Massive NHI Attack: 230 Million Cloud Environments Were Compromised
Published 09/27/2024
Originally published by Astrix.
Massive NHI Attack: Insecure AWS Stored Credentials Lead to Compromise of 230 Million Cloud Environments. Researchers from Unit 42 have uncovered a sophisticated and large-scale cyberattack targeting over 230 million AWS, cloud and SaaS environments. The attack exploited exposed environment variable files (.env) commonly stored insecurely on web servers. These files contained sensitive credentials, including AWS keys, database passwords, and API tokens, which the attackers used to gain unauthorized access to numerous cloud environments.
Read more to learn about the exact flow of the attack and get 4 practical tips on minimizing your attack surface.
Campaign Rundown
Discovery and Tactics
The campaign was initially uncovered during an investigation into a compromised AWS environment being used to scan other domains. The attackers were found to have collected .env files from approximately 110,000 domains, exposing over 90,000 unique environment variables. Among these were 1,185 AWS access keys, OAuth tokens for PayPal, GitHub, and HubSpot, and webhooks for Slack and other services.
Exploiting Misconfigurations
The attackers used a combination of automated tools and deep AWS knowledge to compromise the targeted environments. They began by running AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets to identify the capabilities of the stolen credentials. Although the initial IAM roles they acquired lacked full administrative privileges, they escalated their privileges by creating new IAM roles with administrator rights.
The attackers then deployed AWS Lambda functions to automate the scanning of additional domains for exposed .env files. This recursive scanning allowed them to access even more credentials and deepen their infiltration across multiple AWS regions. Notably, their primary target was Mailgun credentials, likely intended for use in a large-scale phishing campaign.
Data Exfiltration and Ransom
Once they accessed S3 buckets, the attackers used the S3 Browser tool to exfiltrate data. After downloading the data, they deleted it and left ransom notes, demanding payment to prevent the release or sale of the stolen information. The ransom notes were sometimes sent directly to company shareholders, adding extra pressure.
Despite efforts to conceal their operations through Tor nodes and VPNs, the attackers occasionally connected directly from IP addresses in Ukraine and Morocco, leaving a digital trail.
Stay Safe, Keep Your NHIs Secure
To reduce the risk of exploitation and minimize the impact of attacks, organizations should build an NHI security program that focuses on the following initiatives:
1. Reduce NHI exploit opportunities:
- Least-privileged NHIs: Apply the principle of least privilege to all non-human identities (NHIs) in your environment to reduce the potential blast radius if an attacker takes over an NHI.
- Minimize attack Surface: Regularly decommission unused NHIs to eliminate unnecessary access points that attackers could exploit.
- Automate remediation of the above: Implement ongoing automated processes to continuously identify and remediate misconfigured, over-privileged and unused NHIs, taking the burden off you security staff.
2. Prevent attacker lateral movement by removing exposed secrets:
Attackers move laterally by taking over NHIs found in a compromised environment. Make their life hard.
3. Scan for Exposed Secrets:
Conduct routine scans to detect exposed NHIs that could facilitate lateral movement within your AWS environment or across to other environments. Remediate by addressing leaks and rotating exposed secrets.
4. Detect active threats and mitigate them:
Even if you’ve taken protective measures, always assume that a breach might still happen. To effectively detect and respond to breaches in real-time, organizations should implement the following strategies:
- Anomaly detection: Leverage advanced anomaly detection systems to identify unusual activity that may indicate attacker abuse of credentials. This is particularly critical for detecting misuse of secrets found in AWS.
- Revoke or rotate compromised credentials: Act quickly to revoke or rotate any credentials that have been exposed or show signs of anomalous behavior.
Related Articles:
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Why Application-Specific Passwords are a Security Risk in Google Workspace
Published: 11/19/2024
Group-Based Permissions and IGA Shortcomings in the Cloud
Published: 11/18/2024