AWS customers hit by major cyberattack which then stored stolen credentials in plain sight

Data leak
(Image credit: Shutterstock)

  • Researchers find vulnerabilities in public sites that exposed sensitive information
  • They later discovered a campaign using the flaws to exfiltrate data from "millions of websites"
  • The crooks were selling the data on the dark web for "hundreds of euros"

Misconfigured cloud instances have once again been abused to steal sensitive information such as login credentials, API keys, and more.

This time around, the victims were countless Amazon Web Services (AWS) customers who don’t seem to understand the shared responsibility model of cloud infrastructure.

In August 2024, independent security researchers Noam Rotem and Ran Loncar uncovered vulnerabilities in public sites that could be abused to access sensitive customer data, infrastructure credentials, and proprietary source code.

Selling the data on Telegram

Further investigation determined French-speaking threat actors, possibly linked to Nemesis and ShinyHunters hacking groups, were scanning “millions of websites” and using the vulnerabilities to extract sensitive data.

The information pulled this way included AWS customer keys and secrets, database credentials, Git credentials and source code, SMTP credentials (for email sending), API keys for services like Twilio, Binance, and SendGrid, SSH credentials, cryptocurrency-related keys and mnemonics, and other sensitive access credentials (e.g., for CPanel, Google accounts, and third-party services). Some victims were identified, but not named in the report, for obvious security reasons.

The miscreants were then selling the archives in a dedicated Telegram channel, earning “hundreds of euros per breach.” Good, since they will probably need the money for legal counsel, once they’re arrested and tried.

“Our investigation has identified the names and contact information of some of the individuals behind this incident,” the researchers said. “This may assist in further actions against the perpetrators.”

Rotem and Loncar reported their findings, first to the Israeli Cyber Directorate, and later to AWS Security. The two “began to take immediate actions” to mitigate the risk, although AWS stressed that the vulnerability was not in the system, but rather in the way customers were using it:

“The AWS Security team emphasized that this operation does not present a security concern to AWS, rather, it is on the customer side of the shared responsibility model — a statement that we fully agree with,” vpnMentor said in its report.

Cybersecurity pros are constantly warning about cloud misconfigurations being one of the key reasons for breaches. Ironically enough, hackers don’t seem to be heeding these warnings, either, since the researchers found all of the stolen files - in an unprotected AWS database.

“Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner,” it was said. “The S3 bucket was being used as a "shared drive" between the attack group members, based on the source code of the tools used by them.”

Ultimately, AWS reported “handling the issue” on November 9.

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.