Skip to content

ramimac/aws-customer-security-incidents

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

Background

Security is an exercise in managing risk. Reviewing the common root causes of security incidents is an effective way to guide prioritized remediation efforts.

This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause. It will exclude incidents involving exposed data stores (e.g S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like nagwww's s3-leaks repo, upguard's reports, hackmeggedon's annual rollup reports (2022) and Corey Quinn's LWIAWS S3 Bucket Negligence Award.

It also excludes incidents impacting individuals, such as the periodic reports of cryptomining due to compromised credentials. 1 2 3

A Note on Blameless Postmortems

This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems 1, our goal is to learn from incidents without an atmosphere of blame.

Catalog of AWS Customer Security Incidents

A repository of breaches of AWS customers

Name Date Root Cause Escalation Vector(s) Impact Link to details
Uber 2014, May Github Gist (data analysis script) with AWS credentials N/A 50,000 records, including names and driver’s licenses from S3 hosted database prunes Exclusive: In lawsuit over hacking, Uber probes IP address assigned to Lyft exec - sources , A blameless post-mortem of USA v. Joseph Sullivan
Code Spaces 2014, June AWS Console Credentials (Phishing?) Attacker created additional accounts/access keys Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots Hacker puts code spaces out of business
BrowserStack 2014, November Shellshock on exposed, outdated prototype machine Access keys on server, used to create IAM user, create EC2, and mount backup Steal user data and email users BrowserStack analysis
DNC Hack by the GRU 2016, June Unknown, test clusters breached EC2 Snapshots copied to attacker AWS accounts Tableau and Vertica Queries DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION
DataDog 2016, July CI/CD AWS access key and SSH private key leaked Attacker attempted to pivot with customer credentials 3 EC2 instances and subset of S3 buckets 2016-07-08 Security Notice
Uber 2016, October ~13 Hacked Uber credentials purchased for forum gave access to private Github Repo with AWS credentials N/A Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup Uber concealed cyberattack ..., A blameless post-mortem of USA v. Joseph Sullivan
Lynda.com 2016, December Private Github Repo with AWS credentials N/A User data for 9.5m users, attempted extortion 2 Plead Guilty in 2016 Uber and Lynda.com Hacks
OneLogin 2017, May AWS keys Created EC2 instances Accessed database tables (with encrypted data) May 31, 2017 Security Incident
Politifact 2017, October "Misconfigured cloud computing server" N/A Coinhive cryptojacking Hackers have turned Politifact’s website into a trap for your PC
Dataspline 2017, Unknown Monero miner in container base image dependency N/A Monero cryptojacking LinkedIn post from co-founder
DXC Technologies 2017, November Private AWS key exposed via Github 244 EC2 instance started Cryptomining DXC spills AWS private keys on public GitHub
Drizly 2018 AWS Credentials committed to public github repo N/A Cryptojacking FEDERAL TRADE COMMISSION - Drizly Complaint
LA Times 2018, February S3 global write access N/A Cryptojacking Coinhive cryptojacking added to homicide.latimes.com
Tesla 2018, February Globally exposed Kubernetes console, Pod with AWS credentials N/A Cryptojacking Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency
Chegg 2018, April Former contractor abuses broadly shared root credential Unknown 40 million users' data (from S3 bucket) FTC Complaint
imToken 2018, June Email account compromise Reset AWS account password Minimal customer device data Disclosure of Security Incidents on imToken
Voova 2019, March Stolen credentials by former employee N/A Deleted 23 servers Sacked IT guy annihilates 23 of his ex-employer’s AWS servers
Capital One 2019, April "Misconfigured WAF" that allowed for a SSRF attack Over-privileged EC2 Role 100 million credit applications A Technical Analysis of the Capital One Cloud Misconfiguration Breach
JW Player 2019, September Weave Scope (publicly exposed), RCE by design N/A Cryptojacking How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters
Malindo Air 2019, September Former employee insider threat N/A 35 million PII records Malindo Air: Data Breach Was Inside Job
Imperva 2019, October “Internal compute instance” globally accessible, “Contained” AWS API key N/A RDS snapshot stolen Imperva Security Update
Cameo 2020, February Credentials in mobile app package N/A Access to backend infrastructure, including user data Celeb Shout-Out App Cameo Exposes Private Videos and User Data
Open Exchange Rates 2020, March Third-party compromise exposing access key N/A User database Exchange rate service’s customer details hacked via AWS
First Republic Bank 2020, March Fired employee incompletely offboarded N/A System interruption First Republic Bank
