According to Unit42, a financial firm was attacked by an adversary that manipulated and compromised its cloud workloads. The threat actor was able to drop storage components such as buckets and tables and threatened to leak the firm's data if a ransom was not paid. The firm eventually refused to pay the ransom; the data was exfiltrated and showed up on the dark web a few months later.
The initial foothold in the cloud environment came from a SIM-swap scam against one of the firm's employees, which gave the adversary access to the victim's email and SCM (source code management) accounts that were linked to the victim's phone number. Access to the SCM disclosed 10 access keys to cloud accounts. One of the access keys had the IAMFullAccess role, which allowed the adversary to create more users and grant himself higher privileges. Using the newly privileged users, the adversary could perform reconnaissance, move laterally in the environment and gather sensitive information.
Key Issues
- Overly permissive identity assigned to the victim end user
- Credential leak in source code repositories
- Insufficient logging
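The chain above (a leaked long-term access key used to mint new IAM users and permissions, then those users deleting buckets and tables) is exactly what the "insufficient logging" item should have surfaced. As an added detection example, not taken from the Unit42 report or the firm, the rule below runs over constructed CloudTrail-style records; the event names are real CloudTrail API names, while the timestamps, key ids and user names are invented sample data.

```python
# Added example: not from the Unit 42 report. Event names are real CloudTrail
# names; the records, key ids and user names below are constructed.
PRIV_GRANT = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
              "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
DESTRUCTIVE = {"DeleteBucket", "DeleteTable"}   # S3 / DynamoDB drops

def is_long_term_key(key_id):
    """Long-term IAM user keys start with AKIA; STS temporary keys with ASIA."""
    return key_id.startswith("AKIA")

def detect(events):
    """Walk records in time order; alert on (1) a long-term access key handing
    out identities or permissions and (2) a user created inside the window
    later deleting storage. Returns (rule, actor, eventName) tuples."""
    alerts, created_users = [], set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        actor = ev["userIdentity"].get("userName", "?")
        key = ev.get("accessKeyId", "")
        if name in PRIV_GRANT and is_long_term_key(key):
            alerts.append(("priv_grant_by_long_term_key", actor, name))
        if name == "CreateUser":
            created_users.add(ev["requestParameters"]["userName"])
        if name in DESTRUCTIVE and actor in created_users:
            alerts.append(("destructive_by_new_user", actor, name))
    return alerts

def ev(t, name, user, key, params=None, typ="IAMUser"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventName": name, "accessKeyId": key,
            "userIdentity": {"type": typ, "userName": user},
            "requestParameters": params or {}}

SAMPLE_EVENTS = [  # the chain from the write-up, plus one benign SSO admin
    ev("2021-03-01T10:00:00Z", "ListUsers", "ci-deploy", "AKIAEXAMPLE000001"),
    ev("2021-03-01T10:02:00Z", "CreateUser", "ci-deploy", "AKIAEXAMPLE000001",
       {"userName": "svc-admin2"}),
    ev("2021-03-01T10:03:00Z", "AttachUserPolicy", "ci-deploy", "AKIAEXAMPLE000001",
       {"userName": "svc-admin2", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("2021-03-01T10:30:00Z", "DescribeInstances", "svc-admin2", "AKIAEXAMPLE000002"),
    ev("2021-03-01T11:00:00Z", "DeleteBucket", "svc-admin2", "AKIAEXAMPLE000002",
       {"bucketName": "prod-backups"}),
    ev("2021-03-01T11:05:00Z", "DeleteTable", "svc-admin2", "AKIAEXAMPLE000002",
       {"tableName": "customers"}),
    ev("2021-03-01T09:00:00Z", "CreateUser", "alice", "ASIAEXAMPLE000003",
       {"userName": "intern-ro"}, typ="AssumedRole"),  # temp SSO creds: not flagged
]
```

Running `detect(SAMPLE_EVENTS)` yields two privilege-grant alerts for `ci-deploy` and two destructive-action alerts for the freshly created `svc-admin2`, while the admin working through a temporary-credential session is left alone.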