Exclusive A massive online heist targeting AWS customers during which digital crooks abused misconfigurations in public websites and stole source code, thousands of credentials, and other secrets remains "ongoing to this day," according to security researchers.
Breach hunters Noam Rotem and Ran Locar identified and reported names and contact information of some of the miscreants involved to both the Israeli Cyber Directorate and AWS Fraud Team, according to Rotem, who spoke exclusively with The Register about their investigation.
In addition to stealing AWS customer keys and secrets, Rotem and Locar say the digital looters were looking to uncover database credentials, Git credentials and source code, SMTP info for sending emails, Twilio keys for SMS, CPanel, and SSH credentials, Cryptopay and CoinPayment keys, Sendgrid email credentials, plus Google, Facebook, and Binance account secrets.
They believe the data thieves are connected to the Nemesis and ShinyHunters cybercrime gangs based on some of the hacking tools used during the operation.
ShinyHunters, as readers may recall, is the crew that allegedly breached AT&T Wireless, Microsoft, and Ticketmaster. The researchers tell us the tools used were signed by "Sezyo Kaizen," an alias linked to ShinyHunters' phishing website developer Sebastien Raoult, who in January pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft.
During their investigation, the duo also spotted a signature used by the operator of a darknet market called Nemesis Blackmarket.
They suspect the operation began as early as March, "and by monitoring the 'Nemesis' channel, we see it's still ongoing to this day," Rotem told The Register.
And the crooks would have gotten away with it, if it weren't for an ironic twist. The criminals stored the victims' data, more than 2 TB total, in an open S3 bucket misconfigured by its owner.
Crims left stolen data in open S3 bucket
"We found the open bucket during our own scans for misconfigured cloud environments," Rotem said. "Our goal was to have it closed so the customer data inside would remain safe; the perpetrators from Nemesis did the same for different intentions."
In addition to leading the threat researchers to the crooks' digital infrastructure, the misconfigured storage bucket also indicates that people – criminals included – still have a difficult time understanding the shared responsibility model between cloud providers and their customers.
As Rotem and Locar noted in a report published Monday and shared in advance with The Register, the misconfigurations that allowed attackers to steal at least 1,526 AWS customer credentials in August alone "are on the customer side of the shared responsibility model." Yes, they affected AWS customers. But they "could occur on any cloud service provider."
These misconfigs included "leaving the keys in publicly available files, leaving open code repositories, leaving unguarded databases, etc," Rotem said. "These things are in the hands of AWS's customers and AWS has no control over them."
AWS, for its part, told El Reg that all of its services "are operating as expected," and that the credential and data stealing campaign doesn't present a security hole that the cloud giant needs to plug.
There were also files listing tens of thousands of vulnerable targets all over the world as well as all the necessary information to access their data or use their resources for other purposes
"AWS credentials include secrets that must be handled securely. AWS provides capabilities which remove the need to ever store these credentials in source code," a spokesperson said, pointing to AWS Secrets Manager as one such tool that the cloud giant provides to help customers manage and rotate database credentials, API keys, and other secrets.
"Customers still sometimes inadvertently expose credentials in public code repositories," the spokesperson added.
"When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer," he continued. "If a customer's credentials are compromised, we recommend they revoke the credentials, check AWS CloudTrail logs for unwanted activity, and review their AWS account for any unwanted usage."
The duo uncovered the data theft operation in August after they found the crooks' open S3 bucket that was being used as a "shared drive" between gang members.
"During our investigation, we found not only the code and software tools used to run the operation, but also some of the stolen data itself, including thousands of keys and secrets," the researchers wrote. "There were also files listing tens of thousands of vulnerable targets all over the world as well as all the necessary information to access their data or use their resources for other purposes."
Massive scanning operation
Here's how the attack went down. It involved a series of pre-scanning activities to identify targets before the criminals scanned for secrets and other sensitive information to steal.
First, the attackers used a series of scripts and open source tools including Project Discovery's red-teaming software to scan 26.8 million IP addresses belonging to AWS. Then they used publicly available Shodan to perform reverse lookups on the IP addresses and get the domain names associated with each one.
The crooks also analyzed the SSL certificates served by each IP to further extend their list of domains.
After determining their targets, the criminals began the real scanning process looking for exposed generic endpoints such as environment (.env) files, configuration files, and exposed git repositories, and then categorizing by system or framework, such as Laravel, Wordpress, YII, etc.
"Once a system was categorized, a special set of tests was performed on it, attempting to extract database access information, keys, passwords, and more from product specific endpoints," according to the researchers.
In instances where they wanted more than just the exposed information, the criminals used known exploits to install remote shells and thus dig deeper for sensitive info.
After verifying the exposed AWS customer credentials, the crooks hunted for privileges on key AWS services including IAM, which is a jackpot for criminals because keys with IAM privileges can be exploited to create additional administrator users.
They also checked for privileges on Amazon's SES email and SNS notification services that can be abused to send fraudulent and phishing messages, as well as S3 buckets, which allow criminals to steal sensitive data belonging to organizations and their customers.
After reporting the crime to the Israeli Cyber Directorate in early September, the researchers notified AWS Security on September 26. The cloud giant completed its investigation last month.
Rotem and Locar's report includes an entire section on how orgs can protect themselves from similar attacks, and we highly recommend reading it in its entirety. But one key point we want to highlight, as the duo note in bold: "The first thing any system operator should do is make sure they NEVER have hard-coded credentials in their code or even in their file system." ®