Live Auctioneers 2020, July Compromised third party software granting access to cloud environment N/A User database, including MD5 hashed credentials Washington State OAG - Live Auctioneers
Twilio 2020, July S3 global write access N/A Magecart2 Incident Report: TaskRouter JS SDK Security Incident
Natures Basket responsible disclosure 2020, July Hard-coded root keys in source code exposed via public S3 bucket N/A N/A GotRoot! AWS root Account Takeover
Drizly 2020, July Inactive Github account compromised via reused password, granting AWS credential access in source code N/A RDS Instance with 2.5 million users data exfiltrated FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
Cryptomining AMI 2020, August Windows 2008 Server Community AMI N/A Monero miner Cryptominer Found Embedded in AWS Community AMI
Animal Jam 2020, November Slack compromise exposes AWS credentials N/A User database Kids' gaming website Animal Jam breached
Cisco 2020, December Former employee with AWS access 5 months post-resignation N/A Deleted ~450 EC2 instances Former Cisco engineer sentenced to prison
Juspay 2021, January Compromised old, unrecycled Amazon Web Services (AWS) access key N/A Masked card data, email IDs and phone numbers Data from August Breach of Amazon Partner Juspay Dumped Online
20/20 Eye Care Network and Hearing Care Network 2021, January Compromised credential N/A S3 buckets accessed then deleted 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets
Sendtech 2021, February (Current or former employee) Compromised credentials Created additional admin account Accessed customer data in S3 PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884
LogicGate 2021, April Compromised credentials N/A Backup files in S3 stolen Risk startup LogicGate confirms data breach
Ubiquiti 2021, April Compromised credentials from IT employee Lastpass (alleged former employee insider threat) N/A root administrator access to all AWS accounts, extortion Ubiquiti All But Confirms Breach Response Iniquity
Uran Company 2021, July Compromised Drupal with API keys N/A Cryptomining Clear and Uncommon Story About Overcoming Issues With AWS
redoorz.com 2021, September Access Key leaked via APK N/A Customer database stolen PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057
HPE Aruba 2021, October Unknown exposure of Access Key N/A Potential access to network telemetry and contact trace data Aruba Central Security Incident
Kaspersky 2021, November Compromised SES token from third party N/A Phishing attacks Kaspersky's stolen Amazon SES token used in Office 365 phishing
Eye Care Leaders 2021, December Unknown Unknown deleted databases and system configuration files, potential theft of 1.5M patient records Augusta University Health - Breach Disclosure [PDF]
Onus 2021, December Log4Shell vulnerability in Cyclos server AmazonS3FullAccess creds (and DB creds) in Cyclos config 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. The attack on ONUS – A real-life case of the Log4Shell vulnerability
Flexbooker 2021, December Unknown Unknown 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords Booking management platform FlexBooker leaks 3.7 million user records
npm 2022, April Third party OAuth token compromise granting private repository access, containing AWS keys Unknown 100k users data (from 2015) npm security update: Attack campaign using stolen OAuth tokens
Uber 2022, September Contractor account compromise leading to AWS credential discovery on a shared drive Unknown N/A Uber - Security update
Lastpass 2022, October Stole source code and accessed development environment via compromised developer account (an IAM User) Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data Internal and customer data broadly compromised, including backups of MFA database Notice of Recent Security Incident,Incident 2 – Additional details of the attack
Sonder 2022, November Unknown Unknown Theft of customer information, attempted extortion Security Update, Breach Notification
Teqtivity (Uber Vendor) 2022, December Unknown Unknown "AWS backup server" with device and user information Breach Notification Statement, Uber suffers new data breach after attack on vendor, info leaked online
CommuteAir 2023, January Publicly Exposed Jenkins with hardcoded credentials N/A 2019 FAA No Fly List how to completely own an airline in 3 easy steps, U.S. airline accidentally exposes ‘No Fly List’ on unsecured server
Cloudflare 2023, November Pivot from Okta compromise due to un-rotated access token N/A N/A Cloudflare - Thanksgiving 2023 security incident
Sisense 2024, April Credentials stolen from Gitlab repository N/A Terabytes of customer data exfiltrated from S3 Why CISA is Warning CISOs About a Breach at Sisense
pcTattletale 2024, May Application vulnerability disclosed root AWS keys N/A Data published publicly Spyware app pcTattletale was hacked and its website defaced, defaced site

