Vincenzo Iozzo
22 Aug, 2024
Deep Dives
A deep dive in the AWS credential leaks reported by Palo Alto Networks

Thousands of credentials were exfiltrated from exposed .env files in the latest large-scale attack uncovered by Palo Alto.

Protecting cloud services and non-human identities spread across many vendors and environments is now table stakes: SlashID can help.


Introduction

Palo Alto Unit 42 discovered a large-scale campaign siphoning API keys and access tokens from exposed .env files, then using the stolen AWS credentials to compromise victims' Amazon Web Services (AWS) environments. The attacker appeared financially motivated and ultimately tried to extort victims, deleting objects from their S3 buckets and demanding a ransom.

Attacks like this one are increasingly common and confirm once again that stolen credentials are now among the most common initial-access vectors.

Palo Alto covered the campaign in detail in their report; in this post we focus on the identity component of the attack and on how an identity protection framework can keep your data safe.

SlashID can help detect and remediate these attacks before the attacker has a chance to break out and cause damage.

Some Stats

Palo Alto found over 90,000 unique environment variables in the exposed .env files, a subset of which held access keys or IAM credentials. Broken down by cloud and SaaS platform, the largest groups were:

  • 1185 AWS access keys
  • 333 PayPal OAuth 2.0 credentials
  • 235 GitHub credentials
  • 111 HubSpot API keys
  • 39 Slack webhooks
  • 27 DigitalOcean tokens

Identity Anatomy of the Attack

Step 1: Initial Recon and Target Discovery

The attacker performed the initial large-scale .env file recon over Tor, using extensive automation to probe over 230 million unique targets. Once credentials were in hand, the threat actor switched to virtual private networks (VPNs) and virtual private servers (VPSs) for lateral movement and the later stages of the campaign.

After pulling variables and credentials from the .env files, the attacker called several well-known AWS APIs to learn about the environment and to pick targets; in particular:

  1. GetCallerIdentity (STS), which confirms that a stolen key still works and reveals the account ID and the principal's ARN
  2. ListUsers (IAM), which enumerates the IAM users in the account
  3. ListBuckets (S3), which enumerates the S3 buckets the key is allowed to list

Step 2: Privilege Escalation

After the discovery phase, the attacker used the CreateRole API to create a new IAM role named lambda-ex, then attached the AWS-managed AdministratorAccess policy to it with an AttachRolePolicy call, giving the role access to every resource in the AWS account. Note that this step only works because the leaked credential itself was permitted to call CreateRole and AttachRolePolicy; restricting which identities can do so is the prevention lever discussed below.

Step 3: Code Execution

The attacker tried several ways to stand up the infrastructure needed to run malicious code, failing with EC2 but ultimately succeeding in creating multiple Lambda functions. Those functions, running under the newly created lambda-ex role, were then used to scan the internet for more unprotected .env files, so that each compromised account fed the next round of the campaign.

Detection, Response, and Prevention

Detection

Writing detection queries is a tricky art because distinguishing signal from noise is often not trivial.

We believe an identity-first approach is the easiest path to detection. Unit 42's research showed that Tor was used for the initial recon and target discovery. While noisy, looking for GetCallerIdentity and ListUsers from known-bad or suspicious IP addresses (Tor exit nodes, for example) could have flagged the attack early on.

The privilege escalation step is one of the higher-signal operations in the chain: CreateRole followed by AttachRolePolicy with AdministratorAccess as the selected policy. Coupled with appropriate identity posture management (knowing which identities are expected to create roles and attach managed policies at all), this sequence of API calls makes for a solid, high-quality detection.
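As an added example (not SlashID product code and not taken from the Unit 42 report), the two detections above expressed in Python over CloudTrail-shaped records. The records, principals, access key IDs and the suspicious-IP list are constructed for illustration; in production the events would come from a CloudTrail log group or a SIEM and the IP list from a Tor exit-node or threat-intel feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
RECON_EVENTS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ESCALATION_WINDOW = timedelta(hours=1)

# Constructed stand-in for a Tor exit-node or threat-intel feed (hypothetical IP).
SUSPICIOUS_IPS = {"198.51.100.23"}

# Constructed principals and key IDs; the account number is a placeholder.
LEAKED = "arn:aws:iam::123456789012:user/ci-deploy"
LEAKED_KEY = "AKIAEXAMPLELEAKED00"
ADMIN = "arn:aws:iam::123456789012:user/platform-admin"
ADMIN_KEY = "AKIAEXAMPLEADMIN000"


def _ev(time, source, name, ip, arn, key, **params):
    """Build a CloudTrail-shaped record with only the fields the detections read."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key},
        "requestParameters": params or None,
    }


SAMPLE_EVENTS = [
    # Recon over Tor with the leaked key.
    _ev("2024-08-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.23", LEAKED, LEAKED_KEY),
    _ev("2024-08-01T10:00:05Z", "iam.amazonaws.com", "ListUsers", "198.51.100.23", LEAKED, LEAKED_KEY),
    # Same key, now from a VPN address that is not on the list.
    _ev("2024-08-01T10:00:09Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.7", LEAKED, LEAKED_KEY),
    # Privilege escalation: new role, then AdministratorAccess attached to it.
    _ev("2024-08-01T10:05:00Z", "iam.amazonaws.com", "CreateRole", "203.0.113.7", LEAKED, LEAKED_KEY,
        roleName="lambda-ex"),
    _ev("2024-08-01T10:06:30Z", "iam.amazonaws.com", "AttachRolePolicy", "203.0.113.7", LEAKED, LEAKED_KEY,
        roleName="lambda-ex", policyArn=ADMIN_POLICY_ARN),
    # Routine admin work that must not fire.
    _ev("2024-08-01T11:00:00Z", "iam.amazonaws.com", "CreateRole", "192.0.2.10", ADMIN, ADMIN_KEY,
        roleName="app-role"),
    _ev("2024-08-01T11:01:00Z", "iam.amazonaws.com", "AttachRolePolicy", "192.0.2.10", ADMIN, ADMIN_KEY,
        roleName="app-role", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_recon_from_suspicious_ip(events, suspicious_ips=SUSPICIOUS_IPS):
    """Enumeration calls (STS/IAM/S3) from an address on the suspicious list.

    Noisy on its own; the accessKeyId in each finding is what a responder rotates.
    """
    return [
        {
            "rule": "recon_from_suspicious_ip",
            "eventName": e["eventName"],
            "sourceIPAddress": e["sourceIPAddress"],
            "principal": e["userIdentity"]["arn"],
            "accessKeyId": e["userIdentity"]["accessKeyId"],
        }
        for e in events
        if e["eventName"] in RECON_EVENTS and e["sourceIPAddress"] in suspicious_ips
    ]


def detect_admin_policy_attach(events, window=ESCALATION_WINDOW):
    """AttachRolePolicy with AdministratorAccess. Severity is high when the same
    principal created that role within `window` (the chain seen in this campaign),
    medium otherwise, so a bare attach to an existing role is still reviewed."""
    created = defaultdict(dict)  # principal ARN -> role name -> CreateRole time
    findings = []
    for e in sorted(events, key=_ts):
        if e["eventSource"] != "iam.amazonaws.com":
            continue
        principal = e["userIdentity"]["arn"]
        params = e["requestParameters"] or {}
        if e["eventName"] == "CreateRole":
            created[principal][params.get("roleName")] = _ts(e)
        elif e["eventName"] == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            role = params.get("roleName")
            t_create = created[principal].get(role)
            chained = t_create is not None and _ts(e) - t_create <= window
            findings.append({
                "rule": "admin_policy_attached",
                "severity": "high" if chained else "medium",
                "principal": principal,
                "roleName": role,
                "sourceIPAddress": e["sourceIPAddress"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_recon_from_suspicious_ip(SAMPLE_EVENTS) + detect_admin_policy_attach(SAMPLE_EVENTS):
        print(f)
```

On the sample, the recon rule fires twice (GetCallerIdentity and ListUsers from the Tor address, not the later ListBuckets from the VPN) and the escalation rule fires once, at high severity, for lambda-ex; the admin's ReadOnlyAccess attach is silent. The escalation rule deliberately also fires, at medium severity, when AdministratorAccess lands on a role the principal did not just create, since a stolen key can reuse an existing role. It does not cover inline policies (PutRolePolicy) or other escalation paths, which deserve rules of their own.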

Response

Prompt remediation is key to stopping attackers from breaking out and, in this case, destroying the contents of S3 buckets for ransom. The blast radius could have been reduced by:

  1. Rotating credentials on detection of GetCallerIdentity or ListUsers API calls from known-bad or suspicious IP addresses;
  2. Flagging or suspending the newly-created role based on the highly privileged policy requested.

Prevention

As Palo Alto highlighted in their article, good hygiene goes a long way to preventing these kinds of attacks. Organizations can deploy several countermeasures early on to reduce the risk of a breach and reduce the blast radius if a breach happens:

  1. Avoid using long-lived credentials (a static access key sitting in a .env file is exactly what this campaign harvested)
  2. Adopt least privilege and limit the number of identities that can escalate privileges (e.g., that can call CreateRole or AttachRolePolicy)
  3. Keep .env files out of web-served directories, since the campaign started by fetching them from exposed hosts
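To limit the identities that can escalate, one first has to find them, which means evaluating their IAM policy documents. The following is an added example (not SlashID's implementation) of a conservative policy check in Python: it reports which escalation-capable IAM actions a policy grants, honouring action wildcards, NotAction and unconditional Denies. The ESCALATION_ACTIONS list, the sample policies and the simplifications around Condition and Resource are assumptions of this example; it is an upper-bound check, not a complete IAM evaluator.

```python
import fnmatch

# IAM actions that let a principal grant itself, or a role it controls, more
# permissions. The campaign used the first two. Not exhaustive (assumption).
ESCALATION_ACTIONS = (
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy",
)


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """Whether the statement's Action/NotAction element applies to `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def escalation_actions_allowed(policy):
    """Escalation-capable actions this policy document permits.

    Deliberately conservative: an explicit Deny without a Condition blocks the
    action; a Deny with a Condition is treated as not blocking (it may not
    apply); an Allow with a Condition still counts. Resource scoping is not
    evaluated, so the result is an upper bound on what the principal can do.
    """
    statements = _as_list(policy.get("Statement"))
    allowed = []
    for action in ESCALATION_ACTIONS:
        denied = any(s.get("Effect") == "Deny" and "Condition" not in s
                     and _statement_covers(s, action) for s in statements)
        granted = any(s.get("Effect") == "Allow" and _statement_covers(s, action)
                      for s in statements)
        if granted and not denied:
            allowed.append(action)
    return allowed


def audit_policies(policies):
    """Map each named policy document to the escalation actions it allows."""
    return {name: escalation_actions_allowed(doc) for name, doc in policies.items()}


# Constructed sample policies, one per shape a reviewer typically meets.
SAMPLE_POLICIES = {
    "dev-broad": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    "least-privilege": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:ListRoles", "lambda:CreateFunction"],
         "Resource": "*"}]},
    "deny-guarded": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy",
                    "iam:AttachUserPolicy", "iam:PutUserPolicy"]}]},
    "notaction-allow": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
}


if __name__ == "__main__":
    for name, actions in audit_policies(SAMPLE_POLICIES).items():
        print(name + ": " + (", ".join(actions) if actions else "no escalation path"))
```

Run over the samples, "dev-broad" can reach every listed action, "least-privilege" and "notaction-allow" none, and "deny-guarded" still keeps CreateRole and UpdateAssumeRolePolicy because its Deny only covers policy attachment. An identity that lands in the first or last group is a candidate for the posture findings described above, and the same check can be run over the policies attached to any role an alert names, including one created minutes earlier.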

How SlashID Helps

SlashID Identity Protection can detect and respond to these identity-based attacks by running automatic remediation workflows following a detection trigger. For instance, you can automatically rotate credentials if they are used by a malicious IP address or suspend and delete an identity if it is created with high privileges.

Finally, SlashID helps enforce least privilege by detecting over-privileged identities that could be abused for privilege escalation.

Contact us to schedule a free Identity Protection assessment and understand how SlashID can help secure your environment.
