110K Domains Targeted in 'Sophisticated' AWS Cloud Extortion Campaign

A sophisticated extortion campaign has targeted 110,000 domains by exploiting misconfigured AWS environment files, security firm Cyble reports. The attackers scanned for exposed .env files containing cloud access keys and other sensitive data. Organizations that failed to secure their AWS environments found their S3-stored data replaced with ransom notes.

The attackers used a series of API calls to verify data, enumerate IAM users, and locate S3 buckets. Though initial access lacked admin privileges, they created new IAM roles to escalate permissions. Cyble researchers noted the attackers' use of AWS Lambda functions for automated scanning operations.

Is "unsecured" the default state?

[Narcocide]

Unsecured AWS environments seems to be a persistent problem. Certainly the real problem is something systemic, like defaults that are even stupider than their customers. Kinda makes you wonder if Amazon gets their beak wet on these extortions...

Re:Is "unsecured" the default state?

[mukundajohnson]

The default is no public access. You need to turn it on. I'm imagining that these victims were hosting app pages on S3, and stupidly had their .env file with API keys in plain view

Re:Is "unsecured" the default state?

[gweihir]

Indeed. It is _really_ easy to make mistakes when working on externally-facing services when you do not know what you are doing and do not understand what exactly will be visible. I guess there are a few organizations more now that found out that clueless, cheap "engineers" can make things really expensive.

Cutting out the IT operations people caused it

[will4]

The skeleton crew, only need developers and 1 QA person of many cloud projects is one of the causes of the security problems.

The companies are expecting developers to do what was multiple persons full time jobs with extensive technical knowledge of each and every person's job.

A small development team needs to do these jobs in addition to full stack development:

- Network engineer, firewall engineer
- It security ops
- It hardware/software/config operations
- Database administrator
- Web administrator

And in addition, have extensive technical knowledge of the development tools, languages, frameworks, dev environment, cloud platform APIs, ....

Re:

[gweihir]

Yes, pretty much. There are people that can do it, but a) they ask for a lot of money and b) they are few enough that _you_ will not get one anyways.

As attackers get more competent, the damage from asking too much from the people you have will raise.

Re:

[guruevi]

These kinds of attacks are really the lowest hanging fruit of the lowest hanging fruit. These are people that publish their code using personal public GitHub repo and in the public repo also store their settings, usernames, keys and passwords.

This is the thing any junior developer gets yelled at for in their first week or month, this means these have been things that were developed and go in production from very junior developers without testing, reviews etc.

Re:

[coofercat]

Maybe - but in this case, the skeleton crew were idiots. No one *ever* needs a .env file to use AWS. You *do* need something like awsume to give you temporary credentials, but you never, ever *need* a .env file. For production deploys, the secrets should be coming from somewhere else (eg. AWS Secrets Manager), or via Instance Profiles or whatever - again, absolutely no need to ever use a .env file.

Further more, if ever you check secrets into any source code repository, you need to rotate those secrets. You

Re:

[Darinbob]

Which is why so many companies are desparately looking for the cheap engineers that know what they are doing. When they find it, it will eclipse even the AI hype to cause stocks to surge.

Wondering if the bad guys also used AWS

[thesjaakspoiler]

to store all that stolen data.
Amazon cashing in twice with this all this misery.

Re:

[geekmux]

to store all that stolen data.

Can you imagine the hacker who wrote ransom_note.txt getting back to the stolen data folder to find not_my_ransom_note.txt sitting there? Oh the hilarity..

Another 110K organizations that have learned ...

[flatulus]

.. the dark underbelly of putting your crown jewels in an Internet-accessible place.

Re:

[bloodhawk]

people that do this sort of shit with keys and secrets it doesn't matter where they store the date, it is just a matter of time before they fuck up monumentally and someone takes advantage of it.

don't commit .env files to version control

[ZipNada]

"the researchers suggested cloud users don't commit .env files to version control". Wow what a novel concept! Don't commit all your secret goodies along with all the source and build so everything can be scooped up in a breach.

And then we see that AWS utilities themselves were used "to enumerate the IAM users in the AWS account, and the ListBuckets API request to find all the S3 buckets". And "were able to create new AWS Lambda functions for their automated scanning operation".

Way to go AWS!

Re:

[gweihir]

"the researchers suggested cloud users don't commit .env files to version control". Wow what a novel concept! Don't commit all your secret goodies along with all the source and build so everything can be scooped up in a breach.

Indeed. A shorter version would be: "have a clue what you are doing when working on externally-visible stuff". But I guess that is too much to ask for these days.

Re:

[Luckyo]

To be fair, a lot of current "modern day" teaching of IT is so abstracted from actual things being done, it's not surprising that some people don't do their own research and trust in the teaching system to teach them everything important.

Re:

[gweihir]

Yes. And that is why we need to get rid of these semi-skilled people and require real qualifications. Any other engineering field has those. And liability, in many cases _personal_ liability, e.g. when you lie about your qualifications.