Vendor-reported AWS Customer Security Incident Case Studies

Report Date Root Cause Escalation or Peristence Vector(s) Impact Link to details
Mandiant M-Trends 2020 2020, February Credentials stolen from GitHub repository commit history Takes snapshot of EBS volumes, creates EC2 instances, exfiltrates data over SSH Stolen EBS volumes M-Trends 2020
TeamTNT Worm 2020, April Misconfigured Docker & k8s platforms Steals AWS credentials from ~/.aws/* Cryptojacking for Monero Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera”
Expel case study 1 2020, April 8 IAM access keys compromised Backdoored security groups Command line access to EC2 instances Finding evil in AWS: A key pair to remember
Expel case study 2 2020, July Root IAM user access keycompromised SSH keys generated for EC2 instances Cryptojacking Behind the scenes in the Expel SOC: Alert-to-fix in AWS
Mandiant: Insider Threat Scenario 2020, September Fired employee uses credentials Access CI/CD server, create a new user, steal credentials Deleted production databases Cloud Breaches: Case Studies, Best Practices, and Pitfalls
FireEye M-Trends 2021 case study 2021, April Use of SSH key by former employee Creates users and EC2 instances Deleted RDS backups M-Trends 2021
DarkLab case study 2021, July Jenkins RCE Create IAM users, use S3 Browser tool Use environment to launch scanning, nuked account Trouble in Paradise
Expel case study 3 2022, April Credentials in publicly available code repository AttachUserPolicy used for privesc Cryptojacking (prevented) Incident report: From CLI to console, chasing an attacker in AWS
Permiso case study 1 2022, June Gitlab vulnerability (CVE-2021-22205) Credentials on the system found, used to create a backup user Cryptojacking Anatomy of an Attack: Exposed keys to Crypto Mining
Clearvector case study 2022, August ADFS pivot into IAM Identity Center N/A N/A Auditing identity activity for NOBELIUM and MagicWeb in AWS
Positive Thinking Company case study 2022, June Unknown N/A Cryptojacking Mitigating a crypto jacking incident on an AWS machine from the earliest stages
Palo Alto Unit 42 2022, December Code execution in Lambda context Exfiltrate credentials from envvars SES abuse for phishing Compromised Cloud Compute Credentials: Case Studies From the Wild
Permiso case study 2 2022, December Exploit publicly facing software, mainly Jupyter notebooks or k8s N/A Credential Theft Cloud Cred Harvesting Campaign - Grinch Edition
Crowdstrike 2022, December Exploit known ForgeRock CVE aws_consoler used to obtain pivot to console sessions without MFA N/A Analysis of an Intrusion Campaign Targeting Telco and BPO Companies
Expel case study 4 2023, January Publicly exposed Postman server with access key credentials stored in the project’s variables N/A (likely) AWS SES abuse (prevented) Incident report: stolen AWS access keys
Cado Security and Invictus Incident Response 2023, January N/A Responding to an attack in AWS, Part 2
AWS 2023, February Key disclosure, or SSRF N/A N/A The anatomy of ransomware event targeting data residing in Amazon S3
Sysdig 2023, February Exploit public facing k8s service IAM creds in Lambda env vars and in S3 bucket Data exfiltration SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
Invictus IR 2023, April exposed long-term credentials CreateUser data exfiltration and deletion with ransom note Ransomware in the cloud
Unit 42 2023, April sim-swap grants access to 10 access keys in source code CreateUser with increased permissions data exfiltration and deletion with ransom note From SIM-Swap to Data Leak on the Dark Web
Unit 42 2023, April SSRF via known CVE and IMDSv1 Backdoored IAM role Cryptojacking, outbound DDOS From Misconfigured Firewall to Cryptojacking Botnet
Mitiga (RSAC) #1 2023, April Company repository w/ AWS keys merged to personal github N/A N/A It’s Getting Real & Hitting the Fan: 2023 Edition
Mitiga (RSAC) #2 2023, April Unknown root cause of access key compromise N/A Shared AMIs publicly for exfil It’s Getting Real & Hitting the Fan: 2023 Edition
Kroll #1 2023, April Third party compromised N/A Redirect DNS and Email Effective AWS Incident Response: Examples and Recommendations
Kroll #2 2023, April Internal network compromised Lateral movement into cloud, years of persistence Data Exfiltration Effective AWS Incident Response: Examples and Recommendations
