# Incident Report: Large-Scale Exploitation and Data Theft by ShinyHunters/Nemesis
## Executive Summary
A large-scale, automated hacking operation, attributed to the ShinyHunters and Nemesis groups, exploited vulnerabilities across millions of websites, resulting in the exfiltration of over 2 terabytes of sensitive data, including cloud credentials, source code, and cryptocurrency wallet details. The operation was automated using Python/PHP scripts and reconnaissance tools such as Shodan. A critical operational error by the attackers, leaving their own S3 bucket misconfigured and open, ultimately allowed researchers to uncover the scope and methodology of the attack.
## Incident Details
- **Discovery Date:** Not explicitly stated; implied to be recent, based on the publication of the researchers' report.
- **Incident Date:** Ongoing/Historical operation utilizing known techniques; specific start date unknown.
- **Affected Organization:** Millions of websites globally utilizing various platforms (implied across sectors).
- **Sector:** Technology, Finance, E-commerce (based on data types stolen).
- **Geography:** Global reach, with attack infrastructure traced back to a French-speaking country.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing/Automated campaign.
- **Vector:** Exploitation of vulnerabilities and misconfigurations across millions of websites.
- **Details:** Attackers used automated tools running Python/PHP scripts against AWS IP ranges, identified via Shodan reverse lookups, to discover exploitable endpoints.
### Lateral Movement
- **Details:** Attackers used stolen critical keys and secrets (e.g., AWS customer keys/secrets, Git credentials) to gain access to various AWS services, application databases, and internal network resources for further data collection.
### Data Exfiltration/Impact
- **Details:** Over 2 TB of sensitive data was stolen, including AWS service credentials, database/Git credentials (exposing source code), SMTP/SMS credentials, and cryptocurrency platform/wallet credentials.
### Detection & Response
- **Detection:** Independent researchers (Noam Rotem and Ran Locar) discovered the operations, notably by finding the attackers' misconfigured, open AWS S3 bucket used for storing harvested data.
- **Response Actions:** Researchers collaborated with the AWS Fraud Team to notify affected users and implement mitigation measures upon discovery.
## Attack Methodology
- **Initial Access:** Automated web scanning targeting vulnerable endpoints and misconfigurations.
- **Persistence:** Not explicitly detailed, but access was maintained via stolen long-term credentials (AWS keys, Git credentials).
- **Privilege Escalation:** Achieved through the exploitation of secrets that granted access to application databases and AWS service roles.
- **Defense Evasion:** Use of automated, distributed scanning infrastructure leveraging legitimate AWS IP ranges.
- **Credential Access:** Harvesting of infrastructure credentials, database passwords, and cryptocurrency wallet access.
- **Discovery:** Use of Shodan for reverse DNS lookups against discovered IPs to map out attack surfaces.
- **Lateral Movement:** Utilized stolen AWS credentials/keys to move between compromised cloud environments and internal repositories.
- **Collection:** Gathering of customer data, source code, infrastructure secrets, and financial access data.
- **Exfiltration:** Stolen data was staged in an attacker-controlled, misconfigured S3 bucket before being offered for sale.
- **Impact:** Direct financial loss potential via cryptocurrency theft and large-scale identity/infrastructure compromise.
## Impact Assessment
- **Financial:** Individuals and organizations face risk of financial loss through compromised cryptocurrency wallets and unauthorized use of cloud services. Stolen data was being sold for hundreds of euros per breach on Telegram.
- **Data Breach:** Over 2 TB of data stolen, including customer data, proprietary source code, Git credentials, AWS service secrets, SMTP/SMS credentials, and cryptocurrency trade/wallet access.
- **Operational:** Disruption possible due to compromised infrastructure credentials and source code exposure.
- **Reputational:** Significant damage due to the massive scale of the data theft, linked to notorious groups like ShinyHunters.
## Indicators of Compromise
- **Network Indicators:** Automated probing of IP addresses within AWS public ranges (no specific addresses are listed in this report).
- **File Indicators:** Python and PHP scripts associated with exploitation, documented in French and signed by "Sezyo Kaizen."
- **Behavioral Indicators:** High-volume, automated scanning using tools like `ffuf` and `httpx` targeting internet-exposed services.
## Response Actions
- **Containment:** Researchers collaborated with the AWS Fraud Team to implement mitigation measures for affected AWS users.
- **Eradication:** Efforts included identifying the individuals involved in selling the data across Telegram channels.
- **Recovery:** Notification of affected customers via AWS to reset compromised credentials and secure cloud environments.
## Lessons Learned
- The operation demonstrated the danger of highly organized cybercriminal syndicates exploiting complex cloud environments.
- The pivotal security failure was on the attackers' side: they left their own operational AWS S3 bucket misconfigured and open, which gave researchers insight into the entire operation.
- The incident underscores the necessity of proper cloud configuration and security controls, even for threat actors.
## Recommendations
- Conduct immediate audits of all cloud storage buckets (e.g., S3) to ensure strict access controls (deny-all by default).
- Implement stronger credential management, especially for highly privileged access keys (AWS secrets, Git access).
- Enhance network monitoring to detect large-scale, automated scanning traffic that exhibits unusual patterns, even when it originates from cloud provider IP ranges.
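A worked example of the first recommendation, added here and not part of the original report: an offline checker that reads an S3 bucket policy and flags statements granting access to everyone, the class of misconfiguration that exposed the attackers' own staging bucket. The sample policies, the account id `111122223333` and the VPC endpoint id are constructed; the check is a simplified heuristic, not AWS's exact public-access evaluation.

```python
import json

# Constructed sample bucket policies (hypothetical account id and VPC endpoint, not from the incident).
OPEN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
LOCKED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # A Deny to everyone is a hardening statement, not a public grant.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FromEndpoint", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the principal strings of a statement ("*" or {"AWS": [...]} forms)."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]


def audit_bucket_policy(policy_json):
    """Flag Allow statements granting access to a wildcard principal: 'public' when no
    Condition narrows the grant, 'conditional' when one does (needs human review).
    Simplified heuristic, not AWS's exact public-access evaluation."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "severity": severity,
                         "actions": _as_list(stmt.get("Action", []))})
    return findings
```

Run it against each bucket's policy document (retrieved with `aws s3api get-bucket-policy`) and treat any `public` finding as a deny-all-by-default violation to fix immediately.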