The threat actor group Bling Libra (behind ShinyHunters ransomware) has been observed infiltrating an organization's Amazon Web Services (AWS) environment, focusing on extortion rather than selling stolen data. Using legitimate credentials sourced from public repositories, the group accessed the AWS environment and conducted reconnaissance operations using tools like S3 Browser and WinSCP. Though limited in permissions, Bling Libra accessed S3 buckets, deleted data, and sent a ransom demand.
Bling Libra gained initial access to the AWS environment through a sensitive file exposed online that contained credentials, including an AWS access key with S3FullAccess permissions. Once inside, the group used AWS API calls, issued through tools such as S3 Browser and WinSCP, to identify accessible S3 buckets and their configurations. These tools leave specific API events in CloudTrail logs, such as ListBuckets and GetObject, which record both the reconnaissance and the file access. Note that ListBuckets is a management event and is logged by every trail, whereas GetObject is an S3 data event that CloudTrail records only when data event logging is enabled on the trail.
The group's actions included discovery attempts against AWS Identity and Access Management (IAM) and S3. Because the key's permissions were limited, the IAM calls failed and no IAM data was obtained. After a period of dormancy, the attackers returned, used WinSCP to view S3 buckets, and deleted a selection of them. Without adequate logging (CloudTrail does not record object-level S3 reads such as GetObject unless data events are enabled), it was impossible to determine the full extent of data exfiltration. Additionally, Bling Libra used automated scripts to create new S3 buckets with mock names.
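The following is an added example, not code from the original write-up, that turns the pattern above (ListBuckets and GetObject from S3 Browser and WinSCP, denied IAM discovery, bucket deletion after a dormant period, and scripted CreateBucket bursts) into detection logic run over constructed CloudTrail-shaped records. The access key IDs are AWS documentation example values, the user-agent substrings, bucket names, timestamps and thresholds are assumptions, and only the record fields the rules read are populated.

```python
"""Hunt CloudTrail records for the S3 recon-then-destroy pattern described above.

Added example with constructed records; nothing here is telemetry from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# User-agent markers for S3 Browser and WinSCP. The exact strings vary by
# version, so treat these substrings as assumptions to tune against your logs.
SUSPECT_USER_AGENTS = ("S3 Browser", "WinSCP")
DESTRUCTIVE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects"}
# Management events (ListBuckets, CreateBucket, DeleteBucket, IAM calls) are
# logged by every trail; GetObject/PutObject are S3 data events and appear only
# when the trail has data-event logging enabled.
DATA_EVENTS = {"GetObject", "PutObject"}
CREATE_BURST_THRESHOLD = 5          # assumption: tune to your environment
CREATE_BURST_WINDOW = timedelta(minutes=10)

S3, IAM = "s3.amazonaws.com", "iam.amazonaws.com"


def _rec(time, name, source, agent, key="AKIAIOSFODNN7EXAMPLE", **extra):
    """Build a minimal CloudTrail-shaped record (only the fields the rules read)."""
    rec = {
        "eventTime": time,
        "eventName": name,
        "eventSource": source,
        "userAgent": agent,
        "userIdentity": {"accessKeyId": key},  # AWS documentation example key IDs
        "requestParameters": {},
    }
    rec.update(extra)
    return rec


# Constructed sample: one key follows the full chain; a second key shows the
# same destruction with no object-level events on record.
SAMPLE_EVENTS = [
    _rec("2024-03-01T10:00:00Z", "ListBuckets", S3, "S3 Browser/11.5.7"),
    _rec("2024-03-01T10:02:00Z", "GetObject", S3, "S3 Browser/11.5.7",
         requestParameters={"bucketName": "corp-backups-prod", "key": "db/export.sql"}),
    _rec("2024-03-01T10:05:00Z", "ListUsers", IAM, "aws-cli/2.15.0", errorCode="AccessDenied"),
    _rec("2024-03-01T10:05:30Z", "GetUser", IAM, "aws-cli/2.15.0", errorCode="AccessDenied"),
    # Dormancy, then the return with a different client.
    _rec("2024-03-04T02:00:00Z", "ListBuckets", S3, "WinSCP/6.3.2"),
    _rec("2024-03-04T02:03:00Z", "DeleteBucket", S3, "WinSCP/6.3.2",
         requestParameters={"bucketName": "corp-backups-prod"}),
    _rec("2024-03-04T02:04:00Z", "DeleteBucket", S3, "WinSCP/6.3.2",
         requestParameters={"bucketName": "corp-logs-archive"}),
    _rec("2024-03-04T03:00:00Z", "ListBuckets", S3, "WinSCP/6.3.2", key="AKIAI44QH8DHBEXAMPLE"),
    _rec("2024-03-04T03:01:00Z", "DeleteBucket", S3, "WinSCP/6.3.2", key="AKIAI44QH8DHBEXAMPLE",
         requestParameters={"bucketName": "corp-media-static"}),
] + [
    # Scripted bucket creation: six CreateBucket calls in six minutes.
    _rec(f"2024-03-04T02:1{i}:00Z", "CreateBucket", S3, "Boto3/1.34.0",
         requestParameters={"bucketName": f"corp-backups-prod-{i}"})
    for i in range(6)
]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return (access_key, rule, detail) findings, evaluated per access key."""
    findings = []
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)

    for key, evs in by_key.items():
        evs.sort(key=_ts)
        names = [e["eventName"] for e in evs]

        # 1. Desktop transfer tooling is unusual for a key meant for a service.
        for ua in sorted({e.get("userAgent", "") for e in evs}):
            if any(marker in ua for marker in SUSPECT_USER_AGENTS):
                findings.append((key, "suspect_tooling", ua))

        # 2. IAM discovery the key's policy did not allow.
        denied = sorted({e["eventName"] for e in evs
                         if e["eventSource"] == IAM and e.get("errorCode") == "AccessDenied"})
        if denied:
            findings.append((key, "iam_discovery_denied", ",".join(denied)))

        if "ListBuckets" in names:
            # 3. Enumeration followed by deletion from the same key.
            deleted = sorted(e["requestParameters"].get("bucketName", "?")
                             for e in evs if e["eventName"] in DESTRUCTIVE_EVENTS)
            if deleted:
                findings.append((key, "destructive_after_recon", ",".join(deleted)))
            # 4. No object-level events at all: either nothing was read, or the
            #    trail is not logging S3 data events and any exfiltration is invisible.
            if not any(n in DATA_EVENTS for n in names):
                findings.append((key, "no_data_events_logged",
                                 "enable S3 data events on the trail"))

        # 5. Burst of CreateBucket calls within a sliding window (scripted activity).
        creates = [_ts(e) for e in evs if e["eventName"] == "CreateBucket"]
        start = 0
        for end in range(len(creates)):
            while creates[end] - creates[start] > CREATE_BURST_WINDOW:
                start += 1
            if end - start + 1 >= CREATE_BURST_THRESHOLD:
                findings.append((key, "bucket_create_burst",
                                 f"{end - start + 1} CreateBucket within {CREATE_BURST_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for key, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{key}  {rule:24s}  {detail}")
```

Rule 4 is the one that matters for scoping an incident like this: a trail without S3 data events will still show ListBuckets, CreateBucket and DeleteBucket, but not a single GetObject, so the absence of read events is not evidence that nothing was read. Feed real records from a CloudTrail export (one JSON object per entry) into `analyze` after mapping them to the same fields.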