S2W Talon "Donjuji" 2023, May Development server with exposed environment variables containing IAM user credentials N/A Stole data from S3 Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company
Checkmarx 2023, June S3 bucket serving npm package bignum hijacked N/A Credential theft Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers
SentinelOne 2023, June CVE-2022-47986 N/A N/A Anatomy of a Cloud Incident | SentinelOne’s Vigilance vs. IceFire Ransomware
Sysdig 2023, July Exploit public facing Jupyter Notebook in k8s IAM creds, including via IMDSv2. Privilege escalation via IAM misconfiguration. Access key persistence Cryptojacking SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto
CrowdStrike 2023, August Exploiting RCE in a custom PHP web application IAM creds, including via IMDS. Lateral movement via SSM Unknown 2023 Threat Hunting Report
Unit42 2023, August Exploiting SugarCRM zero day Access keys on EC2 hosts, Pacu + Scoutsuite scanning DB data exfiltration When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
AWS 2023, August Compromise of federated user via unknown means Access keys on EC2 hosts, Pacu + Scoutsuite scanning DB data exfiltration Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 1: On the hunt for credentials
AWS 2023, August RCE via unintentionally exposed port in ECS task definition N/A Cryptojacking Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 2: More instances for crypto mining
Security Joes 2023, Sep Exploited a vulnerable version of MinIO on an AWS EC2 instance via evil_minIO Network reconnaissance, create windows accounts Unknown New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services
Unit42 2023, Oct Credentials exposed on Github Create EC2 instances Monero Cryptojacking CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys
Reliaquest 2023, Nov Spearphishing Hijacked Citrix VDI Data theft (lastpass export in S3 bucket) Scattered Spider Attack Analysis
Datadog #1 2024, January Leaked IAM User Key created administrator IAM user S3 data exfiltration, attempted cryptomining Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining
Datadog #2 2024, January Leaked IAM User Key N/A Cryptomining (via ECS Fargate, XMRig) Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining
Invictus IR 2024, January Exposed IAM User (Administrator) Access Key created administrator IAM user, added access keys for existing users, created externally assumable role Cryptomining, SES spam/phishing, phishing infrastructure (domains) The curious case of [email protected]
Stephen Berger (InfoGuardAG) 2024, February Unknown N/A S3 Ransomware (deleted buckets) AWS Ransomware
Sysdig 2024, March Exploited vulnerable Laravel + Wordpress N/A Meson CDN cryptomining Cloud Threats deploying Crypto CDN
Datadog 2024, March Compromised Credentials N/A AWS SNS SMS Phishing Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns
Mandiant 2024, April Phishing leads to compromise of credentials in former employee's personal Google Drive N/A S3 data exfiltration and "Ransomware" (deleted buckets) Cloud compromises: Lessons learned from Mandiant investigations in 2023 - Incident Response Case Study #4
Sysdig 2024, May Exploited known vulnerable Laravel (CVE-2021-3129) N/A LLMJacking LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Lacework 2024, June Stolen or compromised credentials Create new console user LLMJacking Detecting AI resource-hijacking with Composite Alerts
Datadog 2024, June Stolen or compromised credentials N/A LLMJacking Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets
Yotam Meitar (Wiz) 2024, June Compromised vulnerable application (k8s Pod) Exploit overprivileged secrets access to retrieve IDP-related credentials S3 data exfiltration and "Ransomware" Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study
Unit42 2024, August Exposed AWS credentials N/A S3 data exfiltration and extortion Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware
Permiso 2024, October Stolen or compromised credentials N/A LLMJacking When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying
Datadog 2024, December Stolen or compromised credentials Create new role assumable by attacker account Targeting SES Tales from the cloud trenches: Unwanted visitor
Wiz 2024, December Stolen or compromised credentials Create new users and access keys LLMJacking New Developments in LLM Hijacking Activity

