Full Report
According to Unit42, a financial firm was attacked by an adversary that manipulated and compromised its cloud workloads. The threat actor was able to drop storage components such as buckets and tables, threatened to leak the firm's data if the ransom was not paid, and eventually t...
Analysis Summary
# Incident Report: Cloud Workload Compromise and Data Exfiltration at Financial Firm
## Executive Summary
A financial firm experienced a significant security incident initiated by a SIM-swap attack targeting an employee, leading to the compromise of cloud workloads. The threat actor leveraged compromised credentials to establish persistence, escalate privileges (obtaining `IAMFullAccess`), drop cloud storage components (buckets/tables), and extort the firm by threatening to leak data. After the firm refused to pay the ransom, the exfiltrated data appeared on dark web marketplaces months later.
## Incident Details
- Discovery Date: **Not explicitly stated** (Data appeared on dark web 'a few months later')
- Incident Date: **Prior to April 18, 2023** (Date of publication)
- Affected Organization: **Financial Firm**
- Sector: **Financial**
- Geography: **Not disclosed**
## Timeline of Events
### Initial Access
- **Date/Time:** **Unknown** (Precursor activities via SIM swap)
- **Vector:** **SIM-Swap Scam** targeting an employee's phone number.
- **Details:** The SIM swap allowed the adversary to access the victim’s email and Source Code Management (SCM) accounts linked to that number.
### Lateral Movement
- **Date/Time:** **Following Initial Access**
- **Vector:** Credential Harvesting and Privilege Escalation.
- **Details:** Accessing the SCM account resulted in the disclosure of 10 access keys to cloud accounts. One key possessed the `IAMFullAccess` role, which the adversary immediately used to create new users and grant greater privileges, enabling reconnaissance and lateral movement.
### Data Exfiltration/Impact
- **Date/Time:** **After Ransom Demand/Refusal**
- **Vector:** Exploitation of escalated privileges within cloud workloads.
- **Details:** The adversary manipulated and compromised cloud workloads, specifically **dropping storage components (buckets and tables)**. They demanded a ransom, threatening to leak data. Upon refusal, significant sensitive data was **exfiltrated**, later surfacing on the dark web.
### Detection & Response
- **Date/Time:** **Unknown** (Response actions initiated post-initial compromise)
- **Details:** The public report does not detail the initial detection method, only that the firm refused to pay the ransom, leading to the eventual public leak of data. Response likely involved containment, eradication of newly created users/resources, and remediation based on the key issues identified.
## Attack Methodology
- **Initial Access:** SIM Swap scam leading to credential harvesting from end-user communication/SCM.
- **Persistence:** Creating new cloud users with elevated roles.
- **Privilege Escalation:** Utilizing a harvested access key with the **`IAMFullAccess`** role to gain administrative capabilities.
- **Defense Evasion:** Not explicitly detailed, but likely involved operating under the guise of legitimate new users.
- **Credential Access:** Credential harvesting directly from **code repository (SCM)**.
- **Discovery:** Using newly privileged users to perform cloud reconnaissance.
- **Lateral Movement:** Moving across the cloud environment using escalated privileges.
- **Collection:** Gathering sensitive information stored in cloud environments.
- **Exfiltration:** Transferring collected data off-premises (leading to dark web listing).
- **Impact:** Data exfiltration, data destruction (dropping buckets/tables), and extortion attempt.
## Impact Assessment
- **Financial:** Unknown (Likely significant due to ransom demand and data leak remediation).
- **Data Breach:** **Sensitive data exfiltrated** (nature/volume unspecified), which later surfaced on the dark web.
- **Operational:** Disruption due to manipulation of critical storage components (buckets/tables).
- **Reputational:** Significant damage confirmed by the data appearing on the dark web months later.
## Indicators of Compromise
- *No specific IPs, URLs, or hashes provided in the context.*
- **Behavioral indicators:**
  - SIM-swap activity correlating with cloud login attempts.
  - Creation of new, unauthorized cloud users.
  - Usage of existing access keys to gain `IAMFullAccess`.
  - Dropping/deletion of cloud storage components (buckets/tables).
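The behavioral indicators above map directly onto CloudTrail management events, so they can be checked in a short correlation pass. The following is an added example, not code from Unit42 or the affected firm; the sample events, user names, and key ids are constructed placeholders that reproduce the chain described in this report (harvested key creates a user, grants it `IAMFullAccess`, and the new user drops a bucket and a table).

```python
"""Match the behavioural indicators above against CloudTrail-style events.
Added example with constructed sample events; nothing here is from the real incident."""
HIGH_PRIV_POLICIES = {"IAMFullAccess", "AdministratorAccess"}
DESTRUCTIVE = {"DeleteBucket", "DeleteTable", "DeleteBucketPolicy"}

# Constructed sample log (subset of CloudTrail fields, placeholder key ids):
# a harvested key creates a user, attaches IAMFullAccess to it, and that new
# user then deletes a bucket and a table. The GetObject line is benign noise.
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_1"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "ci-deploy", "accessKeyId": "AKIA_PLACEHOLDER_1"},
     "requestParameters": {"userName": "svc-backup2", "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}},
    {"eventName": "ListBuckets", "userIdentity": {"userName": "svc-backup2", "accessKeyId": "AKIA_PLACEHOLDER_2"},
     "requestParameters": None},
    {"eventName": "DeleteBucket", "userIdentity": {"userName": "svc-backup2", "accessKeyId": "AKIA_PLACEHOLDER_2"},
     "requestParameters": {"bucketName": "ledger-archive"}},
    {"eventName": "DeleteTable", "userIdentity": {"userName": "svc-backup2", "accessKeyId": "AKIA_PLACEHOLDER_2"},
     "requestParameters": {"tableName": "transactions"}},
    {"eventName": "GetObject", "userIdentity": {"userName": "reporting", "accessKeyId": "AKIA_PLACEHOLDER_3"},
     "requestParameters": {"bucketName": "reports"}},
]

def flag_events(events):
    """Return (severity, eventName, actor, reason) tuples in log order.
    Users created earlier in the same log are remembered, so a high-privilege
    grant to them or a destructive call by them is scored higher."""
    findings, created_users = [], set()
    for e in events:
        name = e["eventName"]
        actor = e["userIdentity"].get("userName", "?")
        params = e.get("requestParameters") or {}
        if name == "CreateUser":
            created_users.add(params["userName"])
            findings.append(("medium", name, actor, f"new IAM user {params['userName']}"))
        elif name in ("AttachUserPolicy", "AttachRolePolicy"):
            policy = params.get("policyArn", "").rsplit("/", 1)[-1]
            if policy in HIGH_PRIV_POLICIES:
                sev = "high" if params.get("userName") in created_users else "medium"
                findings.append((sev, name, actor, f"{policy} granted to {params.get('userName')}"))
        elif name in DESTRUCTIVE:
            target = params.get("bucketName") or params.get("tableName")
            sev = "critical" if actor in created_users else "high"
            findings.append((sev, name, actor, f"storage component {target} deleted"))
    return findings

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding)
```

Real CloudTrail records carry more fields (`eventTime`, `sourceIPAddress`, `userIdentity.type`); correlating the SIM-swap indicator would additionally need the identity provider's authentication logs, which this snippet does not consume.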
## Response Actions
- **Containment:** (Inferred) Revoking compromised access keys and disabling the newly created administrative users immediately upon discovery.
- **Eradication:** (Inferred) Auditing and removing any backdoors or rogue configurations made via the compromised administrative users.
- **Recovery:** (Inferred) Restoring data from affected storage components. Not paying the ransom.
## Lessons Learned
- **Overly permissive identity:** The end-user possessed an identity/role assignment that granted excessive privileges (`IAMFullAccess`), which was disproportionate to their standard role.
- **Credential Leak in SCM:** Access keys were hardcoded or stored unsecured in source code repositories, leading to direct cloud compromise.
- **Insufficient Logging:** Lack of robust logging likely hindered rapid detection and investigation of the privilege escalation chain.
## Recommendations
- **Implement Least Privilege:** Review all user and service accounts to ensure roles are scoped strictly to necessary permissions, specifically removing high-privilege roles like `IAMFullAccess` from standard personnel or keys checked into code repositories.
- **Secure Secrets Management:** Enforce mandatory use of secrets management vaults (e.g., AWS Secrets Manager, Azure Key Vault) and implement strict policies (e.g., GitGuardian scanning) to prevent credentials, API keys, or access tokens from being checked into SCM.
- **Enhance MFA & Endpoint Security:** Deploy stronger Multi-Factor Authentication (MFA) resistant to SIM-swapping (e.g., hardware tokens or FIDO2 keys) for all critical accounts, starting with high-risk employees like those with access to sensitive SCM or email.
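The root cause in this report was access keys sitting in an SCM repository, so the secrets-management recommendation is best enforced before a commit lands. The following is an added example of such a pre-commit check, written here and not taken from GitGuardian or any vendor tool; it looks for AWS-format access key ids and for 40-character secrets next to a telling variable name, and the sample config file and its credential values are constructed placeholders.

```python
"""Pre-commit style scan for AWS-format credentials before they reach SCM.
Added example (not a vendor tool); sample content and key values are constructed."""
import re
import sys
from pathlib import Path

# AWS access key ids: 'AKIA' (long-lived) or 'ASIA' (temporary) plus 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-style characters; only flag them next to a name containing
# 'aws' and 'secret' so that hashes and other blobs are not reported.
SECRET_KEY = re.compile(
    r"(?i)aws.{0,20}secret.{0,20}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def scan_text(text):
    """Return (line_number, kind, redacted_preview) for every credential found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((lineno, "aws_access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_KEY.finditer(line):
            hits.append((lineno, "aws_secret_access_key", m.group(1)[:4] + "..."))
    return hits

def scan_paths(paths):
    """Scan files on disk; returns {path: hits} only for files containing credentials."""
    findings = {}
    for p in paths:
        try:
            hits = scan_text(Path(p).read_text(errors="replace"))
        except OSError:  # unreadable or missing file: skip, do not fail the hook
            continue
        if hits:
            findings[str(p)] = hits
    return findings

# Constructed sample of a credentials file that should never be committed (placeholder values).
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = constructed/secret/value/0123456789ABCDE
# the sha256 below is not a credential and must not be flagged
checksum = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

if __name__ == "__main__":
    # Usage as a hook: python scan.py <staged files>; exit status 1 blocks the commit.
    results = scan_paths(sys.argv[1:])
    for path, hits in results.items():
        for lineno, kind, preview in hits:
            print(f"{path}:{lineno}: {kind} ({preview})")
    sys.exit(1 if results else 0)
```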