Re:

[Luckyo]

You'd have to rehaul the entire Western education system for that, and then have at least one generational shift to generate new people who actually care about how things they do relate to observable reality. As detachment from reality started with social sciences in early 1980s, and this particular rot progressed from there to everything else to the point where we don't have enough people who care about observable reality rather than various utopian visions that only exist in their heads to replace utopian

Re:

[StormReaver]

And liability, in many cases _personal_ liability....

Everyone who brings this up keeps ignoring how IT people have little to no say in how or why things get done. Holding them responsible for failures in which they had no say is a great way to bring an entire industry to a screeching halt.

Re:

[stabiesoft]

I believe what they were suggesting is something like PE certifications required for civil. If it required a PE type cert to do AWS cloud access setup then it would happen. It would require congressional action in the US I believe. I'm not positive, but I thought someone with a PE was required to sign off on most construction of bridges, commercial and possibly residential buildings. As an example of the sort of legal liability of civil, the pedestrian bridge collapse in FL resulted in the bankruptcy of the

Re:

[gweihir]

As IT becomes necessary for day to day safety and operation of the world, I don't see it as a reach to require the same sorts of requirements that we place on other industries. The crowdstrike fiasco, the pipeline fiasco, the innumerable hospitals that have been breached, the water system breaches, ... I was actually surprised nothing happened after the pipeline breach. But I guess its going to take something like a whole town the size of Houston to be poisoned by a water system breach to have something happen. Its tech, break the rules/norms and ask forgiveness later.

Exactly. The cost of bad IT is raising and raising. Sure, most is paid for by society and not the perpetrators, but things are slowly becoming worse and worse and will be unsustainable in the not too distant future. As to disaster, the historic precedent seems to be that an engineering discipline gets a push for required qualification after 100...1000 people have died in a specific disaster. The damage bad IT does is mostly hidden, but thing of the total MS Outlook Online compromise last years (due to total

Re:

[stabiesoft]

What is particularly crazy to me is a license is required to cut hair or do nails. They may even require a written or performance test. Cutting hair for gods sake. And nothing for something that shutdown an airline for days and a pipeline for I think over a week. And only by luck a couple water treatment incidents that did not kill anyone because they caught it quick.

Re:

[gweihir]

Yep. IT is getting more and more insane.

Re:

[gweihir]

There is no way around it. Mess up your calculations as a construction engineer, people die when the building collapses and it turns out you did not have the specific qualifications needed? Go to prison. Guess how many construction engineers are willing o do calculations outside of their areas of expertise...

The IT field needs something similar. This is not about errors, everybody makes these. This is about being incompetent while doing expert work. And yes, it seems the IT industry will need to grind to a

Re:

[MooseTick]

Few understand before they start taking classes, but Computer Science degrees aren't very useful for day to day operations. This isn't new. Many disciplines are similar. Yes, many employers want employees to have educations that are at best indirectly useful.

Re:

[Luckyo]

That depends on the degree, and time you got it.

Physics degree from 1980s? Very useful for doing physics.

Social sciences degree with 2020s? Not worth the paper it's printed on.

Re:

[Darinbob]

Education and Experience are both necessary. If one is lacking, and there's no sufficient oversight, then it can lead to a lot of problems. This isn't just about IT, or computer science, or whatnot, but it's true in any field. You can always get more education and more experience though, so it shouldn't be a problem - except that modern companies want the cheapest labor possible, even for mission critical operations.

Re:

[Darinbob]

"But profits would plummet!" -- Monty Python
"Move fast and break things!" -- Mark Thingbreaker

Does not sound very sophisticated...

[gweihir]

More like people that screwed up massively try to make the attacker seem more sophisticated than they really are. It does sound pretty devastating though for those that have no clue how to secure their cloud account and that have no working BCM planning.

"The cloud, where you can be clueless and still be secure!" seems to be what too many people are thinking.

Re:

[StormReaver]

The cloud, where you can be clueless and still be secure!

That was the majority of the pitch for cloud services, with the myth of cheap, instant scaling being the rest. Anyone who uses someone else's infrastructure for critical operations should just save time and broadcast their business secrets to the world on day one.

Re:

[Darinbob]

"It's safe! Only Bob has the necessary 6 character password to change things, and he seems like a safe guy."

Re:Why doesn't the AWS system flag obvious errors?

[storagedude]

I've often wondered this too - AWS certainly has the capability to spot misconfigurations so why not help out customers? The "shared responsibility" model could use a little more sharing, just sayin'

Nelson says... haaa haaa.

[Big Hairy Gorilla]

God you people are dumb as stones trusting Amazon. and Microsoft. and Apple. Adobe.....[ your favourite company here ]
Check to see if your balls are still there. No?! Quel surprise.
Knock on your skull. Hear that hollow sound?
Turns out putting all your eggs in one basket ... ummm.. bucket... get it?... wasn't such a great idea after all.

In case Garbz is reading this, Yes, I have my own private datacentres.
Now go back to being chumpz.

Now, I'm going to read the post on how Microsoft is forcing Recall down your