Catalog of AWS Threat Actors and their Tools

More information on these actors is available on malpedia.

Name Vectors Reports
8220 Gang Exploit outdated and misconfigured software JupiterOne - 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
AlienFox Opportunistic exploitation of server side misconfigurations, AWS SES-centric functionality Sentinel Labs - Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife
AMBERSQUID Cryptomining, distributed on Docker Hub, using non-EC2 services AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation
AndroxGh0st / Xcatze Exposed Laravel .env configs, use compromise for SES spam or malicious email Lacework Labs - AndroxGh0st: the python malware exploiting your AWS keys, CISA - Known Indicators of Compromise Associated with Androxgh0st Malware
Cloud Snooper Rootkit, AWS SSM for pivoting Sophos - Cloud Snooper Attack Bypasses AWS Security Measures, Pacific Rim: Inside the Counter-Offensive
Cosmic Wolf Credential compromise CrowdStrike - 2022 Global Threat Report
Demonia Lambda Malware Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
FBot AWS SES Abuse SentinelOne - Exploring FBot, Ian Ahl (tweet)
Greenbot Unknown, use compromise for SES spam or malicious email Our Approach to Detection: AndroxGh0st and GreenBot Edition
GUI-Vil Credential compromise and known vulnerabilities Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor
Kinsing Malware CyberArk - Kinsing: The Malware with Two Faces, Cloud Defense in Depth: Lessons from the Kinsing Malware, Looney Tunables Vulnerability Exploited by Kinsing, Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
LAPSUS$ / DEV-0537 phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval Microsoft - DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
Legion AWS SES Abuse Permiso - Legion: The Latest Threat in Mass Spam Attacks, Cado Security - Legion: an AWS Credential Harvester and SMTP Hijacker, Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker
P2PInfect P2P Redis botnet (11.2% AWS IPs) Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic
RBAC Buster Targeting k8s anonymous access, and use a ClusterRoleBinding and gain full access to the cluster with persistence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
Outlaw Targeting known CVEs or SSH bruteforce Outlaw Group Distributes Cryptocurrency-Mining Botnet
Predator AI Stealer and hacktool targets AWS SES ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms
Rocke Targeting known CVEs Cisco Talos - Rocke: The Champion of Monero Miners
Silentbob (TeamTNT or copycat) Exploit misconfigured docker and k8s Aqua Security - Threat Alert: Anatomy of Silentbob’s Cloud Attack, Permiso - Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead, SentinelOne - Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP, Datadog - An analysis of a TeamTNT doppelgänger
SNS Sender AWS SNS SMS Phishing Kit SentinelOne - SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud
Spoiled Scorpius (Distributors of RansomHub) "Delete backups from both on-premises and cloud storage" Unit 42: Ransomware Review: First Half of 2024
TeamTNT Exploit misconfigured docker and k8s MITRE ATT&CK - TeamTNT
Turla / Pensive Uras Stealer targets AWS credentials Appendix for "Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (aka Turla)"
UNC2903 SSRF (targeting known CVEs) Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
UNC3944 / Scattered Spider / Starfraud / Scatter Swine / Muddled Libra / LUCR-3 Social engineering, Accidental credential leakage CISA - Joint Advisory Scattered Spider, Mandiant - Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety, Reliaquest - Scattered Spider Attack Analysis, Crowdstrike - Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies, Unit42 - Muddled Libra’s Evolution to the Cloud, LUCR-3: Scattered Spider Getting SaaS-y in the Cloud, Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries
Watchdog Exploit misconfigured docker and k8s TeamTNT Returns – or Does It?

