Security is an exercise in managing risk. Reviewing the common root causes of security incidents is an effective way to guide prioritized remediation efforts.
This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause. It excludes incidents involving exposed data stores (e.g. S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like nagwww's s3-leaks repo, UpGuard's reports, Hackmageddon's annual rollup reports (2022) and Corey Quinn's LWIAWS S3 Bucket Negligence Award.
It also excludes incidents impacting individuals, such as the periodic reports of cryptomining due to compromised credentials.
This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems, our goal is to learn from incidents without an atmosphere of blame.
A repository of breaches of AWS customers
Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver’s licenses from S3 hosted database prunes | Exclusive: In lawsuit over hacking, Uber probes IP address assigned to Lyft exec - sources , A blameless post-mortem of USA v. Joseph Sullivan |
Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | BrowserStack analysis |
DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
Uber | 2016, October | ~13 Hacked Uber credentials purchased for forum gave access to private Github Repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup | Uber concealed cyberattack ..., A blameless post-mortem of USA v. Joseph Sullivan |
Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | 2 Plead Guilty in 2016 Uber and Lynda.com Hacks |
OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
Dataspline | 2017, Unknown | Monero miner in container base image dependency | N/A | Monero cryptojacking | LinkedIn post from co-founder |
DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instances started | Cryptomining | DXC spills AWS private keys on public GitHub |
Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking | FEDERAL TRADE COMMISSION - Drizly Complaint |
LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency |
Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) | FTC Complaint |
imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | Disclosure of Security Incidents on imToken |
Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Imperva Security Update |
Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption | First Republic Bank |
Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | Washington State OAG - Live Auctioneers |
Twilio | 2020, July | S3 global write access | N/A | Magecart | Incident Report: TaskRouter JS SDK Security Incident |
Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users data exfiltrated | FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers |
Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884 |
LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 |
HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | Aruba Central Security Incident |
Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
Eye Care Leaders | 2021, December | Unknown | Unknown | deleted databases and system configuration files, potential theft of 1.5M patient records | Augusta University Health - Breach Disclosure [PDF] |
Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users data (from 2015) | npm security update: Attack campaign using stolen OAuth tokens |
Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | Uber - Security update |
Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM User) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database | Notice of Recent Security Incident, Incident 2 – Additional details of the attack |
Sonder | 2022, November | Unknown | Unknown | Theft of customer information, attempted extortion | Security Update, Breach Notification |
Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information | Breach Notification Statement, Uber suffers new data breach after attack on vendor, info leaked online |
CommuteAir | 2023, January | Publicly Exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List | how to completely own an airline in 3 easy steps, U.S. airline accidentally exposes ‘No Fly List’ on unsecured server |
Cloudflare | 2023, November | Pivot from Okta compromise due to un-rotated access token | N/A | N/A | Cloudflare - Thanksgiving 2023 security incident |
Sisense | 2024, April | Credentials stolen from Gitlab repository | N/A | Terabytes of customer data exfiltrated from S3 | Why CISA is Warning CISOs About a Breach at Sisense |
pcTattletale | 2024, May | Application vulnerability disclosed root AWS keys | N/A | Data published publicly | Spyware app pcTattletale was hacked and its website defaced, defaced site |
Report | Date | Root Cause | Escalation or Persistence Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Mandiant M-Trends 2020 | 2020, February | Credentials stolen from GitHub repository commit history | Takes snapshot of EBS volumes, creates EC2 instances, exfiltrates data over SSH | Stolen EBS volumes | M-Trends 2020 |
TeamTNT Worm | 2020, April | Misconfigured Docker & k8s platforms | Steals AWS credentials from ~/.aws/* | Cryptojacking for Monero | Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera” |
Expel case study 1 | 2020, April | 8 IAM access keys compromised | Backdoored security groups | Command line access to EC2 instances | Finding evil in AWS: A key pair to remember |
Expel case study 2 | 2020, July | Root IAM user access key compromised | SSH keys generated for EC2 instances | Cryptojacking | Behind the scenes in the Expel SOC: Alert-to-fix in AWS |
Mandiant: Insider Threat Scenario | 2020, September | Fired employee uses credentials | Access CI/CD server, create a new user, steal credentials | Deleted production databases | Cloud Breaches: Case Studies, Best Practices, and Pitfalls |
FireEye M-Trends 2021 case study | 2021, April | Use of SSH key by former employee | Creates users and EC2 instances | Deleted RDS backups | M-Trends 2021 |
DarkLab case study | 2021, July | Jenkins RCE | Create IAM users, use S3 Browser tool | Use environment to launch scanning, nuked account | Trouble in Paradise |
Expel case study 3 | 2022, April | Credentials in publicly available code repository | AttachUserPolicy used for privesc | Cryptojacking (prevented) | Incident report: From CLI to console, chasing an attacker in AWS |
Permiso case study 1 | 2022, June | Gitlab vulnerability (CVE-2021-22205) | Credentials on the system found, used to create a backup user | Cryptojacking | Anatomy of an Attack: Exposed keys to Crypto Mining |
Clearvector case study | 2022, August | ADFS pivot into IAM Identity Center | N/A | N/A | Auditing identity activity for NOBELIUM and MagicWeb in AWS |
Positive Thinking Company case study | 2022, June | Unknown | N/A | Cryptojacking | Mitigating a crypto jacking incident on an AWS machine from the earliest stages |
Palo Alto Unit 42 | 2022, December | Code execution in Lambda context | Exfiltrate credentials from envvars | SES abuse for phishing | Compromised Cloud Compute Credentials: Case Studies From the Wild |
Permiso case study 2 | 2022, December | Exploit publicly facing software, mainly Jupyter notebooks or k8s | N/A | Credential Theft | Cloud Cred Harvesting Campaign - Grinch Edition |
Crowdstrike | 2022, December | Exploit known ForgeRock CVE | aws_consoler used to obtain pivot to console sessions without MFA | N/A | Analysis of an Intrusion Campaign Targeting Telco and BPO Companies |
Expel case study 4 | 2023, January | Publicly exposed Postman server with access key credentials stored in the project’s variables | N/A | (likely) AWS SES abuse (prevented) | Incident report: stolen AWS access keys |
Cado Security and Invictus Incident Response | 2023, January | N/A | | | Responding to an attack in AWS, Part 2 |
AWS | 2023, February | Key disclosure, or SSRF | N/A | N/A | The anatomy of ransomware event targeting data residing in Amazon S3 |
Sysdig | 2023, February | Exploit public facing k8s service | IAM creds in Lambda env vars and in S3 bucket | Data exfiltration | SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft |
Invictus IR | 2023, April | Exposed long-term credentials | CreateUser | Data exfiltration and deletion with ransom note | Ransomware in the cloud |
Unit 42 | 2023, April | SIM-swap grants access to 10 access keys in source code | CreateUser with increased permissions | Data exfiltration and deletion with ransom note | From SIM-Swap to Data Leak on the Dark Web |
Unit 42 | 2023, April | SSRF via known CVE and IMDSv1 | Backdoored IAM role | Cryptojacking, outbound DDOS | From Misconfigured Firewall to Cryptojacking Botnet |
Mitiga (RSAC) #1 | 2023, April | Company repository w/ AWS keys merged to personal github | N/A | N/A | It’s Getting Real & Hitting the Fan: 2023 Edition |
Mitiga (RSAC) #2 | 2023, April | Unknown root cause of access key compromise | N/A | Shared AMIs publicly for exfil | It’s Getting Real & Hitting the Fan: 2023 Edition |
Kroll #1 | 2023, April | Third party compromised | N/A | Redirect DNS and Email | Effective AWS Incident Response: Examples and Recommendations |
Kroll #2 | 2023, April | Internal network compromised | Lateral movement into cloud, years of persistence | Data Exfiltration | Effective AWS Incident Response: Examples and Recommendations |
S2W Talon "Donjuji" | 2023, May | Development server with exposed environment variables containing IAM user credentials | N/A | Stole data from S3 | Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company |
Checkmarx | 2023, June | S3 bucket serving npm package bignum hijacked | N/A | Credential theft | Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers |
SentinelOne | 2023, June | CVE-2022-47986 | N/A | N/A | Anatomy of a Cloud Incident \| SentinelOne’s Vigilance vs. IceFire Ransomware |
Sysdig | 2023, July | Exploit public facing Jupyter Notebook in k8s | IAM creds, including via IMDSv2. Privilege escalation via IAM misconfiguration. Access key persistence | Cryptojacking | SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto |
CrowdStrike | 2023, August | Exploiting RCE in a custom PHP web application | IAM creds, including via IMDS. Lateral movement via SSM | Unknown | 2023 Threat Hunting Report |
Unit42 | 2023, August | Exploiting SugarCRM zero day | Access keys on EC2 hosts, Pacu + Scoutsuite scanning | DB data exfiltration | When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability |
AWS | 2023, August | Compromise of federated user via unknown means | Access keys on EC2 hosts, Pacu + Scoutsuite scanning | DB data exfiltration | Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 1: On the hunt for credentials |
AWS | 2023, August | RCE via unintentionally exposed port in ECS task definition | N/A | Cryptojacking | Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 2: More instances for crypto mining |
Security Joes | 2023, September | Exploited a vulnerable version of MinIO on an AWS EC2 instance via evil_minIO | Network reconnaissance, create Windows accounts | Unknown | New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services |
Unit42 | 2023, October | Credentials exposed on Github | Create EC2 instances | Monero Cryptojacking | CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys |
Reliaquest | 2023, November | Spearphishing | Hijacked Citrix VDI | Data theft (LastPass export in S3 bucket) | Scattered Spider Attack Analysis |
Datadog #1 | 2024, January | Leaked IAM User Key | created administrator IAM user | S3 data exfiltration, attempted cryptomining | Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining |
Datadog #2 | 2024, January | Leaked IAM User Key | N/A | Cryptomining (via ECS Fargate, XMRig) | Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining |
Invictus IR | 2024, January | Exposed IAM User (Administrator) Access Key | created administrator IAM user, added access keys for existing users, created externally assumable role | Cryptomining, SES spam/phishing, phishing infrastructure (domains) | The curious case of [email protected] |
Stephen Berger (InfoGuardAG) | 2024, February | Unknown | N/A | S3 Ransomware (deleted buckets) | AWS Ransomware |
Sysdig | 2024, March | Exploited vulnerable Laravel + Wordpress | N/A | Meson CDN cryptomining | Cloud Threats deploying Crypto CDN |
Datadog | 2024, March | Compromised Credentials | N/A | AWS SNS SMS Phishing | Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns |
Mandiant | 2024, April | Phishing leads to compromise of credentials in former employee's personal Google Drive | N/A | S3 data exfiltration and "Ransomware" (deleted buckets) | Cloud compromises: Lessons learned from Mandiant investigations in 2023 - Incident Response Case Study #4 |
Sysdig | 2024, May | Exploited known vulnerable Laravel (CVE-2021-3129) | N/A | LLMJacking | LLMjacking: Stolen Cloud Credentials Used in New AI Attack |
Lacework | 2024, June | Stolen or compromised credentials | Create new console user | LLMJacking | Detecting AI resource-hijacking with Composite Alerts |
Datadog | 2024, June | Stolen or compromised credentials | N/A | LLMJacking | Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets |
Yotam Meitar (Wiz) | 2024, June | Compromised vulnerable application (k8s Pod) | Exploit overprivileged secrets access to retrieve IDP-related credentials | S3 data exfiltration and "Ransomware" | Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study |
Unit42 | 2024, August | Exposed AWS credentials | N/A | S3 data exfiltration and extortion | Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware |
Permiso | 2024, October | Stolen or compromised credentials | N/A | LLMJacking | When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying |
Datadog | 2024, December | Stolen or compromised credentials | Create new role assumable by attacker account | Targeting SES | Tales from the cloud trenches: Unwanted visitor |
Wiz | 2024, December | Stolen or compromised credentials | Create new users and access keys | LLMJacking | New Developments in LLM Hijacking Activity |
More information on these actors is available on malpedia.
Report | Takeaways |
---|---|
Palo Alto Unit 42: Cloud Threat Report H2 2020 | Unit 42 research shows that cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure |
Accenture: Cyber Threat Intelligence Report Volume 2 - 2021 | Cloud environments were and continue to be attractive targets, perhaps due to lower monitoring levels than on-premise environments. ... cloud-related malware has evolved faster than more traditional malware in 2021 based on analysis of the rate of code changes between cryptominers (a primary malware malicious actors deploy in compromised cloud environments) compared to code changes in botnets and ransomware ... Accenture observed ransomware and extortion operators targeting cloud infrastructure and hosted backups in attempts to increase operational impact |
Fugue: The State of Cloud Security 2021 | N/A |
IBM Security: 2021 X-Force Cloud Threat Landscape Report | The three most commonly observed methods for threat actors to compromise cloud environments in cases studied by X-Force IR were password spraying, software vulnerability, and pivoting from an on-premise compromise to the cloud |
IDC for Ermetic: State of Cloud Security 2021 | Most organizations (63%) confirmed that their sensitive data has been exposed in the cloud |
Snyk: State of Cloud Native Application Security 2021 | Over 56% experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications |
GCP: November 2021 Cloud Threat Intelligence report | Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining |
AWS: 2022 re:Inforce session on ransomware h/t Rich Mogull | Ransomware is a common problem for AWS customers, stemming from two common exploit vectors: (1) A traditional ransomware attack against instances in AWS. The attacker compromises an instance (often via phishing a user/admin, not always direct compromise), then installs their malware to encrypt the data and spread to other reachable instances. This is really no different than ransomware in a data center since it doesn’t involve anything cloud-specific. (2) The attacker copies data out of an S3 bucket and then deletes the original data. This is the most commonly seen cloud native ransomware on AWS. |
AWS: AWS CIRT announces the release of five publicly available workshops | Over the past year, AWS CIRT has responded to hundreds of such security events, including the unauthorized use of AWS Identity and Access Management (IAM) credentials, ransomware and data deletion in an AWS account, and billing increases due to the creation of unauthorized resources to mine cryptocurrency. |
CheckPoint: Cyber Security Report 2022 | Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers |
CrowdStrike: 2022 Global Threat Report | Cloud-related threats are particularly likely to become more prevalent and to evolve, given that targeted intrusion adversaries are expected to continue prioritizing targets that provide direct access to large consolidated stores of high-value data |
CrowdStrike: Protectors of the Cloud eBook | CrowdStrike continues to see adversary activity in three particular areas concerning the cloud: (1) neglected cloud infrastructure that is slated for retirement yet still contains sensitive data; (2) a lack of outbound restrictions and workload protection to exfiltrate your data; (3) adversaries leveraging common cloud services to obfuscate malicious activity |
Datadog: State of AWS Security 2022 | N/A |
ENISA Threat Landscape 2022 | Cybercriminals target cloud services mostly in the following ways. • Exploiting cloud vulnerabilities: virtualisation infrastructure has been increasingly targeted (e.g. VMWare vSphere and ESXi platforms) by cybercriminals and especially by ransomware groups. • Using cloud services for hosting their infrastructure: cybercriminals take advantage of the highly scalable and reliable cloud infrastructure and use legitimate cloud services to bypass security controls by blending into normal network traffic. • Targeting cloud credentials: cybercriminals use social engineering attacks to harvest credentials for cloud services (e.g. Microsoft Office 365, Okta, etc.). • Exploiting misconfigured image containers: cybercriminals increasingly target poorly configured Docker containers and Kubernetes clusters. • Targeting cloud instances for cryptomining (e.g. TeamTNT group): security researchers have identified a cloud-focused toolset from the TeamTNT group. • Targeting cloud infrastructure (e.g. Azure AD), cloud application programming interfaces (APIs), and cloud-hosted backups by ransomware groups to infiltrate cloud environments and increase impact. |
Expel: Q1 2022 Threat Report | Misconfigurations and exposed long-term credentials in Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounted for 3% of incidents. These incidents break down into two categories: (1) admins accidentally setting AWS S3 buckets to public; (2) threat actors gaining access to exposed long-lived credentials in AWS and GCP, which resulted in unauthorized access |
Fidelis: 2022 AWS Cloud Security Report | For the 31% of organizations that experienced a security incident in the cloud, misconfiguration was the leading cause (28%), followed by inappropriately shared data (17%) and account compromise (15%). Exploited vulnerabilities account for 13% of incidents |
GCP: July 2022 Cloud Threat Intelligence report | the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password ... close behind brute force attacks was the exploitation of vulnerable software |
IBM: Cost of a Data Breach 2022 | 45% of breaches were cloud-based. Stolen or compromised credentials were the number one attack vector in the past two years. Following credentials, the next most common initial attack vectors were: second place, phishing (16% of breaches, $4.91M average cost); third place, cloud misconfigurations (15% of breaches, $4.14M average cost); fourth place, third-party software vulnerability (13% of breaches, $4.55M average cost) |
IBM Security X-Force: 2022 Cloud Threat Landscape Report | Scanning for and exploiting vulnerable infrastructure was the most commonly observed initial access vector in cloud environments, based on X-Force responding to related cases. This vector represented the initial infection vector for 26% of cloud incidents. Stolen credential use was the second most observed at 9%. |
(ISC)2: 2022 Cloud Security Report | We asked cybersecurity professionals about the cloud security threats that most concern them. Misconfiguration of cloud security remains the biggest cloud security risk according to 62% of cybersecurity professionals in our survey. This is followed by insecure interfaces/APIs (54%), exfiltration of sensitive data (51%) and unauthorized access (50%). |
Orca: 2022 State of Public Cloud Security | N/A |
Palo Alto Unit 42: Incident Response Threat Report 2022 | Nearly 65% of known cloud security incidents were due to misconfigurations. The main culprit? IAM configuration. |
riskrecon: Cloud Risk Surface Report | N/A |
Snyk: State of cloud security 2022 | 80% of organizations experienced a serious cloud security incident during the last year - 33% breach, 26% leak, 27% intrusion, 23% cryptomining |
Trend Micro: 2022 Midyear Cybersecurity Report | 62% of the respondents admitted to having blind spots that weaken their security posture. 37% of the organizations also claimed to have the least insight into cloud assets. 35% said the same of their insights into networks, while 32% responded that they have the least insight into their end-user assets. |
Wiz: 2022 cloud security threats report | Effectively, unintentionally exposed databases are one of the most common sources of data breaches |
GCP: GCAT Threat Horizons January 2023 | The most common cloud compromise factors from Q3 2022 include Weak or No Credentials (41.1%), API Compromise (19.6%), Software issue (17.9%), and Misconfiguration (16.1%) |
Wiz: State of the Cloud 2023 | In experiments we ran where we created S3 buckets ... we spotted attempts to list the contents of the S3 buckets in as little as 13 hours |
Permiso: 2022 - End of Year Observations | All of the incidents we detected and responded to were a result of a compromised credential ... GitHub is still one of the primary sources ... The majority of exposed keys live in three main file types: APKs, Windows Binaries, Plain Text Files |
GCP: GCAT Threat Horizons April 2023 | The most common cloud compromise factors from Q4 2022 include Weak or No Credentials (47.8%), API Compromise (19.6%), Software issue (13.0%), and Misconfiguration (10.9%) |
Orca: 2023 Honeypotting in the Cloud Report | SSH honeypot within 4 minutes, but no attempts to use planted key. S3 bucket within 1 hour, key within 8 hours. Docker image never downloaded. ECR public registry accessed after four months. Elasticsearch scanned, but no attempts to use planted key. Public EBS backup never downloaded. Redis accessed after 2.5 hours, but no attempts to use planted key |
Laminar: State of Public Cloud Data Security Report 2023 | More than three-fourths (77 percent) of respondents said their organization’s public cloud data has been accessed by an adversary in the last 12 months |
GCP: GCAT Threat Horizons August 2023 | The most common cloud compromise factors from Q1 2023 include Weak or No Credentials (54.8%), Misconfiguration (19%), Sensitive UI or API exposure (11.9%) |
CrowdStrike: 2023 Threat Hunting Report | 160% increase in attempts to abuse cloud instance metadata APIs. 95% increase in cloud exploitation in 2022. 3X increase in cases involving cloud-conscious threat actors in 2022. |
Dig Security: The State of Cloud Data Security 2023 | More than 7% of storage services containing sensitive data are public. More than 60% of storage services are not encrypted at rest, and almost 70% lack comprehensive logging. |
Wiz: I know what you mined last summer | Six cases via Open Jupyter Notebook, two via Unpatched Apache Solr. XMRig, CCminer, and XMR-Stak-RX deployed. |
GCP: GCAT Threat Horizons October 2023 | The most common cloud compromise factors from Q2 2023 include Weak or No Credentials (54.3%), Misconfiguration (15.2%), Sensitive UI or API exposure (15.2%), Vulnerable Software (10.9%). ~70% of attacks are intended to facilitate coin mining. |
GCP: GCAT Threat Horizons H1 2024 | The most common cloud compromise factors from 2023 include Weak or No Credentials (51.1%), Misconfiguration (17.3%), Sensitive UI or API exposure (13.7%), Vulnerable Software (11.5%). ~66% of attacks are intended to facilitate coin mining. ~25% of attacks are intended to then target third parties. |
Palo Alto Unit 42: Incident Response Threat Report 2024 | "we’ve seen an increase in incident responses involving cloud cases, from 6% in 2021 to 16.6% in 2023." "Visibility gaps also led to unnecessary resource exposure, such as internet-exposed remote desktops or inadequately secured cloud workloads. These exposures contributed to 9.6% of cases." |
CrowdStrike: 2024 Global Threat Report | Cloud environment intrusions increased by 75% YoY. 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime. |
Cado: H2 2023 Cloud Threat Findings Report | Attackers are getting more sophisticated around Docker, Jupyter, etc. Docker is ~90% of non-SSH honeypot traffic. Diversifying (non-cryptojacking) objectives. |
AWS, Ben Fletcher: Security Lessons Learnt From The Cloud Frontline | Leaked credentials are the initial vector in 66% of incidents; 33% of these credentials are root. 13% of incidents involve public EC2 instances. The goals are resource hijacking, ransom (delete + extort), and scorched earth |
Red Canary: 2024 Threat Detection Report | Cloud Accounts was the fourth most prevalent ATT&CK technique we detected this year, increasing 16-fold in detection volume and affecting three times as many customers as last year ... expanded use of phishing kits and infostealers to collect credentials and/or MFA-signed access tokens |
GCP: GCAT Threat Horizons H2 2024 | The most common initial vectors in H1 2024 include Weak or No Credentials (47.2%) and Misconfiguration (30.3%). ~59% of attacks are intended to facilitate coin mining. ~23.5% of attacks are intended to then target third parties. |
Orca: 2024 State of Public Cloud Security | "87% of cloud malware attacks are via known Trojans." |
Crowdstrike, Sebastian Walla: Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) | ~250 cloud cases in 2023, 1/3 of which involve "cloud-conscious" threat actors. Initial access: Valid Accounts (28%), Exploit Public-Facing Application (16%) |
Sysdig: 2024 Global Threat Report | "Many of the attacks Sysdig TRT captured this year were motivated by income generation and free access to otherwise expensive resources". LLMJacking "can run victims over $100,000 daily" |
Expel: Quarterly Threat Report (QTR) for Q3 2024 | "Incidents in cloud infrastructures (AWS, GCP, Azure, and Kubernetes) made up only 2% of the total incident volume. This has stayed consistent over the last few quarters" |
Cowbell Insurance: Cyber Roundup Report 2024 | "Analysis relating to cloud provider usage found that businesses using Google Cloud report a 28% lower frequency of cyber incidents relative to other cloud users. In addition to a reduced frequency of incidents, Google Cloud exhibits the lowest severity of cyber incidents, while Microsoft Azure shows the highest." |
Tenable: Cloud Risk Report 2024 | "38% of organizations have at least one cloud workload that is publicly exposed, critically vulnerable and highly privileged. 84.2% possess unused or longstanding access keys with critical or high severity excessive permissions." |
Date | Vulnerability | Reference |
---|---|---|
2014, Dec | Credentials leaked in Github | My AWS Account Got Compromised |
2016, Dec | Credentials leaked in npm package | Security Incident - AWS S3 Access Key Exposure |
2019, Feb | 4,648 unique AWS Access Key IDs in Github | How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories |
2019, May | Credentials leaked in exposed GitLab instance | Samsung spilled SmartThings app source code and secret keys |
2019, May | Credentials leaked in Github | AWS secret key and NPM token leaked in MEW GitHub repos |
2020, Feb | Credentials leaked in repository | Access to Glassdoor's Infra (AWS) and BitBucket account through leaked repo |
2020, Sep | ~25,000 AWS Access Keys exposed via Github | Reliaquest - Access Keys Exposed: More Than 40% Are For Database Stores |
2021, Jan | AWS Access Tokens in Public AMI Images | Hunting for Sensitive Data in Public Amazon Images (AMI) |
2021, Apr | Subdomain takeover, deleted EC2 instance | Subdomain takeover of www2.growasyouplan.com |
2021, Oct | AWS Creds hardcoded in MSI | Hardcoded AWS credentials in ███████.msi |
2021, Nov | Potential subdomain takeover, dangling CNAME | Possible Domain Takeover on AWS Instance |
2021, Nov | Subdomain takeover, deleted S3 bucket | Subdomain takeover of images.crossinstall.com |
2021, Dec | Account takeover via Cognito user email change | Flickr Account Takeover using AWS Cognito API |
2022, May | Malicious update to ctx Python library | Malicious Python library CTX removed from PyPI repo |
2022, Sep | 1,859 Android and iOS apps with AWS credentials | Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information |
2022, Oct | Subdomain takeover, deleted S3 bucket | Subdomain takeover at http://test.www.midigator.com |
2022, Nov | AWS credentials in string constant in public python package | Infosys leaked FullAdminAccess AWS keys on PyPi for over a year |
2022, Jan | NoSQL injection discloses S3 file upload URLs | NoSQL-Injection discloses S3 File Upload URLs |
2022, Sep | AWS credentials leaked in code repository | Shiba Inu cloud credentials leaked on a public repository! |
2022, Dec | Lack of forced verification on email update in AWS Cognito | Account Takeover Due to Cognito Misconfiguration Earns Me €xxxx |
2023, Jan | AWS credentials found in 57 PyPi packages | I scanned every package on PyPi and found 57 live AWS keys |
2023, Jan | AWS credentials disclosed in client-side source | Owning half of a government assets through AWS |
2023, Feb | RCE in Lambda function with access to AWS credentials via /proc/*/environ | Facebook bug: A Journey from Code Execution to S3 Data Leak |
2023, Mar | Staging environment file leaked, revealing AWS Access Keys and Secrets | Saudi social media app leaks user info and pictures |
2023, Mar | Passive subdomain takeover | Passive Takeover - uncovering (and emulating) an expensive subdomain takeover campaign |
2023, Mar | 550 IPs vulnerable to SSRF via Host header, likely due to a vulnerable Lightsail image | Finding Hundreds of SSRF Vulnerabilities on AWS |
2023, Jun | Credentials in node env file in public S3 bucket | TripValet.com Leaks Passwords and Stripe Credentials |
2023, Jul | 1,213 AWS Secrets in Docker images | Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact |
2023, Jul | 650 publicly exposed RDS snapshots | Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots |
2023, Aug | Over-privileged cloud credentials in 1,667 mobile applications | Credit Karma: Understanding Security Implications of Exposed Cloud Services through Automated Capability Inference |
2023, Aug | librsvg memory leakage exposes Basecamp AWS keys | AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp |
2023, Sep | 11-12 AWS credentials in .git of Alexa Top 1M | 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets |
2023, Oct | over 140 unique active, plaintext credentials to third-party services like OpenAI, AWS, GitHub, and others in Kaggle data | Analyzing the Security of Machine Learning Research Code |
2023, Nov | 2,897 AWS Access Tokens in StackExchange dataset | I analyzed stackoverflow |
2024, Feb | Access Key exposed in HTML | Football Australia leak exposes players’ details |
2024, Mar | Write permissions to S3 bucket, upload JS that steals credentials | From S3 bucket to internal network operation |
2024, Apr | AWS credentials leaked on Postman’s Public API Network | (The) Postman Carries Lots of Secrets |
2024, Apr | 3 AWS Credentials leaked in public Gists in a seven day period | Do Secrets Leak on Public GitHub Gists in 2024? |
2024, May | over 200 valid AWS credentials in Public AMI Images | AWS CloudQuarry: Digging for Secrets in Public AMIs |
2024, May | Bitbucket secured variables leak AWS keys in plain text through artifact objects | Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets |
2024, May | Publicly traded company exposed 8m+ PII records in DocumentDB Snapshot | Publicly Exposed AWS Document DB Snapshots |
2024, July | Kubernetes escape in SAP AI Core allowed access to Loki config, leaking AWS credentials with access to S3 | SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts |
2024, July | Leaked Secrets in Public Jenkins Logs, including 6 AWS keys | Leaked Secrets in Public Jenkins Logs |
2024, July | Hard-coded AWS credential in JS | how to pwn a billion dollar vc firm using inspect element |
2024, August | Leaked secrets via Virustotal's Retrohunt, Passive DNS "more than 78,000 dangling cloud resources linked to 66,000 apex domains" | Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All, Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale |
2024, August | 1,185 leaked AWS Access Keys in exposed .env | Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments |
2024, October | Hardcoded AWS Access Keys in mobile apps | Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps |
2024, October | Numerous leaked credentials scraped from exposed .git configurations | EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files |
2024, December | 1,526 leaked AWS credentials via environment files (.env), configuration files, exposed git repositories (.git), etc. | From Vulnerabilities to Breaches: The Shiny Nemesis Cyber Operation |
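Most rows in the table above are the same failure: an access key ID and secret committed to a repository, baked into an image or app, or left in an exposed `.env`. The following is an added example, my own code rather than anything from this repository or the write-ups it links, showing the detection logic a practitioner runs over such files, plus the offline triage step of working out which AWS account a found key ID belongs to (the same answer `aws sts get-access-key-info` gives, without calling the API). The sample `.env` is constructed; its key IDs are the AWS documentation placeholder and one built here from the account ID 123456789012, so nothing in it is a live credential. Function names (`scan_text`, `account_id_from_key_id`, `make_key_id`) are mine.

```python
"""Added example (not code from this repository): scan text for AWS access key
IDs and secret-key candidates, and attribute each key ID to its AWS account
offline. Sample input below is constructed."""
import base64
import re

# Long-lived (AKIA) and temporary/STS (ASIA) key IDs are 20 characters: a
# 4-character prefix followed by 16 base32 characters (A-Z, 2-7).
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z2-7]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-style characters. Only flag them inside an
# assignment whose name mentions AWS and "secret", to keep noise down.
SECRET_RE = re.compile(
    r"(?i)aws[_a-z]*secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Of the first 6 bytes of the decoded key ID, bit 47 and the low 7 bits are
# not part of the account number; this mask keeps the 40 bits that are.
ACCOUNT_MASK = 0x7FFFFFFFFF80


def account_id_from_key_id(key_id: str) -> int:
    """Recover the 12-digit account ID encoded in an AKIA/ASIA key ID.

    Lets a key found in a public repo be attributed to an account before
    anyone touches the key itself. Raises ValueError on a malformed ID.
    """
    raw = base64.b32decode(key_id[4:])        # 16 base32 chars -> 10 bytes
    head = int.from_bytes(raw[:6], "big")       # only the first 6 bytes matter
    return (head & ACCOUNT_MASK) >> 7


def make_key_id(account_id: int, prefix: str = "AKIA") -> str:
    """Inverse of account_id_from_key_id; used here only to build the sample."""
    body = (account_id << 7).to_bytes(6, "big") + b"\x00" * 4
    return prefix + base64.b32encode(body).decode("ascii")


def scan_text(text: str) -> list[dict]:
    """Return every key ID and secret-key candidate in `text`, with the owning
    account for each key ID and whether it is a temporary (ASIA) credential."""
    findings = []
    for m in KEY_ID_RE.finditer(text):
        key_id = m.group(0)
        try:
            account = account_id_from_key_id(key_id)
        except ValueError:                    # base32 alphabet/padding error
            account = None
        findings.append({
            "kind": "access_key_id",
            "value": key_id,
            "account_id": account,
            "temporary": key_id.startswith("ASIA"),
        })
    for m in SECRET_RE.finditer(text):
        findings.append({"kind": "secret_access_key", "value": m.group(1)})
    return findings


# Constructed .env in the shape of the "exposed .env" incidents above. The
# first key ID equals make_key_id(123456789012); the second is the AWS
# documentation placeholder; the secret is the documentation placeholder.
SAMPLE_ENV = """\
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIABZPUZDIKAAAAAAAA
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder key ID embedded in a connection string
S3_URL=s3://AKIAIOSFODNN7EXAMPLE:redacted@bucket/path
DB_PASSWORD=not-an-aws-key-AKIA123
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print(finding)
```

Run it as a script to see the findings for the constructed file; in practice the same `scan_text` is pointed at every blob in a repository's history, every layer of a container image, and CI log output, since the table shows all three leaking keys. Attribution by account ID is what turns a hit into an action: it tells you whose key to rotate without first using it.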
Server-side request forgery (SSRF) is a class of attack that is not cloud or AWS specific. However, the existence of cloud metadata services, such as IMDS in AWS, has historically allowed for substantial and straightforward impact when SSRF is achieved against a cloud-hosted application: a request the attacker steers to 169.254.169.254 returns the instance role's temporary credentials. For that reason, we include this list of SSRF attacks against AWS environments.
- October 2014 - Prezi Got Pwned: A Tale of Responsible Disclosure
- Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite
- ESEA Server-Side Request Forgery and Querying AWS Meta Data
- A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF
- Dropbox - Full Response SSRF via Google Drive
- Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
- SSRF leads to access AWS metadata.
- Escalating SSRF to RCE
- SSRF Leads To AWS Metadata Exposure
- How I discovered an SSRF leading to AWS Metadata Leakage
- Exploitation of an SSRF vulnerability against EC2 IMDSv2
- Mozilla - AWS SSRF to Pull AWS Metadata and Keys
- Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion
- SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
- Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure
- SSRF via Office file thumbnails
- Getting AWS creds via SSRF on rss.app
- AWS takeover through SSRF in JavaScript
- Yahoo Small Business (Luminate) and the Not-So-Secret Keys
- Bug Bounty Story: Escalating SSRF to RCE on AWS
- A Nifty SSRF Bug Bounty Write Up
- Mozilla Hubs Cloud: cloud api credentials exposure
- Lacework Labs: New surge in AWS credential compromises tied to Grafana SSRF attacks
- EC2 User-data to RCE
- Server Side Request Forgery (SSRF) via Analytics Reports
- SSRF to read AWS metaData at https://█████/ [HtUS]
- SSRF on █████████ Allowing internal server data access
- The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise
For more about this attack, please see Hacking the Cloud - Steal EC2 Metadata Credentials via SSRF
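Nearly every write-up above reaches the metadata service because the application fetched a user-supplied URL with no check on where it actually pointed. The following is an added example, my own code rather than anything from this repository or the linked write-ups, of the outbound-URL guard that would have blocked those requests: it resolves what the URL would connect to and refuses the EC2 IMDS addresses (169.254.169.254 and fd00:ec2::254), the ECS task credential endpoint (169.254.170.2), and other link-local, loopback and RFC 1918 space, including the integer, hex and IPv4-mapped-IPv6 spellings of the metadata address that bypass naive string matching. The function names and the resolver table are mine; the stub resolver exists only so the example runs offline with constructed DNS data.

```python
"""Added example (not code from this repository): an SSRF guard that checks
the resolved destination of a user-supplied URL against cloud metadata and
internal ranges. Resolver data below is constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",     # IMDS, ECS credential endpoint, all other link-local
    "fd00:ec2::254/128",  # IMDS over IPv6
    "fe80::/10",
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
)]


def canonical_addresses(host, resolver=socket.getaddrinfo):
    """Every IP address `host` may connect to.

    IP literals are normalised through inet_aton/ip_address so that the
    integer (2852039166), hex (0xa9fea9fe) and dotted spellings of
    169.254.169.254 all come out the same; names go to the resolver, and
    every returned address is checked, not just the first.
    """
    host = host.strip("[]")
    try:
        return [ipaddress.IPv4Address(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(sockaddr[0])
            for _family, _type, _proto, _canon, sockaddr in resolver(host, None)]


def is_blocked(addr):
    """True if `addr` falls in a blocked range. IPv4-mapped IPv6 such as
    ::ffff:169.254.169.254 is unwrapped first so it cannot dodge the v4 list."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_safe_outbound_url(url, resolver=socket.getaddrinfo):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = canonical_addresses(parts.hostname, resolver)
    except (OSError, ValueError):      # resolution failed or unparsable literal
        return False
    return bool(addrs) and not any(is_blocked(a) for a in addrs)


def stub_resolver(table):
    """Build a getaddrinfo-compatible resolver from a constructed name->IPs table."""
    def resolve(host, port, *args, **kwargs):
        if host not in table:
            raise socket.gaierror(f"constructed resolver has no entry for {host}")
        return [(socket.AF_INET6 if ":" in ip else socket.AF_INET,
                 socket.SOCK_STREAM, 0, "", (ip, 0)) for ip in table[host]]
    return resolve


# Constructed DNS data: one ordinary API host and one whose answer mixes a
# public address with the metadata address (the shape of a rebinding attack).
DEMO_RESOLVER = stub_resolver({
    "api.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.10", "169.254.169.254"],
})

if __name__ == "__main__":
    for url in (
        "https://api.example.com/v1/report",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://0xa9fea9fe/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://169.254.170.2/v2/credentials/",
        "http://rebind.example.com/",
        "file:///etc/passwd",
    ):
        print("allow" if is_safe_outbound_url(url, DEMO_RESOLVER) else "block", url)
```

Two caveats the write-ups above bear out. First, validating a URL and then handing it to an HTTP client that re-resolves the name and follows redirects reopens the hole (several entries in the list are exactly a 301 to the metadata address), so connect to the address you validated and disable redirects. Second, this guard is defense in depth, not a substitute for IMDSv2: v2 requires a PUT with a token header before any metadata read, which a GET-only SSRF cannot issue, and a hop limit of 1 keeps the token from leaving the instance, so requiring it (and disabling v1) is the control that removes the "straightforward impact" described above.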
The initial data was collected for a talk at BSidesCT 2020: Learning from AWS (Customer) Security Incidents (slides here). A follow-up talk was given at OWASP DevSlop in May 2022 (video, slides).
Postmortem Culture: Learning from Failure
Note: There have been numerous identified incidents of Magecart exploiting S3 Global Write - in one review targeting "well over 17,000 domains"