Introduction
Palo Alto Unit 42 discovered a large-scale campaign siphoning API keys and access tokens from exposed .env files in Amazon Web Services (AWS) domains. The attacker seemed financially motivated and ultimately tried to ransom victims by deleting objects from their S3 buckets.
These attacks are becoming increasingly prevalent and prove once again that stolen credentials are today the most common attack vector for initial access.
Palo Alto wrote about the breach in detail; in this blog post we focus on the identity component of the attack and on how an identity protection framework can keep your data safe.
SlashID can help detect and remediate these attacks before the attacker has a chance to break out and cause damage.
Some Stats
Palo Alto discovered over 90,000 unique environment variables leaked through exposed files, which contained access keys or IAM credentials. Of these, the top cloud and SaaS platforms identified were:
- 1185 AWS access keys
- 333 Paypal Oauth 2.0 credentials
- 235 GitHub credentials
- 111 HubSpot API keys
- 39 Slack webhooks
- 27 Digital Ocean tokens
Identity Anatomy of the Attack
Step 1: Initial Recon and Target Discovery
The attacker used Tor to perform the initial large-scale .env file recon, relying on extensive automation techniques to probe over 230 million unique targets. Once the credentials were obtained, the threat actor relied on virtual private networks (VPNs) and virtual private servers (VPSs) for lateral movement and the further steps of the attack campaign.
After stealing variables and credentials from the .env files, the attacker exploited several well-known AWS APIs to learn more about the environment and to identify targets to exploit; in particular:
- GetCallerIdentity
- ListUsers
- ListBuckets
Step 2: Privilege Escalation
After the target discovery phase, the attacker used the CreateRole API to create a new IAM role named lambda-ex. Then, they were able to attach to it the AWS-managed AdministratorAccess policy with an AttachRolePolicy API call, thus granting access to all resources within the AWS account.
Step 3: Code Execution
The attacker tried several methods to create the infrastructure stack needed to execute malicious code, failing with EC2 but ultimately succeeding in creating multiple Lambda functions with AWS Lambda. The Lambda functions, attached to the newly created lambda-ex IAM role, were then used to perform internet-wide scanning looking for more unprotected .env files.
Detection, Response, and Prevention
Detection
Writing detection queries is a tricky art because distinguishing signal from noise is often not trivial.
We believe that an identity-first approach is the easiest path to detection. In particular, the Unit 42 research showed that Tor was used to perform the initial recon and target discovery. While noisy, looking for GetCallerIdentity and ListUsers in combination with known-bad or suspicious IP addresses could have helped detect the attack early on.
The privilege escalation step is one of the higher-signal operations in the chain: the attacker combined CreateRole with AttachRolePolicy, selecting AdministratorAccess as the policy. Coupled with appropriate identity posture management, this set of API calls makes for a solid, high-quality detection.
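The two detections described above, run over a handful of CloudTrail-style records, as an added example that is not part of the original post or of any SlashID product code. The event records and the suspicious-IP list are constructed for illustration; real deployments would read CloudTrail from S3 or CloudWatch Logs and source the IP list from a threat-intelligence or Tor exit-node feed.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail-style records (not real telemetry), trimmed to
# the fields the two detections below need.
EVENTS = [
    {"eventTime": "2024-08-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
    {"eventTime": "2024-08-01T10:00:05Z", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
    {"eventTime": "2024-08-01T10:01:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.0.12", "requestParameters": None},
    {"eventTime": "2024-08-01T10:05:00Z", "eventName": "CreateRole",
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"roleName": "lambda-ex"}},
    {"eventTime": "2024-08-01T10:05:30Z", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"roleName": "lambda-ex",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

# Assumed known-bad/suspicious source IPs (e.g. from a Tor exit-node feed).
SUSPICIOUS_IPS = {"198.51.100.7"}
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_recon(events, suspicious_ips):
    """Rule 1: enumeration calls from a suspicious IP. Returns (ip, eventName) pairs."""
    return [(e["sourceIPAddress"], e["eventName"]) for e in events
            if e["eventName"] in RECON_CALLS and e["sourceIPAddress"] in suspicious_ips]

def detect_admin_role_escalation(events, window=timedelta(minutes=10)):
    """Rule 2: CreateRole followed by AttachRolePolicy granting AdministratorAccess
    to the same role within `window`. Returns the names of the flagged roles."""
    created = {}  # roleName -> creation time
    flagged = []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        params = e.get("requestParameters") or {}
        if e["eventName"] == "CreateRole":
            created[params["roleName"]] = parse_time(e["eventTime"])
        elif (e["eventName"] == "AttachRolePolicy"
              and params.get("policyArn") == ADMIN_POLICY
              and params.get("roleName") in created
              and parse_time(e["eventTime"]) - created[params["roleName"]] <= window):
            flagged.append(params["roleName"])
    return flagged

if __name__ == "__main__":
    print(detect_recon(EVENTS, SUSPICIOUS_IPS))       # recon from the Tor-like IP
    print(detect_admin_role_escalation(EVENTS))       # ['lambda-ex']
```

Rule 1 is intentionally noisy on its own, which is why the sample ListBuckets call from an internal address is not flagged; Rule 2 is the high-signal correlation and is a reasonable trigger for the automatic response discussed next.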
Response
Prompt remediation is key to preventing attackers from breaking out and, in this case, destroying the content of S3 buckets for ransom. The blast radius could have been reduced by:
- Rotating credentials on detection of GetCallerIdentity or ListUsers API calls from known-bad or suspicious IP addresses;
- Flagging or suspending the newly-created role based on the highly privileged policy requested.
Prevention
As Palo Alto highlighted in their article, good hygiene goes a long way to preventing these kinds of attacks. Organizations can deploy several countermeasures early on to reduce the risk of a breach and reduce the blast radius if a breach happens:
- Avoid using long-lived credentials
- Adopt least privilege and limit the number of identities that can escalate privileges (e.g., that can call AttachRolePolicy)
How SlashID Helps
SlashID Identity Protection can detect and respond to these identity-based attacks by running automatic remediation workflows following a detection trigger. For instance, you can automatically rotate credentials if they are used by a malicious IP address or suspend and delete an identity if it is created with high privileges.
Lastly, SlashID can help enforce least privilege by detecting over-privileged identities that could be exploited by privilege escalation techniques.
Contact us to schedule a free Identity Protection assessment and understand how SlashID can help secure your environment.