Bling Libra's Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware

Summary:
Unit 42’s recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they’ve now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.

Even though the stolen credentials had limited access, Bling Libra was able to get into the AWS environment, carry out some reconnaissance, and use tools like Amazon S3 Browser and WinSCP to examine S3 bucket settings, access data, and delete it. By analyzing the CloudTrail logs these tools generate, we can better understand which activities were performed deliberately by the attackers and which were just automated API calls issued by the tools themselves.

Security Officer Comments:
As more businesses move to the cloud, the threat posed by groups like Bling Libra highlights the urgent need for robust cybersecurity practices. Using AWS’s security tools, such as Amazon GuardDuty, AWS Config, and AWS Service Control Policies, is essential for protecting cloud resources.

Incident Details

  • Initial Access: Bling Libra obtained AWS credentials from a publicly exposed file, allowing them to interact with S3 buckets.
  • Discovery: The attackers used CloudTrail logs to explore the permissions and contents of the AWS environment.
  • Data Access and Impact: After a delay, the attackers accessed and deleted S3 buckets. Due to inadequate logging, data exfiltration was not recorded, but the ransom note confirmed their actions.
  • Execution: The attackers created new S3 buckets as part of their extortion strategy.
  • Extortion: Bling Libra sent an extortion email demanding payment from the victim organization.

Tool Analysis

  • S3 Browser: Generates numerous API calls in CloudTrail logs based on user interactions, which helps differentiate between automated and manual actions.
  • WinSCP: Also generates API calls but is less comprehensive in its AWS management compared to S3 Browser.
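The following Python script is an added example; it is not part of the Unit 42 report or of either tool. It runs over constructed CloudTrail records (the access key ID and the userAgent strings are placeholders, not the real strings S3 Browser or WinSCP send) and shows the triage the summary describes: attributing S3 calls to a key and client, sorting them into the discovery, access and impact phases listed above, and grouping tightly clustered calls into bursts so that one GUI action that fans out into several API calls can be told apart from separate operator actions.

```python
"""Triage S3 activity in CloudTrail: who called what, with which client, and which
API calls were fanned out by one tool action versus issued as separate operator steps.
Added example; the records below are constructed, not real CloudTrail output."""
from collections import Counter
from datetime import datetime, timezone

# API names grouped into the phases used in the incident summary.
PHASES = {
    "discovery": {"GetCallerIdentity", "ListBuckets", "GetBucketLocation", "GetBucketAcl",
                  "GetBucketPolicy", "GetBucketVersioning", "ListObjects", "ListObjectsV2"},
    "access": {"GetObject", "HeadObject"},
    "impact": {"DeleteObject", "DeleteObjects", "DeleteBucket", "CreateBucket"},
}

# Constructed values. The key ID and userAgent strings are placeholders; take the real
# strings a client sends from your own CloudTrail rather than from this example.
KEY = "AKIAEXAMPLE0000000001"
UA_GUI = "S3 Browser/EXAMPLE (constructed)"
UA_SCP = "WinSCP/EXAMPLE (constructed)"


def _rec(time, name, ua, source="s3.amazonaws.com", error=None):
    """Build a minimal CloudTrail-shaped record for the constructed sample."""
    r = {"eventTime": time, "eventName": name, "eventSource": source,
         "userAgent": ua, "userIdentity": {"accessKeyId": KEY}}
    if error:
        r["errorCode"] = error
    return r


SAMPLE_RECORDS = [
    # one "connect" in the GUI client fans out into a burst of discovery calls
    _rec("2024-05-01T09:59:59Z", "GetCallerIdentity", UA_GUI, source="sts.amazonaws.com"),
    _rec("2024-05-01T10:00:00Z", "ListBuckets", UA_GUI),
    _rec("2024-05-01T10:00:00Z", "GetBucketLocation", UA_GUI),
    _rec("2024-05-01T10:00:01Z", "GetBucketAcl", UA_GUI),
    _rec("2024-05-01T10:00:01Z", "GetBucketPolicy", UA_GUI, error="AccessDenied"),
    _rec("2024-05-01T10:00:01Z", "GetBucketVersioning", UA_GUI),
    # separate operator actions, minutes apart
    _rec("2024-05-01T10:14:30Z", "ListObjectsV2", UA_GUI),
    _rec("2024-05-01T10:15:05Z", "GetObject", UA_GUI),
    # the same key reused from a second client
    _rec("2024-05-01T10:40:00Z", "ListObjectsV2", UA_SCP),
    _rec("2024-05-01T10:40:00Z", "GetObject", UA_SCP),
    # impact phase, later
    _rec("2024-05-01T11:02:00Z", "DeleteBucket", UA_GUI),
    _rec("2024-05-01T11:02:40Z", "CreateBucket", UA_GUI),
]


def parse(records):
    """Flatten raw records into sorted events with the fields triage needs."""
    events = []
    for r in records:
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "key": r["userIdentity"]["accessKeyId"],
                       "ua": r.get("userAgent", ""), "name": r["eventName"],
                       "error": r.get("errorCode")})
    return sorted(events, key=lambda e: e["ts"])  # stable sort keeps same-second order


def phase_of(name):
    for phase, names in PHASES.items():
        if name in names:
            return phase
    return "other"


def summarize_by_key(events):
    """Per access key: clients seen, calls per phase, denied calls, first/last activity."""
    out = {}
    for e in events:
        s = out.setdefault(e["key"], {"user_agents": set(), "phases": Counter(),
                                      "denied": 0, "first": e["ts"], "last": e["ts"]})
        s["user_agents"].add(e["ua"])
        s["phases"][phase_of(e["name"])] += 1
        s["denied"] += 1 if e["error"] else 0
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return out


def burst_groups(events, window_seconds=2):
    """Group consecutive calls from the same key and client that arrive within the window.
    A GUI client fans one click out into several API calls within a second or two, so one
    burst approximates one operator action; calls minutes apart are separate actions."""
    groups = []
    for e in events:
        prev = groups[-1][-1] if groups else None
        if prev and prev["key"] == e["key"] and prev["ua"] == e["ua"] \
                and (e["ts"] - prev["ts"]).total_seconds() <= window_seconds:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def operator_actions(events, window_seconds=2):
    """One tuple per burst: key, client, and the distinct API names behind that action."""
    return [(g[0]["key"], g[0]["ua"], sorted({e["name"] for e in g}))
            for g in burst_groups(events, window_seconds)]


def impact_timeline(events):
    """Destructive and bucket-creating calls in order, the events a responder reads first."""
    return [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["key"], e["ua"], e["name"])
            for e in events if phase_of(e["name"]) == "impact"]


if __name__ == "__main__":
    evs = parse(SAMPLE_RECORDS)
    for key, s in summarize_by_key(evs).items():
        print(key, dict(s["phases"]), "denied:", s["denied"], "clients:", sorted(s["user_agents"]))
    for key, ua, names in operator_actions(evs):
        print(f"{ua:35} {', '.join(names)}")
    print(impact_timeline(evs))
```

The burst window is deliberately short; widen it and the two impact calls forty seconds apart collapse into one action, so tune it against bursts you know were single clicks in your own environment before relying on the grouping.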

Suggested Corrections:
To secure AWS environments and mitigate these risks, organizations should adopt the principle of least privilege: IAM users and roles should hold only the permissions their tasks require, and those permissions should be reviewed and adjusted regularly.
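As an added example of the review step just described (not code from the report or from AWS), the Python below checks an IAM policy document for grants wider than a task needs. The three policy documents are constructed: a wildcard policy of the kind that turns a leaked key into full account access, a convenient but service-wide `s3:*` grant, and a scoped read-only policy for the same reporting task; bucket names are placeholders.

```python
"""Review an IAM policy document for grants wider than a task needs.
Added example; the policy documents below are constructed, not taken from the incident."""
import fnmatch
import json

# S3 actions that let a holder destroy data or reconfigure buckets. Granting them without
# resource scope or a Condition is the finding; these are the calls behind the impact phase.
HIGH_RISK_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket", "s3:CreateBucket",
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketVersioning",
}

# Constructed policies. Bucket names are placeholders.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

CONVENIENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-reports"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"}]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action wildcards are case-insensitive globs such as s3:* or s3:Delete*."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review_policy(policy):
    """Return (statement_index, finding) pairs for every Allow statement wider than it should be."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        if "*" in actions:
            findings.append((i, "Action '*' allows every API of every service"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard such as s3:* allows every S3 API"))
        if "*" in resources:
            findings.append((i, "Resource '*' applies to every bucket and object in the account"))
        risky = sorted(h for h in HIGH_RISK_ACTIONS if any(action_matches(a, h) for a in actions))
        if risky and "Condition" not in st:
            findings.append((i, "destructive or bucket-config actions allowed without a Condition: "
                                + ", ".join(risky)))
    return findings


if __name__ == "__main__":
    for label, pol in [("overbroad", OVERBROAD_POLICY), ("convenient", CONVENIENT_POLICY),
                       ("scoped", SCOPED_POLICY)]:
        print(f"== {label} ==")
        print(json.dumps(pol["Statement"], indent=1))
        for idx, finding in review_policy(pol) or [(None, "no findings")]:
            print(f"  statement {idx}: {finding}")
```

The scoped policy still lets the reporting task read its bucket, which is the point: a key leaked with that policy could be used to read those objects but not to delete buckets or create new ones. Run the check against policies pulled with the IAM API or from your infrastructure-as-code repository, and treat any finding on a policy attached to a long-lived user access key as a priority for review.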

Link(s):
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/