Thousands of AWS credentials compromised via misconfigured websites
Hackers exploited misconfigured systems to extract sensitive information
A major operation seeking exposed credentials of Amazon Web Services (AWS) customers has been discovered, with hackers scanning millions of websites and exfiltrating sensitive data from thousands of misconfigured systems.
The operation, linked to the infamous Nemesis and ShinyHunters hacking groups, compromised over 2 terabytes of data, including customer information, infrastructure credentials, and proprietary source code.
The breach was uncovered in August by independent cybersecurity researchers Noam Rotem and Ran Locar, who found that the attackers had orchestrated an extensive internet scan targeting AWS IP ranges.
Using a sophisticated two-phase strategy, the hackers identified vulnerabilities and exploited misconfigured systems to extract sensitive information.
The attackers first scanned AWS IP ranges to identify misconfigured endpoints using tools like Shodan for reverse lookups on IP addresses. They correlated these findings with SSL certificates to expand their list of target domains.
The group then exploited exposed endpoints to access sensitive credentials such as database login details, API keys, and AWS secrets. In some cases, remote shell access enabled further penetration into compromised systems.
The breach exposed thousands of security credentials and secrets, including AWS access keys, API keys for platforms like GitHub, Twilio, and cryptocurrency exchanges, database credentials, SMTP credentials for email services, and proprietary source code.
The stolen data was reportedly sold via a dedicated Telegram channel, with proceeds funding the hackers' continued operations.
The operation uncovered connections to Sebastien Raoult, a figure associated with the now-defunct ShinyHunters group. Additional links tied the campaign to the Nemesis Blackmarket, notorious for selling stolen credentials.
In an unusual turn of events, the attackers themselves fell victim to poor cloud security practices. The researchers found that the exfiltrated data was stored in an unprotected AWS S3 bucket, accessible to anyone with the link.
The researchers reported their findings to the Israeli Cyber Directorate and later to AWS Security.
While AWS took action to mitigate the risks, it highlighted that the issue stemmed from customer misconfigurations rather than a vulnerability in its systems.
"AWS credentials include secrets that must be handled securely. AWS provides capabilities which remove the need to ever store these credentials in source code," a spokesperson told The Register.
"Customers still sometimes inadvertently expose credentials in public code repositories. When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer."
"If a customer's credentials are compromised, we recommend they revoke the credentials, check AWS CloudTrail logs for unwanted activity, and review their AWS account for any unwanted usage," the spokesperson added.
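The CloudTrail review the spokesperson recommends, as an added example that is not part of the original article or AWS tooling: it takes a set of CloudTrail records, a leaked access key ID and the time the key is believed to have been exposed, and returns every call made with that key since then, flagging IAM actions that would extend or persist access (the kind of "additional administrator user" activity described later in the piece). The key IDs, IP addresses and records are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real logs): one legitimate
# call before the key leaked, two suspicious calls afterwards, plus a
# call made with a different, unaffected key.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-01T09:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKEDKEY"}},
    {"eventTime": "2024-08-02T03:15:00Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKEDKEY"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2024-08-02T03:16:00Z", "eventName": "AttachUserPolicy",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLELEAKEDKEY"},
     "requestParameters": {"userName": "backup-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-08-02T08:00:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAOTHERKEY"}},
]})

# IAM actions that grant new principals or standing access; any of these
# made with a key known to be exposed deserves immediate attention.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                      "PutUserPolicy", "CreateLoginProfile", "AddUserToGroup"}

def _ts(value):
    # CloudTrail timestamps are ISO 8601 with a trailing 'Z' (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_key(trail_json, key_id, exposed_since):
    """Return events made with key_id at or after exposed_since, each tagged
    with whether it is a persistence-style IAM action."""
    since = _ts(exposed_since)
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        if _ts(rec["eventTime"]) < since:
            continue
        findings.append({
            "time": rec["eventTime"], "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "target": rec.get("requestParameters", {}).get("userName"),
            "persistence": rec["eventName"] in PERSISTENCE_EVENTS,
        })
    return findings
```

Anything flagged as persistence should be treated as its own compromised credential: the new user, key or policy has to be removed alongside revoking the leaked key.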
While AWS took steps to address the breach, experts warn that such campaigns are likely to persist.
Commenting on the data breach, Ev Kontsevoy, Teleport CEO, said: "The AWS credentials breach illustrates that large repositories of customer credentials are a goldmine for malicious actors. What is surprising is that so many customers continue to use static credentials in cloud environments that remain targets for hackers to gain privileged access to their infrastructure."
"Outdated password strategies need to be eliminated from today's highly complex DevOps and cloud environments. As long as access is governed by standing credentials, these 'secrets' can be exposed through human error. In this case, the affected AWS customers exposed credentials in public source code. Hackers were then able to leverage standing permissions to create additional administrator users."
"To counter these threats, organizations should eliminate static credentials in favor of cryptographic identity and replace standing privileges with ephemeral authorization that expires once tasks are complete. This approach will significantly reduce the attack surface, thwart breaches, and reduce the blast radius if identities are compromised."
"Pairing these measures with robust policy governance that can instantly show who has access to what and where vulnerabilities lie will further empower companies to continually remove risk from infrastructure access paths and respond effectively to attacks."