Hackers Exploit AWS Misconfigurations in Massive Data Breach


A significant cyber operation exploiting vulnerabilities in improperly configured public websites has been linked to the Nemesis and ShinyHunters hacking groups, exposing sensitive data, including customer information, infrastructure credentials and proprietary source code.

According to independent cybersecurity researchers Noam Rotem and Ran Locar, the attackers orchestrated a large-scale internet scan targeting vulnerable endpoints within Amazon Web Services (AWS) IP ranges.

They accessed sensitive information through misconfigured systems, resulting in over 2 TB of compromised data. This data included thousands of credentials and secrets alongside detailed lists of exploitable targets worldwide.

How the Operation Worked

The cybercriminals implemented a two-phase attack strategy:

  • Discovery: Starting from the AWS IP ranges that Amazon publishes, the attackers scanned for hosts with application vulnerabilities or misconfigurations. They used tools such as Shodan to reverse-look-up IP addresses and recover the domain names served from them, and analysed TLS/SSL certificates (which list the hostnames they cover) to expand the target list further.

  • Exploitation: On each exposed endpoint they hunted for sensitive data such as database credentials, API keys and other secrets. Where the harvested material allowed it, they went deeper, for example by obtaining remote shells on the compromised systems.
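The discovery and exploitation phases above leave a recognisable footprint in a target's web server logs: one source address requesting many distinct paths in a short window, most of them answered 404, before it finds something that responds. The following detector is an added example written for this article, not code from the researchers or from AWS. The log lines are constructed, the probed paths are my assumptions about what credential hunting looks like (the research does not name specific paths), and the thresholds (four distinct paths within sixty seconds, at least half of them 404) are tunable assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of combined-format access-log lines (not real traffic).
# 203.0.113.7 probes several configuration paths in quick succession, the
# pattern of a secret-hunting scan; 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2024:10:15:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:15:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:15:02 +0000] "GET /config.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:15:02 +0000] "GET /backup.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2024:10:15:03 +0000] "GET /phpinfo.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Dec/2024:10:15:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Dec/2024:10:15:06 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Dec/2024:10:15:09 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Fields of the Apache/Nginx "combined" format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def find_scanners(log_text, min_paths=4, max_window_seconds=60, min_404_ratio=0.5):
    """Return {source_ip: sorted list of every path it requested} for sources
    that, inside any sliding window of max_window_seconds, requested at least
    min_paths distinct paths with at least min_404_ratio of them answered 404.
    All three thresholds are assumptions to be tuned against real traffic."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside the time limit.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > max_window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len({r["path"] for r in window}) < min_paths:
                continue
            not_found = sum(1 for r in window if r["status"] == 404) / len(window)
            if not_found >= min_404_ratio:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} scanned {len(paths)} paths: {', '.join(paths)}")
```

The 200 on the final probe is the interesting line: a scanner that has just been flagged and then receives a success response is exactly the case where a secret may have left the host, so an alert on this pattern should include the paths that did not 404.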

The stolen information ranged from AWS keys to credentials for popular platforms like GitHub, Twilio and cryptocurrency exchanges. Verified credentials were later marketed on Telegram channels for hundreds of euros per breach.


The research uncovered links between the operation and Sebastien Raoult, associated with the defunct ShinyHunters group. Other connections tied the attackers to the Nemesis Blackmarket, known for selling stolen credentials.

“Both of these ‘gangs’ represent a technically sophisticated cybercriminal syndicate that operates at scale for profit,” said Jim Routh, chief trust officer at Saviynt.

“They use their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing. The diversity in targeted information […] sought is significant, and the scale of operations for the criminals is significant.”

Mitigation and Prevention

AWS collaborated with the researchers and emphasized that the breaches stemmed from customer-side misconfigurations under the shared responsibility model.

Customers were advised to:

  • Avoid hard-coded credentials by using services like AWS Secrets Manager

  • Periodically rotate keys and secrets

  • Deploy Web Application Firewalls (WAFs)

  • Use CanaryTokens as tripwires for sensitive information
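The first two recommendations are easy to check mechanically, and the campaign described above shows why: a long-term key that sits in a config file and is never rotated stays valid for as long as the file is exposed. The following is an added example written for this article, not AWS guidance or the researchers' code. It does two things: it scans a blob of text for hard-coded AWS long-term credentials (access key IDs really do start with `AKIA` followed by 16 upper-case alphanumerics; the 40-character secret pattern is a heuristic), and it flags active keys older than a threshold in a listing shaped like the output of `aws iam list-access-keys`. The sample config and key listing are constructed; the key IDs and secret are the placeholder values AWS uses in its own documentation plus one made-up ID, and the 90-day threshold is my assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Long-term access key IDs: "AKIA" + 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 characters; anchoring on the variable name keeps noise down.
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def find_hardcoded_aws_credentials(text):
    """Return (sorted unique key IDs, secrets) found in source or config text.
    Hits are leads to verify, not proof: the secret regex is a heuristic."""
    return sorted(set(AWS_KEY_ID_RE.findall(text))), AWS_SECRET_RE.findall(text)


# Constructed sample: an application .env-style file that embeds a long-term
# key (these are AWS's documentation placeholder values, not live credentials).
SAMPLE_CONFIG = """\
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample shaped like `aws iam list-access-keys` JSON output.
SAMPLE_KEYS = {
    "AccessKeyMetadata": [
        {"UserName": "deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2024-01-15T09:00:00+00:00"},
        {"UserName": "ci", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
         "Status": "Active", "CreateDate": "2024-10-20T09:00:00+00:00"},
        {"UserName": "legacy", "AccessKeyId": "AKIAEXAMPLE000000000",
         "Status": "Inactive", "CreateDate": "2023-06-01T00:00:00+00:00"},
    ]
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REPORT_TIME = datetime(2024, 12, 2, 12, 0, tzinfo=timezone.utc)


def stale_access_keys(listing, now, max_age_days=90):
    """Return [(user, key_id, age_in_days)] for Active keys older than max_age_days.
    Inactive keys are skipped: they should be deleted, not rotated."""
    stale = []
    for key in listing["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        created = datetime.fromisoformat(key["CreateDate"])
        age = now - created
        if age > timedelta(days=max_age_days):
            stale.append((key["UserName"], key["AccessKeyId"], age.days))
    return stale


if __name__ == "__main__":
    ids, secrets = find_hardcoded_aws_credentials(SAMPLE_CONFIG)
    print("hard-coded key IDs:", ids, "secrets found:", len(secrets))
    for user, key_id, days in stale_access_keys(SAMPLE_KEYS, REPORT_TIME):
        print(f"rotate {key_id} ({user}): {days} days old")
```

Running the credential scan over a repository before every commit, and the age check on a schedule against the real `list-access-keys` output, closes the two gaps the attackers in this campaign relied on: a secret that was checked in and a key that stayed valid after the file leaked.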

While AWS took steps to mitigate the attack’s impact, experts warn that such operations persist. Proactive measures, including regular vulnerability assessments, remain crucial to safeguarding digital assets.
