Welcome to the first breaches.cloud monthly update since going live in May. Not much has happened in the way of new breaches, but we did learn more from the FTC about public S3 buckets at Vitagene. I was busy organizing the fourth annual fwd:cloudsec conference in Anaheim, then attending AWS re:Inforce.

So far in June, we learned the following:

  • Nickolas Sharp was sentenced to six years in prison for his role in the 2020 Ubiquti hack.
  • After conducting a thorough inspection of their cloud environment after discovering a “cloud misconfiguration”, Toyota, disclosed a second incident (Write up from TechCrunch).
  • Security Researcher Anurag Sen found an “online database” with a large amount of PII from Shell’s EV charging stations. Zack Whittaker at TechCrunch has the write-up.
  • While not a breach, Microsoft suffered a serious DDOS attack against O365 and Azure.
  • The FTC issued a decision and order against Vitagene for having a public bucket (among other bad business practices).
  • The developers of the npm package bignum hosted some pre-compiled binaries in S3, and hard-coded the buckets in specific versions of their code. When they subsequently deleted the buckets, hilarity ensued. From the Checkmarx writeup:

    An NPM package, named “bignum” was found to leverage “node-gyp” for downloading a binary file during installation. The binary file was initially hosted on an Amazon AWS S3 bucket, which, if inaccessible, would prompt the package to look for the binary locally.

    However, an unidentified attacker noticed the sudden abandonment of a once-active AWS bucket. Recognizing an opportunity, the attacker seized the abandoned bucket. Consequently, whenever bignum was downloaded or re-installed, the users unknowingly downloaded the malicious binary file, placed by the attacker.

  • Permiso has an excellent write up of an [alledged] Indonesian Threat Actor (dubbed GUI-vil) that applies an artisanal touch to cryptomining. Rather than rely on scripts and the AWS CLI, they operate mostly in S3 Browser and the AWS Console.

    In their typical attack lifecycle, GUI-vil initially performs reconnaissance by monitoring public sources for exposed AWS keys (GitHub, Pastebin) and scanning for vulnerable GitLab instances. Initial compromises are predominantly achieved via exploiting known vulnerabilities such as CVE-2021-22205, or via using publicly exposed credentials.

  • In a lesson on how not to manage password resets, a High School in Illinois accidently wiped tier student passwords, and then reset all of them to Ch@ngeme!.