Crooks exploit AWS misconfigurations to steal data (BTW Media)
- Cybercriminals exploited misconfigured websites to steal AWS credentials and sensitive data, using open S3 buckets for storage.
- The breach highlights the importance of proper cloud security configurations and adhering to the shared responsibility model between providers and customers.
- Attackers linked to ShinyHunters and Nemesis cybercrime groups utilized open-source tools to scan millions of AWS IP addresses for exposed credentials.
What happened: ShinyHunters-linked crooks store stolen AWS credentials and secrets in open S3 buckets
A large-scale cyber attack targeted AWS customers: cybercriminals exploited misconfigurations in public websites to steal AWS credentials and other sensitive data. The attackers, linked to the ShinyHunters and Nemesis cybercrime groups, accessed over two TB of data, including source code, database credentials, and email service keys. The criminals used open S3 buckets, misconfigured by their victims, to store the stolen data. Researchers Noam Rotem and Ran Locar discovered the breach during scans for insecure cloud environments and reported it to AWS and the Israeli Cyber Directorate. The breach continued for several months, with the attackers using a variety of open-source tools and exploits to scan millions of AWS IP addresses for exposed credentials and secrets.
Why it’s important
This breach highlights a critical vulnerability in cloud security: the shared responsibility model between cloud providers and their customers. Although AWS provides a secure infrastructure, customers are responsible for ensuring proper configuration and handling of sensitive data. The attackers exploited misconfigured public websites to steal credentials, keys, and secrets, emphasizing the risk of poor data management.
A key issue was the criminals’ use of open S3 buckets to store over two TB of stolen data. This exposed the attackers’ infrastructure and underscored the dangers of unsecured cloud storage. Furthermore, the involvement of major cybercrime groups like ShinyHunters illustrates the sophisticated nature of these attacks. This breach serves as a reminder of the importance of securing AWS credentials and using tools like AWS Secrets Manager to prevent exposure.
Cloud users need to adhere to security best practices, such as regularly auditing their cloud environments, securing sensitive data, and ensuring that credentials are not hardcoded in code or repositories. By following these precautions, the risks associated with cloud misconfigurations can be minimized, helping prevent breaches of this scale.
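One way to run the hardcoded-credential check recommended above over a web root or repository before it is published. This is an added example, not code from the article or the researchers; the function names, the regex heuristics and the sample file are assumptions made for illustration, and the sample uses the example credentials from AWS's own documentation rather than real keys.

```python
import re
from pathlib import Path

# Access key IDs are 20 characters with an AKIA (long-term) or ASIA (temporary) prefix.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-like characters. To limit false positives they are
# only flagged on lines that mention "secret" (a heuristic chosen for this example).
SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SKIP_SUFFIXES = {".png", ".jpg", ".gif", ".ico", ".woff", ".woff2", ".zip"}

def redact(value):
    """Keep just enough of a finding to locate it without re-leaking it in reports."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text, source="<memory>"):
    """Return (source, line_no, kind, redacted_value) for each suspected credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID.finditer(line):
            findings.append((source, no, "access_key_id", redact(m.group())))
        if "secret" in line.lower():
            for m in SECRET.finditer(line):
                findings.append((source, no, "secret_access_key", redact(m.group())))
    return findings

def scan_tree(root):
    """Scan every non-binary file under root, e.g. a web root before deployment."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() not in SKIP_SUFFIXES:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings

# Constructed sample: a .env file left inside a publicly served directory.
SAMPLE_ENV = """\
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal.example
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV, "public/.env"):
        print(*finding, sep="\t")
```

Any finding should be treated as a compromised credential: rotate the key and move the value into a secrets store such as AWS Secrets Manager, rather than only deleting the file.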