Massive NHI attack: 230 Million cloud environments were compromised

Dana Katz August 22, 2024
Massive NHI Attack

Massive NHI Attack: Insecure AWS Stored Credentials Lead to Compromise of 230 Million Cloud Environments. Researchers from Unit 42 have uncovered a sophisticated and large-scale cyberattack targeting over 230 million AWS, cloud and SaaS environments. The attack exploited exposed environment variable files (.env) commonly stored insecurely on web servers. These files contained sensitive credentials, including AWS keys, database passwords, and API tokens, which the attackers used to gain unauthorized access to numerous cloud environments.

Read more to learn about the exact flow of the attack and get 4 practical tips on minimizing your attack surface. 

Campaign Rundown

Discovery and Tactics

The campaign was initially uncovered during an investigation into a compromised AWS environment being used to scan other domains. The attackers were found to have collected .env files from approximately 110,000 domains, exposing over 90,000 unique environment variables. Among these were 1,185 AWS access keys, OAuth tokens for PayPal, GitHub, and HubSpot, and webhooks for Slack and other services.

Exploiting Misconfigurations

The attackers used a combination of automated tools and deep AWS knowledge to compromise the targeted environments. They began by running AWS API calls such as GetCallerIdentity, ListUsers, and ListBuckets to identify the capabilities of the stolen credentials. Although the initial IAM roles they acquired lacked full administrative privileges, they escalated their privileges by creating new IAM roles with administrator rights.

The attackers then deployed AWS Lambda functions to automate the scanning of additional domains for exposed .env files. This recursive scanning allowed them to access even more credentials and deepen their infiltration across multiple AWS regions. Notably, their primary target was Mailgun credentials, likely intended for use in a large-scale phishing campaign.

Data Exfiltration and Ransom

Once they accessed S3 buckets, the attackers used the S3 Browser tool to exfiltrate data. After downloading the data, they deleted it and left ransom notes, demanding payment to prevent the release or sale of the stolen information. The ransom notes were sometimes sent directly to company shareholders, adding extra pressure.

Despite efforts to conceal their operations through Tor nodes and VPNs, the attackers occasionally connected directly from IP addresses in Ukraine and Morocco, leaving a digital trail.

Stay Safe, Keep Your NHIs Secure

To reduce the risk of exploitation and minimize the impact of attacks, organizations should build an NHI security program that focuses on the following initiatives:

  1. Reduce NHI exploit opportunities:
  • Least-privileged NHIs Apply the principle of least privilege to all non-human identities (NHIs) in your environment to reduce the potential blast radius if an attacker takes over an NHI.
  • Minimize attack Surface Regularly decommission unused NHIs to eliminate unnecessary access points that attackers could exploit.
  • Automate remediation of the above Implement ongoing automated processes to continuously identify and remediate misconfigured, over-privileged and unused NHIs, taking the burden off you security staff.
  1. Prevent attacker lateral movement by removing exposed secrets Attackers move laterally by taking over NHIs found in a compromised environment. Make their life hard.
  2. Scan for Exposed Secrets Conduct routine scans to detect exposed NHIs that could facilitate lateral movement within your AWS environment or across to other environments. Remediate by addressing leaks and rotating exposed secrets.
  3. Detect active threats and mitigate them Even if you’ve taken protective measures, always assume that a breach might still happen. To effectively detect and respond to breaches in real-time, organizations should implement the following strategies:
  • Anomaly detection Leverage advanced anomaly detection systems to identify unusual activity that may indicate attacker abuse of credentials. This is particularly critical for detecting misuse of secrets found in AWS.
  • Revoke or rotate compromised credentials Act quickly to revoke or rotate any credentials that have been exposed or show signs of anomalous behavior. Solutions like Astrix allow for surgical credential management, minimizing the impact on services while maintaining security.

How Astrix can help 

Non-human identities (NHIs) such as IAM users, roles, service accounts, external keys, and secrets are crucial for accessing resources within AWS environments. However, managing and securing these identities presents unique challenges. Astrix helps you with the toughest questions of identity security: what permissions NHIs have, to which resources, who is behind them, and the risks they pose in real time. Learn more in this blog

To learn more about securing non-human identities in AWS environments with Astrix, read the full solution brief, or schedule a demo

Learn more

The Service Accounts Guide Part 2: Challenges, Compliance and Best Practices

The Service Accounts Guide Part 2: Challenges, Compliance and Best Practices

The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes

The Service Accounts Guide Part 1: Origin, Types, Pitfalls and Fixes

Detect and Rotate Exposed Secrets with Astrix

Detect and Rotate Exposed Secrets with Astrix