Understanding the AWS Cyber Attack
Recently, a major cyber attack targeted Amazon Web Services (AWS), affecting over 230 million unique cloud environments. Security experts from Unit 42 uncovered that the attackers exploited exposed environment variable (.env) files. These files contained sensitive data such as access credentials, which allowed the hackers to infiltrate victims' systems.
How the Attack Was Carried Out
The attackers used automated tools to scan millions of domains for exposed .env files. These files often had critical information, making them a goldmine for attackers. Once these files were accessed, attackers performed detailed reconnaissance using AWS API calls, such as GetCallerIdentity, ListUsers, and ListBuckets. They further escalated their capabilities by creating new IAM roles with full administrative rights, demonstrating their deep understanding of AWS Identity and Access Management (IAM) components.
A key part of their strategy involved deploying malicious Lambda functions to search for more .env files across AWS regions. They focused especially on Mailgun credentials, enabling a large-scale phishing campaign.
In total, the attackers accessed .env files in more than 110,000 domains, affecting over 230 million unique endpoints. The attack concluded with data being transferred to S3 buckets controlled by the hackers.
Implications and Preventive Measures
This attack underscores the importance of robust IAM policies, vigilant cloud activity monitoring, and secure configuration file management. The attackers used the S3 Browser tool to make API calls without triggering object-level logs. However, the exfiltration of data could still be identified through Cost and Usage Reports, which would show spikes in specific operations such as GetObject and DeleteObject.
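One way to turn that Cost and Usage Report signal into a concrete check is to aggregate S3 request usage per operation and hour and flag hours that far exceed each operation's own baseline. This is an added example, not code from the article or from Unit 42; it assumes the CUR column names shown (lineItem/Operation carrying the S3 API operation name), hourly report granularity, and a constructed sample export embedded inline.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample of a Cost and Usage Report export, cut down to the
# columns this check reads. Hours 00-02 are the normal baseline; hour 03
# models a mass download followed by a mass delete of the same bucket.
SAMPLE_CUR = """\
lineItem/UsageStartDate,lineItem/ProductCode,lineItem/Operation,lineItem/UsageAmount
2024-08-10T00:00:00Z,AmazonS3,GetObject,120
2024-08-10T01:00:00Z,AmazonS3,GetObject,135
2024-08-10T02:00:00Z,AmazonS3,GetObject,110
2024-08-10T03:00:00Z,AmazonS3,GetObject,48000
2024-08-10T03:00:00Z,AmazonS3,DeleteObject,47500
2024-08-10T00:00:00Z,AmazonS3,DeleteObject,3
2024-08-10T01:00:00Z,AmazonS3,DeleteObject,2
2024-08-10T02:00:00Z,AmazonS3,DeleteObject,4
2024-08-10T04:00:00Z,AmazonS3,PutObject,15
"""

# Operations the article names as the ones that spike during exfiltration.
WATCHED_OPS = {"GetObject", "DeleteObject"}


def hourly_counts(cur_text):
    """Sum S3 request usage per (operation, hour) from CUR CSV text."""
    counts = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cur_text)):
        if row["lineItem/ProductCode"] != "AmazonS3":
            continue  # only S3 request line items matter here
        op = row["lineItem/Operation"]
        if op in WATCHED_OPS:
            key = (op, row["lineItem/UsageStartDate"])
            counts[key] += float(row["lineItem/UsageAmount"])
    return counts


def find_spikes(cur_text, factor=10.0):
    """Return (operation, hour, count) where count > factor x that op's median."""
    per_op = defaultdict(list)
    for (op, hour), n in hourly_counts(cur_text).items():
        per_op[op].append((hour, n))
    spikes = []
    for op, series in per_op.items():
        # The median is robust to the spike itself, so the baseline stays honest.
        median = statistics.median(n for _, n in series)
        for hour, n in series:
            if median > 0 and n > factor * median:
                spikes.append((op, hour, n))
    return sorted(spikes)
```

Because CUR data arrives with a delay, this is a retrospective check that complements, rather than replaces, object-level CloudTrail logging and GuardDuty alerts.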
Post-attack, ransom notes were placed in emptied S3 buckets, demanding payment to prevent data leaks and potentially restore deleted information. These actions were part of a larger extortion strategy, sometimes reaching company shareholders via email.
Beyond cloud services, the attack also compromised social media logins and revealed infrastructure details. Even so, the attackers' use of Tor nodes and VPNs inadvertently left traces suggesting locations in Ukraine and Morocco.
To defend against such sophisticated attacks, organizations should take steps like disabling unused AWS regions, maintaining comprehensive logs, and using Amazon GuardDuty. Implementing a multi-layered security approach with up-to-date monitoring and regular security audits is crucial. Using temporary credentials and enforcing the least privilege principle can significantly reduce vulnerability to these advanced threats.