aws-customer-security-incidents
A repository of breaches of AWS customers
Background
Security is an exercise in managing risk. Reviewing the common root causes of security incidents is an effective way to guide prioritized remediation efforts.
This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause. It excludes incidents involving exposed data stores (e.g. S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like nagwww's s3-leaks repo, UpGuard's reports, Hackmageddon's annual rollup reports (2022) and Corey Quinn's LWIAWS S3 Bucket Negligence Award.
It also excludes incidents impacting individuals, such as the periodic reports of cryptomining due to compromised credentials. 1 2 3
Other Cloud Threat Trend Analysis
GCP's November 2021 Cloud Threat Intelligence report found that:
Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining
Their July 2022 report also highlights that:
the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password ... close behind brute force attacks was the exploitation of vulnerable software
Rich Mogull's summary of a 2022 AWS re:Inforce session on ransomware highlights that ransomware is a common problem for AWS customers, stemming from two common exploit vectors:
A traditional ransomware attack against instances in AWS. The attacker compromises an instance (often via phishing a user/admin, not always direct compromise), then installs their malware to encrypt the data and spread to other reachable instances. This is really no different than ransomware in a data center since it doesn’t involve anything cloud-specific.
The attacker copies data out of an S3 bucket and then deletes the original data. This is the most commonly seen cloud native ransomware on AWS.
Talks
The initial data was collected for a talk at BSidesCT 2020: Learning from AWS (Customer) Security Incidents (slides here). A follow-up talk was given at OWASP DevSlop in May 2022 (video, slides).
A Note on Blameless Postmortems
This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems 1, our goal is to learn from incidents without an atmosphere of blame.
Catalog of AWS Customer Security Incidents
Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | BrowserStack analysis |
DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
Uber | 2016, October | Private Github Repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users | Uber concealed cyberattack ... |
Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | 2 Plead Guilty in 2016 Uber and Lynda.com Hacks |
OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instances started | Cryptomining | DXC spills AWS private keys on public GitHub |
LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency |
imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | Disclosure of Security Incidents on imToken |
Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Imperva Security Update |
Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | Washington State OAG - Live Auctioneers |
Twilio | 2020, July | S3 global write access | N/A | Magecart 2 | Incident Report: TaskRouter JS SDK Security Incident |
Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | [PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884](https://web.archive.org/web/20220923025502/https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Sendtech-Pte-Ltd---220721.ashx?la=en) |
LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 |
HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | Aruba Central Security Incident |
Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | Uber - Security update |
Catalog of Vendor Reports on AWS Customer Security Incidents
Report | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
TeamTNT Worm | 2020, April | Misconfigured Docker & k8s platforms | Steals AWS credentials from ~/.aws/* | Cryptojacking for Monero | Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera” |
Expel case study 1 | 2020, April | 8 IAM access keys compromised | Backdoored security groups | Command line access to EC2 instances | Finding evil in AWS: A key pair to remember |
Expel case study 2 | 2020, July | Root IAM user access key compromised | SSH keys generated for EC2 instances | Cryptojacking | Behind the scenes in the Expel SOC: Alert-to-fix in AWS |
Mandiant: Insider Threat Scenario | 2020, September | Fired employee uses credentials | Access CI/CD server, create a new user, steal credentials | Deleted production databases | Cloud Breaches: Case Studies, Best Practices, and Pitfalls |
Expel case study 3 | 2022, April | Credentials in publicly available code repository | AttachUserPolicy used for privesc | Cryptomining (prevented) | Incident report: From CLI to console, chasing an attacker in AWS |
Permiso case study 1 | 2022, June | Gitlab vulnerability (CVE-2021-22205) | Credentials on the system found, used to create a backupuser | Cryptomining | Anatomy of an Attack: Exposed keys to Crypto Mining |
Catalog of AWS Exploits via SSRF
Server-side request forgery is a class of attack that is not cloud or AWS specific. However, the existence of cloud metadata services, such as IMDS in AWS, has historically allowed for a substantial, straightforward impact when SSRF is achieved on a cloud hosted application: the forged request can fetch the instance role's temporary credentials from the metadata endpoint. For that reason, we include this list of SSRF attacks against AWS environments.
- Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite
- ESEA Server-Side Request Forgery and Querying AWS Meta Data
- A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF
- Dropbox - Full Response SSRF via Google Drive
- Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
- SSRF leads to access AWS metadata.
- Escalating SSRF to RCE
- SSRF Leads To AWS Metadata Exposure
- How I discovered an SSRF leading to AWS Metadata Leakage
- Exploitation of an SSRF vulnerability against EC2 IMDSv2
- Mozilla - AWS SSRF to Pull AWS Metadata and Keys
For more about this attack, please see Hacking the Cloud - Steal EC2 Metadata Credentials via SSRF
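The practical defender's check for the SSRF-to-IMDS path above is whether instances still accept IMDSv1 requests. The following audit script is an added example and is not part of this repository; it walks data shaped like the `Reservations` list that boto3's `ec2.describe_instances()` returns (the sample data is constructed, and the instance IDs in it are placeholders) and flags instances whose `HttpTokens` is not `required` or whose PUT hop limit lets containers reach the metadata service. The remediation helper only builds the AWS CLI command strings; it does not run them.

```python
"""Audit EC2 instances for IMDS settings that make SSRF-to-credential-theft easy.

Why: an SSRF against an instance that still allows IMDSv1 (HttpTokens=optional)
lets the forged GET read the instance role's credentials directly. IMDSv2
(HttpTokens=required) needs a session token obtained with a PUT first, which
typical SSRF primitives cannot produce. A PUT response hop limit above 1 lets
containers on the instance obtain that token too, widening the blast radius of
an SSRF inside a pod.

Input shape mirrors the `Reservations` list from boto3's ec2.describe_instances().
The sample below is constructed; the instance IDs are placeholders.
"""
from typing import Dict, List

# Constructed sample: three instances with different IMDS settings.
SAMPLE_RESERVATIONS: List[Dict] = [
    {"Instances": [
        {"InstanceId": "i-0000000000000aaaa",   # placeholder id
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000bbbb",   # placeholder id
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0000000000000cccc",   # placeholder id
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]


def audit_metadata_options(reservations: List[Dict]) -> List[Dict[str, str]]:
    """Return one finding per instance and issue; an empty list means all clear."""
    findings: List[Dict[str, str]] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            iid = inst["InstanceId"]
            # A disabled metadata endpoint is unreachable by SSRF; nothing to flag.
            if opts.get("HttpEndpoint") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                findings.append({
                    "instance": iid,
                    "issue": "imdsv1_allowed",
                    "detail": "HttpTokens is not 'required'; a plain GET via SSRF can read role credentials",
                })
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            if hop_limit > 1:
                findings.append({
                    "instance": iid,
                    "issue": "hop_limit_gt_1",
                    "detail": f"hop limit {hop_limit} lets containers on the host obtain IMDSv2 tokens",
                })
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Build (but do not run) the AWS CLI commands that enforce IMDSv2 on flagged instances."""
    cmds: List[str] = []
    for f in findings:
        if f["issue"] == "imdsv1_allowed":
            cmds.append(
                "aws ec2 modify-instance-metadata-options "
                f"--instance-id {f['instance']} --http-tokens required"
            )
    return cmds


if __name__ == "__main__":
    found = audit_metadata_options(SAMPLE_RESERVATIONS)
    for f in found:
        print(f"{f['instance']}: {f['issue']} - {f['detail']}")
    for cmd in remediation_commands(found):
        print(cmd)
```

To run it against a real account, replace `SAMPLE_RESERVATIONS` with the `Reservations` value from `boto3.client("ec2").describe_instances()` (paginated in larger accounts) and review the emitted commands before applying them, since enforcing IMDSv2 breaks any workload that still calls IMDSv1.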
Catalog of AWS Threat Actors
Name | Vectors | Reports |
---|---|---|
UNC2903 | SSRF (targeting known CVEs) | Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 |
8220 Gang | Exploit outdated and misconfigured software | JupiterOne - 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads |
Postmortem Culture: Learning from Failure
Note: There have been numerous identified incidents of Magecart exploiting S3 Global Write - in one review targeting "well over 17,000 domains"