According to Unit42, a medium-sized e-commerce company was hit by a cryptojacking attack in which the threat actor ran large-scale crypto-mining and botnet operations inside the company's cloud environment. The attack was first discovered by the cloud provider, which alerted the company to botnet activity. The company did not act on the alert until an IT administrator noticed a spike in the monthly bill.
Initial access to the cloud environment was gained by exploiting an SSRF vulnerability on a misconfigured, publicly exposed web server, combined with the instance's use of IMDSv1 (Instance Metadata Service Version 1). Because IMDSv1 answers a plain GET with no session token, the SSRF was enough to read the VM instance's temporary credentials from the metadata endpoint and exfiltrate them.
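The application-side half of that chain is a URL fetcher that forwards whatever the user supplies. The following is an added example, not code from the Unit42 write-up: a vulnerable fetcher beside a hardened one that refuses the metadata endpoint (IPv4, IPv6 and IPv4-mapped forms) and only fetches from an assumed allowlist of hosts. The hostnames and function names are assumptions made for illustration.

```python
"""SSRF guard for a server-side URL fetcher, refusing the EC2 metadata service.

Added example, not code from the Unit42 write-up. The allowlisted hostnames
and the vulnerable/hardened function pair are assumptions made for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Ranges an SSRF is typically aimed at. 169.254.0.0/16 covers the IMDS IPv4
# endpoint 169.254.169.254; fd00:ec2::254 is the IMDS IPv6 endpoint.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed allowlist of hosts the application legitimately fetches from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def is_blocked_ip_literal(host):
    """True if `host` is an IP literal inside one of BLOCKED_NETWORKS.

    IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254 are unwrapped
    first so they cannot be used to sidestep the IPv4 ranges.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def vulnerable_fetch_target(url):
    """'Before': the user-supplied URL is used as-is. On an instance running
    IMDSv1 a single GET to
    http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
    returns the instance's temporary credentials."""
    return url


def hardened_fetch_target(url):
    """'After': only http(s), no blocked IP literals, only allowlisted hosts.

    Raises ValueError with the reason when the URL is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if is_blocked_ip_literal(host):
        raise ValueError("blocked address: %s" % host)
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowlisted: %s" % host)
    return url


def is_allowed(url):
    """Boolean wrapper around hardened_fetch_target for callers that only
    need a yes/no answer."""
    try:
        hardened_fetch_target(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/banner.png",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", "allowed" if is_allowed(candidate) else "rejected")
```

The allowlist is the real control; the blocklist only catches IP literals and is a second line of defence. The fetcher that consumes the validated URL must also refuse to follow redirects and, for hostnames, resolve once and connect to that resolved address, otherwise a redirect or a DNS-rebinding hostname reaches the metadata service anyway. On the infrastructure side, enforcing IMDSv2 closes the same hole regardless of application bugs, since the PUT that obtains a session token is not something a GET-based SSRF can issue.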
Using the stolen credentials, the threat actor used CloudFormation to deploy the resources needed for the cryptojacking operation. The threat actor also created a backdoor IAM role to retain access in the future.
The threat actor was also able to enumerate the environment and discover hard-coded GitHub credentials, which gave access to the source code repositories of the entire company. Those repositories contained further credentials, which eventually led to privilege escalation.
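Both post-exploitation steps leave a trail in CloudTrail, and both stand out against normal activity: an instance role does not usually create CloudFormation stacks, and a role trust policy does not usually name an account other than your own. The following is an added example, not part of the Unit42 report, that runs two such detections over constructed sample events. The account IDs, role names, source IPs and the events in SAMPLE_EVENTS are made up for illustration; the field names (userIdentity, sessionContext.ec2RoleDelivery, requestParameters.assumeRolePolicyDocument) follow the CloudTrail record format.

```python
"""Two CloudTrail detections: CloudFormation deployments made with credentials
that came from the instance metadata service, and IAM roles whose trust policy
admits another account.

Added example, not from the Unit42 report. Account IDs, role names and the
sample events are constructed; field names follow the CloudTrail record format.
"""
import json

OUR_ACCOUNT = "111111111111"  # assumed victim account ID
WEB_ROLE_ARN = "arn:aws:sts::111111111111:assumed-role/web-instance-role/i-0abc123def456789"


def _trust_doc(principal):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})


SAMPLE_EVENTS = [  # constructed
    # 1) CreateStack with instance-role credentials handed out by IMDSv1
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": WEB_ROLE_ARN,
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "web-instance-role"},
                                         "ec2RoleDelivery": "1.0"}}},  # "1.0" = IMDSv1, "2.0" = IMDSv2
    # 2) Backdoor role trusting an account that is not ours
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": WEB_ROLE_ARN},
     "requestParameters": {"roleName": "svc-maintenance",
                           "assumeRolePolicyDocument": _trust_doc({"AWS": "arn:aws:iam::999999999999:root"})}},
    # 3) Benign: a service role trusting EC2, created by a human admin
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/admin"},
     "requestParameters": {"roleName": "app-role",
                           "assumeRolePolicyDocument": _trust_doc({"Service": "ec2.amazonaws.com"})}},
    # 4) Benign: CreateStack from a CI pipeline's IAM user
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deployer"}},
]


def external_trusted_accounts(policy_json, own_account=OUR_ACCOUNT):
    """Account IDs (or "*") that an Allow statement lets assume the role,
    excluding our own account. Service principals are ignored."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    external = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            # "arn:aws:iam::<account>:root", "arn:aws:iam::<account>:user/x", bare ID or "*"
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != own_account:
                external.add(account)
    return external


def find_findings(events, own_account=OUR_ACCOUNT):
    """Run both rules over a list of CloudTrail records; return findings."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        ctx = ident.get("sessionContext", {})
        src, name = ev.get("eventSource"), ev.get("eventName")

        # Rule 1: infrastructure deployed with credentials that came from IMDS.
        # ec2RoleDelivery is only present for instance-profile sessions.
        if (src == "cloudformation.amazonaws.com"
                and name in ("CreateStack", "CreateStackSet", "UpdateStack")
                and "ec2RoleDelivery" in ctx):
            findings.append({"rule": "cfn_deploy_with_instance_role_creds",
                             "actor": ident.get("arn"),
                             "source_ip": ev.get("sourceIPAddress"),
                             "imds_version": ctx["ec2RoleDelivery"]})

        # Rule 2: a trust policy that admits a foreign account or "*"
        if src == "iam.amazonaws.com" and name in ("CreateRole", "UpdateAssumeRolePolicy"):
            params = ev.get("requestParameters", {})
            doc = params.get("assumeRolePolicyDocument") or params.get("policyDocument")
            foreign = external_trusted_accounts(doc, own_account) if doc else set()
            if foreign:
                findings.append({"rule": "role_trusts_external_account",
                                 "actor": ident.get("arn"),
                                 "role": params.get("roleName"),
                                 "trusted": sorted(foreign)})
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 fires on events 1 only, rule 2 on event 2 only. In the real incident the first rule would also have shown the stolen credentials being used from a source IP that is not the instance's own, which is worth adding as a condition once you know the instance's addresses; the `ec2RoleDelivery` value of `"1.0"` is the direct evidence that IMDSv1 handed the credentials out. Rule 2 should be extended to `AttachRolePolicy`/`PutRolePolicy` on the same role to catch the privilege the backdoor was given.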
The financial impact was that the resources the threat actor deployed cost the company $12,000 a day. Beyond that, the threat actor deployed botnet malware and launched DDoS attacks that originated from the company's environment. This also caused reputational damage, and could eventually lead the provider to suspend the company's account, which would mean even larger disruption.
Key Issues:
- Overly permissive network access to the exploited web server
- Ineffective vulnerability management: the SSRF was a known CVE
- Use of an outdated cloud service: IMDSv1
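The IMDSv1 issue is a per-instance setting and can be audited from the `describe_instances` output. The following is an added example, not from the Unit42 report: it flags instances whose metadata options still allow token-less (IMDSv1) requests, or whose PUT response hop limit lets IMDSv2 tokens reach containers one hop away, and emits the AWS CLI command that fixes each one. The instance IDs and reservation data are constructed; in practice the list comes from boto3's `ec2.describe_instances()["Reservations"]`.

```python
"""Audit of EC2 instance metadata options, flagging instances that still answer
IMDSv1 requests. Added example, not from the Unit42 report. Instance IDs and
the describe_instances-shaped data are constructed.
"""

SAMPLE_RESERVATIONS = [  # constructed; same shape as describe_instances output
    {"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
        {"InstanceId": "i-0ddd444", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]},
]


def audit_metadata_options(reservations):
    """Map instance ID -> list of issue codes. An instance with the metadata
    endpoint disabled cannot serve credentials at all, so it is not flagged."""
    issues = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            found = []
            if opts.get("HttpEndpoint", "enabled") == "enabled":
                # "optional" means a plain GET with no session token is served:
                # exactly the request an SSRF can make.
                if opts.get("HttpTokens", "optional") != "required":
                    found.append("imdsv1_allowed")
                # A hop limit above 1 lets IMDSv2 token responses travel past
                # the instance itself, e.g. into containers; keep it at 1.
                hops = opts.get("HttpPutResponseHopLimit", 1)
                if hops > 1:
                    found.append("hop_limit_%d" % hops)
            if found:
                issues[inst["InstanceId"]] = found
    return issues


def remediation_commands(issues):
    """AWS CLI commands enforcing IMDSv2 (and a hop limit of 1 where it was
    raised) for each flagged instance, in instance-ID order."""
    cmds = []
    for iid in sorted(issues):
        cmd = ("aws ec2 modify-instance-metadata-options --instance-id %s "
               "--http-endpoint enabled --http-tokens required" % iid)
        if any(code.startswith("hop_limit_") for code in issues[iid]):
            cmd += " --http-put-response-hop-limit 1"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    flagged = audit_metadata_options(SAMPLE_RESERVATIONS)
    for iid, codes in flagged.items():
        print(iid, ", ".join(codes))
    print("\n".join(remediation_commands(flagged)))
```

Enforcing `--http-tokens required` is safe for anything that uses a current AWS SDK, which already speaks IMDSv2; the things that break are old SDKs and hand-written scripts that fetch metadata with a bare GET, and those are worth finding before an attacker does. New instances should get the same setting through the launch template or the account-level default so the audit stays empty.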