Incident Details
| Victimized Company: | Unknown | 
| Incident Dates: | 2021-06-21 to 2021-06-21 | 
| Disclosure Date: | 2022-05-04 | 
| Current Status: | Victim Unknown | 
Mandiant identified a new threat actor, UNC2903, attempting to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Mandiant observed that UNC2903 scanned the internet for a particular vulnerability and utilized a relay box to carry out exploitation and related IMDSv1 abuse.
Mandiant studies the common tactics used by various threat actors. In June 2021, Mandiant identified UNC2903 attempting to harvest and abuse credentials using Amazon Instance Metadata Service (IMDS). This uncategorized threat actor began by scanning externally facing AWS infrastructure hosting Adminer, an open-source database management tool written in PHP. Adminer versions 4.0-4.7.9 are vulnerable to CVE-2021-21311, a server-side request forgery.
Once vulnerable infrastructure was identified, UNC2903 performed further reconnaissance and exploited the web server. Where that reconnaissance turned up other vulnerabilities on the system, UNC2903 would attempt to exploit those as well.
UNC2903 hosted a pre-configured web server on a relay box with a 301 redirect script pointing back to the http://169.254.169.254/latest/meta-data/iam/security-credentials/ URL. From the exposed Adminer interface, the attacker entered the address of the relay box hosting the redirect script and then pressed the login button. This fooled the victim’s server into following the 301 redirect. The victim’s server returned an error that included the redirect output, which contained AWS API credentials. The attacker could then use the access keys obtained this way to access the victim’s AWS account.
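The credentials exposed through this SSRF are the temporary keys of the instance's IAM role, and the write-up notes they could then be used to reach the victim's AWS account. One practical detection, added here as an illustration rather than anything from the Mandiant report, rests on a property of such credentials: CloudTrail records calls made with instance-profile credentials under an assumed-role ARN whose session name is the instance ID, so any call with those credentials from an address other than the instance's own egress is suspicious. The CloudTrail records, instance ID, account ID, role name and IP ranges below are all constructed for the example.

```python
"""Flag EC2 instance-role credentials used from outside the instance's expected egress.

Added example with constructed CloudTrail-style records; not code from the incident
write-up. Instance IDs, account ID, role name and networks are hypothetical.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed inventory: instance ID -> networks the instance is expected to reach AWS
# APIs from (its public IP or NAT egress). In practice build this from DescribeInstances.
EXPECTED_EGRESS = {
    "i-0abc123def456789a": [ip_network("203.0.113.0/24")],
}

# Constructed CloudTrail export, trimmed to the fields this check reads.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "evt-1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456789a"}},
    # Same instance-role session, but the call comes from an address the instance never uses.
    {"eventID": "evt-2", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456789a"}},
    # Service-originated call: sourceIPAddress is a service DNS name, not an address.
    {"eventID": "evt-3", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456789a"}},
    # Ordinary IAM user activity: not instance-role credentials, so out of scope here.
    {"eventID": "evt-4", "eventName": "ListUsers", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def instance_session(record):
    """Return the EC2 instance ID if the call used instance-profile credentials, else None.

    For instance-profile credentials the STS session name is the instance ID, so the
    assumed-role ARN has the form .../assumed-role/<RoleName>/i-<hex>.
    """
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def source_ip(record):
    """Parse sourceIPAddress; AWS service principals appear as DNS names and yield None."""
    try:
        return ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return None


def find_credential_misuse(trail_json, expected=EXPECTED_EGRESS):
    """Return (eventID, instance, source IP, reason) for instance-role calls from unexpected addresses."""
    flagged = []
    for rec in json.loads(trail_json)["Records"]:
        inst = instance_session(rec)
        ip = source_ip(rec)
        if inst is None or ip is None:
            continue
        nets = expected.get(inst)
        if nets is None:
            flagged.append((rec["eventID"], inst, str(ip), "no egress inventory for instance"))
        elif not any(ip in net for net in nets):
            flagged.append((rec["eventID"], inst, str(ip),
                            f"{rec['eventName']} from outside expected egress"))
    return flagged


if __name__ == "__main__":
    for hit in find_credential_misuse(SAMPLE_TRAIL):
        print(*hit, sep="\t")
```

Run against the constructed trail, only `evt-2` is reported: the instance-role session is used from 198.51.100.77, which is outside the instance's expected egress network. The same rule is what GuardDuty's `InstanceCredentialExfiltration` finding types implement at scale; the point of writing it out is to see which CloudTrail fields carry the signal. Requiring IMDSv2 on the instance removes the credential exposure itself, since a redirect-following GET cannot supply the session token that IMDSv2 demands.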
| Date | Event | 
|---|---|
| February 2021 | CVE-2021-21311 was published for the vulnerable versions of Adminer. | 
| June 2021 | Mandiant observed that UNC2903 infrastructure was used to scan over 2100 IP addresses, focusing on web services such as port 80 or 443. Eighteen minutes after the threat actor's scanning discovered the adminer.php vulnerable to CVE-2021-21311, an automated session from a free VPN service also scanned adminer.php. | 
This attack has been attributed to UNC2903 by Mandiant. However, no other activity has been attributed to this group.
The victim is currently unknown.
As part of Mandiant’s write-up, they highlighted a number of failures of the unidentified victim: