Cybercrime Gangs Abscond With Thousands of AWS Credentials

Summary:
The Shiny Nemesis Cyber Operation highlights a highly sophisticated campaign targeting misconfigured public websites, predominantly hosted on AWS, to exploit vulnerabilities and gain unauthorized access to sensitive data, credentials, and proprietary resources. The operation, linked to the French-speaking "Nemesis" group and remnants of the infamous "ShinyHunters," scanned millions of websites for exploitable endpoints. Using AWS CIDRs, the attackers mapped IP addresses to domain names via SSL certificates and Shodan reverse lookups, building an extensive database of potential targets. They leveraged tools like MultiGrabber, Project Discovery's ffuf and httpx, and custom scripts in Python, PHP, NodeJS, and Bash to extract sensitive information. For specific platforms like Laravel and WordPress, they employed tailored exploits and, in some cases, deployed remote shells like "EmperorsTools" for deeper access.

The attackers harvested a wide range of credentials, including AWS keys, database logins, Git credentials, and third-party service access for platforms like Twilio, Binance, and SendGrid. They also captured cryptocurrency wallet keys, application secrets, and credentials for push notification and customer experience platforms. Each credential was verified and stored for later use. Active AWS credentials were tested for access to key services like IAM, S3, and SES, allowing attackers to create admin accounts, exfiltrate data, and exploit email quotas for phishing or spam campaigns. The stolen data, totaling over 2 TB, was stored in an S3 bucket misconfigured by the attackers themselves. This bucket contained logs, tools, and detailed lists of vulnerable targets worldwide.


Security Officer Comments:
Attribution analysis linked the attackers to the "Nemesis" black market and remnants of "ShinyHunters," known for breaching companies like Microsoft and AT&T. Metadata in the tools and embedded identifiers pointed to French-speaking individuals, including Sebastien Raoult, who pleaded guilty to related crimes earlier in 2024. The group monetized the stolen data by selling credentials and access on Telegram channels and darknet markets for hundreds of Euros per breach. The operation was discovered in August 2024 by researchers Noam Rotem and Ran Locar, who reported it to the Israeli Cyber Directorate and AWS Security. AWS mitigated the impact by notifying affected customers, emphasizing that the breaches resulted from customer-side


Suggested Corrections:
There are a few simple steps that anyone can take to avoid falling victim to these attacks:

  • The first thing any system operator should do is make sure they NEVER have hard-coded credentials in their code or even in their filesystem. AWS provides excellent services (such as the "AWS Secrets Manager") to store sensitive credentials, and with proper CI/CD processes in place, there is absolutely no need to have passwords and keys in places that might be accessed by unauthorized parties.
  • It is also advisable to run simple web-scans using open source tools like "dirsearch" or even "nikto", which are often used by lazy attackers to identify common vulnerabilities — that way, if something was left exposed, you have a chance at finding it before malicious actors do.
  • In addition, using a WAF (Web Application Firewall) is a relatively low-cost solution that can filter out malicious attempts to get sensitive information.
  • As a precaution against leakage of keys, passwords, or other secrets, it is advisable to roll them periodically. That way, even if a malicious actor has obtained access to your keys, they will be rendered useless after the roll period (See AWS documentation).
  • **CanaryTokens are tripwires for your secrets.** They are easily created and can be sprinkled around your code in places nobody should access. If a canary gets triggered, it means someone is attempting to access secrets they shouldn't.
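The first and fourth recommendations above (no hard-coded credentials in code or on disk; roll keys periodically) are the ones a small script can check mechanically. The block below is an added example written for this digest, not code from the vpnMentor report, Dark Reading or AWS: it scans text for the credential kinds the report names (AWS access key IDs, AWS secret keys, and generic password/token/API-key assignments), masks anything it finds so its own output does not leak the secret, skips placeholders and environment or Secrets Manager references, and separately flags active IAM access keys older than a rotation period. The sample config and key list are constructed; the AWS key values in them are the example keys from AWS's own documentation, and the rotation helper takes dicts shaped like the AccessKeyMetadata entries that IAM ListAccessKeys returns rather than calling the API itself.

```python
"""Added example: hard-coded credential scanner plus access-key age check.
Not the report's or AWS's code. Sample values are constructed or are the
example keys from AWS documentation (AKIAIOSFODNN7EXAMPLE and friends)."""
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA long-term,
# ASIA temporary) followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like characters; flag them only when
# assigned to a variable named like the AWS secret key.
AWS_SECRET_ASSIGNMENT = re.compile(
    r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
# Heuristic for the other secrets the report lists (DB, Git, Twilio, SendGrid,
# wallet keys): a variable ending in a secret-like word assigned a literal.
GENERIC_SECRET_ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.]*(?:password|passwd|api_?key|secret|token|private_?key))"
    r"\s*[=:]\s*['\"]?([^\s'\"#]{8,})"
)
# Values that are obviously not live secrets.
PLACEHOLDERS = {"changeme", "example", "xxxxxxxx", "your_key_here", "redacted"}


def mask(value: str) -> str:
    """Show only the ends of a secret so the scanner's report cannot leak it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "****"


def is_reference(value: str) -> bool:
    """True when the value is a lookup (env var, Secrets Manager ARN, os.environ)
    rather than a literal, which is the pattern the report recommends."""
    return value.startswith(("$", "arn:aws:secretsmanager:", "os.environ", "os.getenv"))


def scan_text(text: str, path: str = "<memory>") -> list:
    """Return one finding dict per suspected hard-coded credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue  # comment line
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "match": m.group(0)})
        m = AWS_SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "match": mask(m.group(1))})
            continue
        m = GENERIC_SECRET_ASSIGNMENT.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if value.lower() in PLACEHOLDERS or is_reference(value):
                continue
            findings.append({"path": path, "line": lineno,
                             "kind": "generic_secret", "match": f"{name}={mask(value)}"})
    return findings


def scan_file(path: str) -> list:
    """Scan one file on disk (e.g. a .env or config file in a repository)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), path)


def keys_due_for_rotation(access_keys, max_age_days=90, now=None):
    """access_keys: dicts shaped like the AccessKeyMetadata entries that IAM
    ListAccessKeys returns ('AccessKeyId', 'Status', 'CreateDate').
    Returns (key id, age in days) for active keys older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    due = []
    for key in access_keys:
        if key.get("Status") != "Active":
            continue  # inactive keys cannot be used; rotate the active ones
        age = now - key["CreateDate"]
        if age > timedelta(days=max_age_days):
            due.append((key["AccessKeyId"], age.days))
    return due


# Constructed .env-style file; the AWS values are AWS's documentation examples.
SAMPLE_CONFIG = """\
# constructed sample config for the demo
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
TWILIO_TOKEN=${TWILIO_TOKEN}
STRIPE_API_KEY="sk_test_constructed0123456789"
"""

# Constructed key metadata in the ListAccessKeys shape, with a fixed "now".
DEMO_NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_KEYS = [
    {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
     "CreateDate": datetime(2024, 7, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLEINACTIVE0", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "sample.env"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['match']}")
    for key_id, days in keys_due_for_rotation(SAMPLE_ACCESS_KEYS, 90, DEMO_NOW):
        print(f"rotate {key_id}: {days} days old")
```

Run against the constructed sample, the scanner reports the access key ID on line 3, the masked secret key on line 4 and the masked Stripe-style key on line 6, while the placeholder password and the `${TWILIO_TOKEN}` reference are ignored; the rotation check flags only the active key created in January. In practice `scan_file` is pointed at the paths a CI job checks out, and `keys_due_for_rotation` is fed the live ListAccessKeys output for each IAM user, with the rotation period chosen to match the organisation's own policy.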


Link(s):
https://www.darkreading.com/endpoint-security/cybercrime-gangs-steal-thousands-aws-credentials
https://www.vpnmentor.com/news/shiny-nemesis-report/