"State of the Cloud" Report Incident Takeaways

Report Takeaways
Palo Alto Unit 42: Cloud Threat Report H2 2020 Unit 42 research shows that cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure
Accenture: Cyber Threat Intelligence Report Volume 2 - 2021 Cloud environments were and continue to be attractive targets, perhaps due to lower monitoring levels than on-premise environments. ... cloud-related malware has evolved faster than more traditional malware in 2021 based on analysis of the rate of code changes between cryptominers (a primary malware malicious actors deploy in compromised cloud environments) compared to code changes in botnets and ransomware ... Accenture observed ransomware and extortion operators targeting cloud infrastructure and hosted backups in attempts to increase operational impact
Fugue: The State of Cloud Security 2021 N/A
IBM Security: 2021 X-Force Cloud Threat Landscape Report The three most commonly observed methods for threat actors to compromise cloud environments in cases studied by X-Force IR were password spraying, software vulnerability, and pivoting from an on-premise compromise to the cloud
IDC for Ermetic: State of Cloud Security 2021 Most organizations (63%) confirmed that their sensitive data has been exposed in the cloud
Snyk: State of Cloud Native Application Security 2021 Over 56% experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications
GCP: November 2021 Cloud Threat Intelligence report Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining
AWS: 2022 re:Inforce session on ransomware h/t Rich Mogull ransomware is a common problem for AWS customers, stemming from two common exploit vectors:
A traditional ransomware attack against instances in AWS. The attacker compromises an instance (often via phishing a user/admin, not always direct compromise), then installs their malware to encrypt the data and spread to other reachable instances. This is really no different than ransomware in a data center since it doesn’t involve anything cloud-specific.
The attacker copies data out of an S3 bucket and then deletes the original data. This is the most commonly seen cloud native ransomware on AWS.
AWS: AWS CIRT announces the release of five publicly available workshops Over the past year, AWS CIRT has responded to hundreds of such security events, including the unauthorized use of AWS Identity and Access Management (IAM) credentials, ransomware and data deletion in an AWS account, and billing increases due to the creation of unauthorized resources to mine cryptocurrency.
CheckPoint: Cyber Security Report 2022 Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers
CrowdStrike: 2022 Global Threat Report Cloud-related threats are particularly likely to become more prevalent and to evolve, given that targeted intrusion adversaries are expected to continue prioritizing targets that provide direct access to large consolidated stores of high-value data
CrowdStrike: Protectors of the Cloud eBook CrowdStrike continues to see adversary activity in three particular areas concerning the cloud:
Neglected cloud infrastructure that is slated for retirement yet still contains sensitive data
A lack of outbound restrictions and workload protection to exfiltrate your data
Adversaries leveraging common cloud services to obfuscate malicious activity
Datadog: State of AWS Security 2022 N/A
ENISA Threat Landscape 2022 Cybercriminals target cloud services mostly in the following ways.
* Exploiting cloud vulnerabilities: virtualisation infrastructure has been increasingly targeted (e.g. VMWare vSphere and ESXi platforms) by cybercriminals and especially by ransomware groups.
• Using cloud services for hosting their infrastructure: cybercriminals take advantage of the highly scalable and reliable cloud infrastructure and use legitimate cloud services to bypass security controls by blending into normal network traffic.
• Targeting cloud credentials: cybercriminals use social engineering attacks to harvest credentials for cloud services (e.g. Microsoft Office 365, Okta, etc.).
• Exploiting misconfigured image containers cybercriminals increasingly target poorly configured Docker containers and Kubernetes clusters.
• Targeting cloud instances for cryptomining (e.g. TeamTNT group): security researchers have identified a cloud-focused toolset from the TeamTNT group.
• Targeting cloud infrastructure (e.g. Azure AD), cloud application programming interfaces (APIs), and cloud-hosted backups by ransomware groups to infiltrate cloud environments and increase impact.
Expel: Q1 2022 Threat Report Misconfigurations and exposed long-term credentials in Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounted for 3% of incidents
These incidents break down into two categories:
1. Admins accidentally setting AWS S3 Buckets to Public
2. Threat actors gaining access to exposed long-lived credentials in AWS and GCP, which resulted in unauthorized access
Fidelis: 2022 AWS Cloud Security Report For the 31% of organizations that experienced a security incident in the cloud, misconfiguration was the leading cause (28%), followed by inappropriately shared data (17%) and account compromise (15%). Exploited vulnerabilities account for 13% of incidents
GCP: July 2022 Cloud Threat Intelligence report the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password ... close behind brute force attacks was the exploitation of vulnerable software
IBM: Cost of a Data Breach 2022 45% of Breaches Were Cloud-Based. Stolen or compromised credentials were the number one attack vector in the past two years. Following credentials, the next most common initial attack vectors were:
Second place: Phishing - 16% of breaches, $4.91M average costs
Third place: Cloud misconfigurations - 15% of breaches, $4.14M average costs
Fourth place: Third-party software vulnerability - 13% of breaches, $4.55M average costs
IBM Security X-Force: 2022 Cloud Threat Landscape Report Scanning for and exploiting vulnerable infrastructure was the most commonly observed initial access vector in cloud environments, based on X-Force responding to related cases. This vector represented the initial infection vector for 26% of cloud incidents. Stolen credential use was the second most observed at 9%.
(ISC)2: 2022 Cloud Security Report We asked cybersecurity professionals about the cloud security threats that most concern them. Misconfiguration of cloud security remains the biggest cloud security risk according to 62% of cybersecurity professionals in our survey. This is followed by insecure interfaces/APIs (54%), exfiltration of sensitive data (51%) and unauthorized access (50%).
Orca: 2022 State of Public Cloud Security N/A
