
- **Persistence:** Not explicitly detailed, but the ability to sell credentials suggests successful harvesting of long-term secrets.
- **Privilege Escalation:** Exploits (like remote shells) used post-discovery to deepen access.
- **Defense Evasion:** None required; the operation exploited existing misconfigurations rather than evading security controls.
- **Credential Access:** Direct access to exposed secrets stored improperly, including database credentials and API keys.
- **Discovery:** Reverse lookups via Shodan and SSL certificate analysis to map targets.
- **Lateral Movement:** Use of remote shells for deeper penetration.
- **Collection:** Gathering credentials, API keys, and source code from exposed data repositories.
- **Exfiltration:** Implied transfer of collected data, later marketed for sale.
- **Impact:** Data theft and financial gain for the threat actors through the sale of stolen secrets.
## Impact Assessment
- **Financial:** Attackers generated profit by selling stolen data (hundreds of euros per breach). Costs to affected organizations not quantified but likely significant due to remediation and data loss.
- **Data Breach:** Over 2 TB of data; included customer information, infrastructure credentials, API keys, and proprietary source code.
- **Operational:** Potential operational disruption depending on the criticality of exposed infrastructure credentials.
- **Reputational:** High reputational risk due to the scale and nature of the exposed data, implicating poor cloud security posture.
## Indicators of Compromise
- **Network indicators (Defanged):** Scanning activity targeting open AWS IP ranges.
- **File indicators:** Potential remnants related to remote shells or data staging areas (Not detailed).
- **Behavioral indicators:** Use of Shodan for targeted reconnaissance; marketing of stolen secrets on Telegram.
## Response Actions
- **Containment measures:** Not detailed for individual victims, but the nature of the attack suggests containment relies on immediate private key/API key rotation by affected customers.
- **Eradication steps:** Customers must audit configurations, disable exposed endpoints, and remove hard-coded secrets.
- **Recovery actions:** Rotation of all compromised secrets (AWS keys, GitHub tokens, etc.).
## Lessons Learned
- **Key takeaways:** Misconfigurations in the cloud environment remain a leading cause of massive data breaches, emphasizing the customer side of the shared responsibility model. Attackers are highly effective at leveraging public scanning tools (Shodan) to find entry points.
- **What could have been done better:** Organizations failed to adequately secure secrets management within their AWS deployments.
## Recommendations
- **Prevention measures for similar incidents:**
1. Strictly avoid hard-coding credentials; utilize services like AWS Secrets Manager.
2. Implement regular and automated rotation schedules for all access keys and secrets.
3. Deploy Web Application Firewalls (WAFs) to protect public endpoints.
4. Deploy CanaryTokens or similar tripwires on sensitive data stores to detect unauthorized access attempts.
5. Conduct regular, comprehensive vulnerability assessments focused specifically on cloud configuration hygiene.
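The two controls the report puts first (no hard-coded credentials, enforced key rotation) can both be checked from the defender's side before an attacker's scan finds them. The following is an added example, not code from the report or from AWS: a small audit that scans a constructed set of config and source files for hard-coded secrets in the formats named in the report (AWS keys, a GitHub token, a database password) and flags active IAM access keys older than a rotation threshold. All file contents, key ids and dates are constructed placeholders (the AWS key values are the documented `...EXAMPLE` placeholders), and the 90-day threshold and the field names of the key inventory are assumptions for illustration; in a real deployment the inventory would come from an IAM credential report.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample files; the secret values are format-correct placeholders, not real credentials.
SAMPLE_FILES = {
    "config/settings.env": (
        "DB_HOST=db.internal\n"
        "DB_PASSWORD=Sup3rS3cret!\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/notify.py": (
        "import os\n"
        "GITHUB_TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n"
        "twilio_sid = os.environ['TWILIO_SID']  # fine: read from the environment, not hard-coded\n"
    ),
}

# Patterns for the secret types named in the report. Dict order is the reporting order.
SECRET_PATTERNS = {
    # AWS access key ids: AKIA (long-term) or ASIA (temporary) followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    # AWS secret keys are 40 base64-like chars; require the variable name to avoid random matches
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # GitHub personal access token (classic): ghp_ plus 36 alphanumerics
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic password assignment; no leading \b so DB_PASSWORD=... is caught
    "generic_password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"),
}


def find_hardcoded_secrets(files):
    """Return (path, line_number, secret_kind) for every line matching a secret pattern."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, kind))
    return findings


# Assumed rotation policy (recommendation 2 in the report): keys older than this need rotating.
ROTATION_MAX_AGE = timedelta(days=90)

# Constructed key inventory in the shape of an IAM credential report (field names assumed).
SAMPLE_ACCESS_KEYS = [
    {"user": "deploy-bot", "key_id": "AKIAIOSFODNN7EXAMPLE", "status": "Active",
     "created": "2024-06-01T00:00:00Z", "last_used": "2024-12-09T00:00:00Z"},
    {"user": "analyst", "key_id": "AKIAI44QH8DHBEXAMPLE", "status": "Active",
     "created": "2024-11-20T00:00:00Z", "last_used": None},
    {"user": "old-service", "key_id": "AKIAIOSFODNN7EXAMPL2", "status": "Inactive",
     "created": "2023-01-15T00:00:00Z", "last_used": None},
]

# The report's publication date, used as "now" so the example is reproducible offline.
REPORT_DATE = datetime(2024, 12, 10, tzinfo=timezone.utc)


def stale_access_keys(keys, now, max_age=ROTATION_MAX_AGE):
    """Return (user, key_id, age_in_days) for active keys older than max_age."""
    stale = []
    for key in keys:
        if key["status"] != "Active":
            continue  # inactive keys cannot be used; they should still be deleted, but are not rotation findings
        created = datetime.fromisoformat(key["created"].replace("Z", "+00:00"))
        age = now - created
        if age > max_age:
            stale.append((key["user"], key["key_id"], age.days))
    return stale


if __name__ == "__main__":
    for path, lineno, kind in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"hard-coded secret: {path}:{lineno} ({kind})")
    for user, key_id, days in stale_access_keys(SAMPLE_ACCESS_KEYS, REPORT_DATE):
        # Only the key id is printed; it identifies the key without being a secret itself.
        print(f"rotate: user={user} key={key_id} age={days} days")
```

The scanner reports locations and secret kinds but never echoes the matched value, so its own output does not become another place secrets leak. Pattern matching of this kind gives a quick baseline; it will miss secrets in unfamiliar formats, which is why the report pairs it with moving secrets into a managed store and with automated rotation.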