Ongoing widespread AWS customer credential theft exposed by open S3 bucket

Amazon Web Services customers had over 2 TB of credentials, source code, and other account secrets across several platforms exfiltrated as part of an ongoing attack campaign believed to be conducted by the ShinyHunters and Nemesis cybercrime operations, which has been exposed by a misconfigured S3 bucket, The Register reports.

Attacks conducted by the threat actors since March involved the exploitation of numerous open-source tools and scripts to discover AWS’s 26.8 million IP addresses, whose domain addresses were later obtained through a Shodan search, an analysis by cybersecurity researchers Noam Rotem and Ran Locar published on vpnMentor showed. Further SSL certificate analysis was then followed by exposed generic endpoint scanning, which facilitated the compromise of AWS customer credentials and other sensitive data. “During our investigation, we found not only the code and software tools used to run the operation, but also some of the stolen data itself, including thousands of keys and secrets. There were also files listing tens of thousands of vulnerable targets all over the world as well as all the necessary information to access their data or use their resources for other purposes,” said researchers. Despite the massive data exposure, AWS has not regarded the development to stem from an issue that requires fixing from its end.