Palo Alto Unit 42: Incident Response Threat Report 2022 Nearly 65% of known cloud security incidents were due to misconfigurations. The main culprit? IAM configuration.
riskrecon: Cloud Risk Surface Report N/A
Snyk: State of cloud security 2022 80% of organizations experienced a serious cloud security incident during the last year - 33% breach, 26% leak, 27% intrusion, 23% cryptomining
Trend Micro: 2022 Midyear Cybersecurity Report 62% of the respondents admitted to having blind spots that weaken their security posture. 37% of the organizations also claimed to have the least insight into cloud assets. 35% said the same of their insights into networks, while 32% responded that they have the least insight into their end-user assets.
Wiz: 2022 cloud security threats report Effectively, unintentionally exposed databases are one of the most common sources of data breaches
GCP: GCAT Threat Horizons January 2023 The most common cloud compromise factors from Q3 2022 include Weak or No Credentials (41.1%), API Compromise (19.6%), Software issue (17.9%), and Misconfiguration (16.1%)
Wiz: State of the Cloud 2023 In experiments we ran where we created S3 buckets ... we spotted attempts to list the contents of the S3 buckets in as little as 13 hours
Permiso: 2022 - End of Year Observations All of the incidents we detected and responded to were a result of a compromised credential ... GitHub is still one of the primary sources ... The majority of exposed keys live in three main file types: APKs, Windows Biaries, Plain Text Files
GCP: GCAT Threat Horizons April 2023 The most common cloud compromise factors from Q4 2022 include Weak or No Credentials (47.8%), API Compromise (19.6%), Software issue (13.0%), and Misconfiguration (10.9%)
Orca: 2023 Honeypotting in the Cloud Report SSH honeypot within 4 minutes, but no attempts to use planted key. S3 bucket within 1 hour, key within 8 hours. Docker image never downloaded. ECR public registry accessed after four months. Elasticsearch scanned, but no attempts to use planted key. Public EBS backup never downloaded. Redis accessed after 2.5 hours, but no attempts to use planted key
Laminar: State of Public Cloud Data Security Report 2023 More than three-fourths (77 percent) of respondents said their organization’s public cloud data has been accessed by an adversary in the last 12 months
GCP: GCAT Threat Horizons August 2023 The most common cloud compromise factors from Q1 2023 include Weak or No Credentials (54.8%), Misconfiguration (19%), Sensitive UI or API exposure (11.9%)
CrowdStrike: 2023 Threat Hunting Report 160% increase in attempts to abuse cloud instance metadata APIs. 95% increase in cloud exploitation in 2022. 3X increase in cases involving cloud-concious threat actors in 2022.
Dig Security: The State of Cloud Data Security 2023 More than 7% of storage services containing sensitive data are public. More than 60% of storage services are not encrypted at rest, and almost 70% lack comprehensive logging.
Wiz: I know what you mined last summer Six cases via Open Jupyter Notebook, two via Unpatched Apache Solr. XMRig, CCminer, and XMR-Stak-RX deployed.
GCP: GCAT Threat Horizons October 2023 The most common cloud compromise factors from Q2 2023 include Weak or No Credentials (54.3%), Misconfiguration (15.2%), Sensitive UI or API exposure (15.2%), Vulnerable Software (10.9%). ~70% of attacks are intended to facilitate coin mining.
GCP: GCAT Threat Horizons H1 2024 The most common cloud compromise factors from 2023 include Weak or No Credentials (51.1%), Misconfiguration (17.3%), Sensitive UI or API exposure (13.7%), Vulnerable Software (11.5%). ~66% of attacks are intended to facilitate coin mining. ~25% of attacks are intended to then target third parties.
Palo Alto Unit 42: Incident Response Threat Report 2024 "we’ve seen an increase in incident responses involving cloud cases, from 6% in 2021 to 16.6% in 2023." "Visibility gaps also led to unnecessary resource exposure, such as internet-exposed remote desktops or inadequately secured cloud workloads. These exposures contributed to 9.6% of cases."
CrowdStrike: 2024 Global Threat Report Cloud environment intrusions increased by 75% YoY. 84% of adversary-attributed cloud-conscious intrusions were focused on eCrime.
Cado: H2 2023 Cloud Threat Findings Report Attackers are getting more sophisticated around Docker, Jupyter, etc. Docker is ~90% of non-SSH honeypot traffic. Diversifying (non-cryptojacking) objectives.
AWS, Ben Fletcher: Security Lessons Learnt From The Cloud Frontline Leaked credentials are the initial vector in 66% of incidents, 33% of these credentials are root. 13% of incidents are public EC2 instances. The goals are resource hijacking, ransom (delete + extort), and scorched earth
Red Canary: 2024 Threat Detection Report Cloud Accounts was the fourth most prevalent ATT&CK technique we detected this year, increasing 16-fold in detection volume and affecting three times as many customers as last year ... expanded use of phishing kits and infostealers to collect credentials and/or MFA-signed access tokens
GCP: GCAT Threat Horizons H2 2024 The most common initial vectors in H1 2024 include Weak or No Credentials (47.2%) and Misconfiguration (30.3%). ~59% of attacks are intended to facilitate coin mining. ~23.5% of attacks are intended to then target third parties.
Orca: 2024 State of Public Cloud Security "87% of cloud malware attacks are via known Trojans."
Crowdstrike, Sebastian Walla: Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) ~250 cloud cases in 2023, 1/3 of which involve "cloud-conscious" threat actors, Initial access: Valid Accounts (28%), Exploit Public-Facing Application (16 %)
Sysdig: 2024 Global Threat Report " Many of the attacks Sysdig TRT captured this year were motivated by income generation and free access to otherwise expensive resources". LLMJacking "can run victims over $100,000 daily"
Expel: Quarterly Threat Report (QTR) for Q3 2024 "Incidents in cloud infrastructures (AWS, GCP, Azure, and Kubernetes) made up only 2% of the total incident volume. This has stayed consistent over the last few quarters"
Cowbell Insurance: Cyber Roundup Report 2024 "Analysis relating to cloud provider usage found that businesses using Google Cloud report a 28% lower frequency of cyber incidents relative to other cloud users. In addition to a reduced frequency of incidents, Google Cloud exhibits the lowest severity of cyber incidents, while Microsoft Azure shows the highest."
Tenable: Cloud Risk Report 2024 "38% of organizations have at least one cloud workload that is publicly exposed, critically vulnerable and highly privileged. 84.2% possess unused or longstanding access keys with critical or high severity excessive permissions."

