AWS customers were hit by a major cyberattack, with stolen credentials then stored in plain sight

Researchers find vulnerabilities in public sites that expose sensitive information
They later discovered a campaign that took advantage of the flaws to exfiltrate data from “millions of websites.”
The crooks sold the data on the dark web for ‘hundreds of euros’

Misconfigured cloud instances have once again been exploited to steal sensitive information such as credentials, API keys and more.

This time the victims were numerous Amazon Web Services (AWS) customers who don’t seem to understand the shared responsibility model of cloud infrastructure.

In August 2024, independent security researchers Noam Rotem and Ran Loncar discovered exposed vulnerabilities in public sites that can be exploited to gain access to sensitive customer data, infrastructure credentials, and proprietary source code.

Selling the data on Telegram

Further investigation revealed that French-speaking threat actors, possibly linked to the hacking groups Nemesis and ShinyHunters, scanned “millions of websites” and used the vulnerabilities to extract sensitive data.

The information retrieved this way included AWS customer keys and secrets, database data, Git data and source code, SMTP data (for sending email), API keys for services such as Twilio, Binance and SendGrid, SSH credentials, cryptocurrency-related keys and mnemonics. and other sensitive access credentials (e.g. for CPanel, Googling third party accounts and services). Some victims were identified for apparent security reasons but not named in the report.

The miscreants then sold the archives through a special Telegram channel and earned ‘hundreds of euros per breach’. Good, because they’ll probably need the money for legal advice once they’re arrested and tried.

“Our investigation has identified the names and contact information of several individuals behind this incident,” investigators said. “This could help in further actions against the perpetrators.”

Rotem and Loncar reported their findings first to Israel’s Cyber Directorate and later to AWS Security. The two “immediately began taking action” to mitigate the risk, although AWS emphasized that the vulnerability was not in the system, but rather in the way customers were using it:

“The AWS Security team emphasized that this operation does not pose a security issue for AWS, but rather is on the customer side of the shared responsibility model – a statement we fully agree with,” vpnMentor said in its report.

Cybersecurity professionals continually warn that cloud misconfigurations are one of the top reasons for breaches. Ironically, hackers don’t seem to heed these warnings either, as researchers found all the stolen files – in an unprotected AWS database.

“The data collected from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by the owner,” it said. “The S3 bucket was used as a ‘shared disk’ between the members of the attack group, based on the source code of the tools they used.”

Finally, on November 9, AWS reported that it had “handled the issue.”