An unknown threat actor compromised an un-used EC2 Instance, accessed AWS API Keys, and used them to exfiltrate a Database Snapshot from security vendor Imperva.
Details of the Incident
In October 2018, an unknown attacker compromised an exposed EC2 instance and gained access to AWS API keys. These keys were subsequently used to access an RDS Snapshot in one of Imperva’s production AWS Accounts. The database snapshot from a year prior was related to their Incapsula WAF product and contained customer email addresses, hashed passwords, API keys, and some customer-provided SSL Certificates.
|September 15, 2017
||Database (RDS) Snapshot made
||Unauthorized use of an administrative API key in production AWS accounts
|August 20, 2019
||Imperva received a data set from a third party requesting a bug bounty
|August 27, 2019
||Imperva announced a security incident that affected a subset of its Cloud WAF customers
Summary of Coverage
Cloud Security Implications of this Incident
- The EC2 Instance was part of a scaling test and was no longer needed. It should have been terminated.
- The EC2 Instance was accessible via the public internet when not required.
- The instance used a long-term access key on an EC2 Instance instead of short-term keys from an EC2 Instance Profile.