Disclosure (responsible, coordinated, public)

Date Vulnerability Reference
2014, Dec Credentials leaked in Github My AWS Account Got Compromised
2016, Dec Credentials leaked in npm package Security Incident - AWS S3 Access Key Exposure
2019, Feb 4,648 unique AWS Access Key IDs in Github How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories
2019, May Credentials leaked in exposed GitLab instance Samsung spilled SmartThings app source code and secret keys
2019, May Credentials leaked in Github AWS secret key and NPM token leaked in MEW GitHub repos
2020, Feb Credentials leaked in repository Access to Glassdoor's Infra (AWS) and BitBucket account through leaked repo
2020, Sep ~25,000 AWS Access Keys exposed via Github Reliaquest - Access Keys Exposed: More Than 40% Are For Database Stores
2021, Jan AWS Access Tokens in Public AMI Images Hunting for Sensitive Data in Public Amazon Images (AMI)
2021, Apr Subdomain takeover, deleted EC2 instance Subdomain takeover of www2.growasyouplan.com
2021, Oct AWS Creds hardcoded in MSI Hardcoded AWS credentials in ███████.msi
2021, Nov Potential subdomain takeover, dangling CNAME Possible Domain Takeover on AWS Instance
2021, Nov Subdomain takeover, deleted S3 bucket Subdomain takeover of images.crossinstall.com
2021, Dec Account takeover via Cognito user email change Flickr Account Takeover using AWS Cognito API
2022, May Malicious update to ctx Python library Malicious Python library CTX removed from PyPI repo
2022, Sep 1,859 Android and iOS apps with AWS credentials Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information
2022, Oct Subdomain takeover, deleted S3 bucket Subdomain takeover at http://test.www.midigator.com
2022, Nov AWS credentials in string constant in public python package Infosys leaked FullAdminAccess AWS keys on PyPi for over a year
2022, Jan NoSQL-Injection discloses discloses S3 File Upload URLs NoSQL-Injection discloses S3 File Upload URLs
2022, Sep AWS credentials leaked in code repository Shiba Inu cloud credentials leaked on a public repository!
2022, Dec Lack of forced verification on email update in AWS Cognito Account Takeover Due to Cognito Misconfiguration Earns Me €xxxx
2023, Jan AWS credentials found in 57 PyPi packages I scanned every package on PyPi and found 57 live AWS keys
2023, Jan AWS credentials disclosed in client-side source Owning half of a government assets through AWS
2023, Feb RCE in Lambda function with access to AWS credentials via /proc/*/environ Facebook bug: A Journey from Code Execution to S3 Data Leak
2023, Mar Staging environment file leaked, revealing AWS Access Keys and Secrets Saudi social media app leaks user info and pictures
2023, Mar Passive subdomain takeover Passive Takeover - uncovering (and emulating) an expensive subdomain takeover campaign
2023, Mar 550 IPs vulnerable to SSRF via Host header, likely due to a vulnerable Lightsail image Finding Hundreds of SSRF Vulnerabilities on AWS
2023, Jun Credentials in node env file in public S3 bucket TripValet.com Leaks Passwords and Stripe Credentials
2023, Jul 1,213 AWS Secrets in Docker images Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact
2023, Jul 650 publicly exposed RDS snapshots Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots
2023, Aug Over-privileged cloud credentials in 1,667 mobile applications Credit Karma: Understanding Security Implications of Exposed Cloud Services through Automated Capability Inference
2023, Aug librsvg memory leakage exposes Basecamp AWS keys AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp
2023, Sep 11-12 AWS credentials in .git of Alexa Top 1M 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets
2023, Oct over 140 unique active, plaintext credentials to third-party services like OpenAI, AWS, GitHub, and others in Kaggle data Analyzing the Security of Machine Learning Research Code
2023, Nov 2,897 AWS Access Tokens in StackExchange dataset I analyzed stackoverflow
2024, Feb Access Key exposed in HTML Football Australia leak exposes players’ details
2024, Mar Write permissions to S3 bucket, upload JS that steals credentials From S3 bucket to internal network operation
2024, Apr AWS credentials leaked on Postman’s Public API Network (The) Postman Carries Lots of Secrets
2024, Apr 3 AWS Credentials leaked in public Gists in a seven day period Do Secrets Leak on Public GitHub Gists in 2024?
2024, May over 200 valid AWS credentials in Public AMI Images AWS CloudQuarry: Digging for Secrets in Public AMIs
2024, May Bitbucket secured variables leak AWS keys in plain text through artifact objects Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets
2024, May Publicly traded company exposed 8m+ PII records in DocumentDB Snapshot Publicly Exposed AWS Document DB Snapshots
2024, July Kubernetes escape in SAP AI Core allowed access to Loki config, leaking AWS credentials with access to S3 SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts
2024, July Leaked Secrets in Public Jenkins Logs, including 6 AWS keys Leaked Secrets in Public Jenkins Logs
2024, July Hard-coded AWS credential in JS how to pwn a billion dollar vc firm using inspect element
2024, August Leaked secrets via Virustotal's Retrohunt, Passive DNS "more than 78,000 dangling cloud resources linked to 66,000 apex domains" Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All, Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale
2024, August 1,185 leaked AWS Access Keys in exposed .env Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments
2024, October Hardcoded AWS Access Keys in mobile apps Exposing the Danger Within: Hardcoded Cloud Credentials in Popular Mobile Apps
2024, October Numerous leaked credentials scraped from exposed .git configurations EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files
2024, December 1,526 leaked AWS credentials via environment files (.env), configuration files, exposed git repositories (.git), etc. From Vulnerabilities to Breaches: The Shiny Nemesis Cyber Operation

Catalog of AWS Exploits via SSRF

Server-side request forgery is a class of attack that is not cloud or AWS specific. However, the existence of cloud metadata services, such as IMDS in AWS, have historically allowed for a substantial straightforward impact when SSRF is achieved on a cloud hosted application. For that reason, we include this list of SSRF attacks against AWS environments.

For more about this attack, please see Hacking the Cloud - Steal EC2 Metadata Credentials via SSRF

Talks

The initial data was collected for a talk at BSidesCT 2020: Learning from AWS (Customer) Security Incidents slides here A follow up talk was given at OWASP DevSlop in May 2022. video, slides

Postmortem Culture: Learning from Failure

Note: There have been numerous identified incidents of Magecart exploiting S3 Global Write - in one review targeting "well over 17,000 domains"

About

A repository of breaches of AWS customers

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •