Mandiant identified a new threat actor, UNC2903, attempting to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Mandiant observed that UNC2903 scanned the internet for a particular vulnerability and utilized a relay box to carry out exploitation and related IMDSv1 abuse.
Welcome to Breaches.Cloud - the soon-to-be definitive source for analysis on cloud security-related breaches.
Why are we doing this?
As a cloud security practitioner, I often find myself trying to explain cloud security risks to my developer, operator, and builder constituency. Within the Cloud Security community, we know the potential risks of long-term access keys, publicly writable buckets, and insecure services exposed to the world.
In January of 2023, CommuteAir suffered a breach that exposed the US Department of Homeland Security’s “No Fly” and Selective Screening lists containing over 1.5 million records, along with CommuteAir employee information. The attacker found an exposed Jenkins server and was able to access different build workspaces containing repositories for the build jobs. On the Jenkins server, the attacker found access keys that offered access to the CommuteAir environment. After investigating the AWS Infrastructure, the attacker found the No Fly List among test data on the Jenkins server.
In June of 2014, The code hosting and project management provider known as CodeSpaces.com was forced to shut down after a series of events in which an Unknown threat actor performed a well-organized Denial of Service attack and attempted to demand payment. The threat actor accessed Codespaces Amazon Account when negotiations fell through, deleting data and backups.
In September 2018 a former engineer leveraged AWS credentials, left over from his time of employment, which resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application. Cisco cited the outage as costing over $2.4M dollars.
In 2014 and again in 2016, Uber suffered a data breach where attackers gained access an unencrypted file containing sensitive user information. In both instances, the attackers used keys found in Uber’s GitHub repositories. In 2014, the attacker found an access key in a public repository. In 2016, the attackers used stolen GitHub credentials to access an AWS key in an engineer’s private repo.
Uber reported the 2014 incident to the Federal Trade Commission, which prompted an investigation into its security practices of Uber. As part of the 2016 incident, Uber’s Chief Information Security Officer paid the attackers $100,000, supposedly as a bug bounty, to delete and not disclose the data. This incident is notable because the CISO, Joey Sullivan, was later convicted for not promptly notifying the Federal Authorities when the breach occurred. Uber was fined $148 million for concealing the breach.
In April 2018, the educational platform Chegg Inc. suffered a breach leading to the exposure of sensitive data on over 40 million users. A former contractor used AWS root credentials to exfiltrate the data.
In July 2020, Drizly, an on-demand alcohol delivery service, suffered a data breach that exposed the personal information of over 2 million users data. The source of the breach was an executive’s GitHub account that was the victim of a credential-stuffing attack. With access to GitHub, the attacker could find AWS credentials, reconfigure AWS security settings, and access a customer database, leading to the leak of 2 million user records.
An unknown threat actor compromised an un-used EC2 Instance, accessed AWS API Keys, and used them to exfiltrate a Database Snapshot from security vendor Imperva.