AWS-related security incidents

These incidents illustrate the importance of proper security management in the cloud.

  1. Capital One Data Breach (2019): One of the most notorious incidents involved Capital One, where an attacker gained access to more than 100 million customer records stored in AWS. The attack exploited a misconfigured Web Application Firewall (WAF) in AWS, which allowed the attacker to obtain credentials with broad permissions. This incident underscores the importance of secure configuration and the principle of least privilege.

  2. Imperva Data Breach (2019): Imperva, a cybersecurity company, suffered a breach that exposed customer data due to an incorrect AWS S3 configuration. The breach affected data belonging to customers of Imperva's Cloud Web Application Firewall (WAF), formerly known as Incapsula. This incident highlights the risks of not following the recommended practices for securing S3 buckets.

  3. Verizon Data Exposure (2017): A Verizon data exposure occurred when a misconfigured, publicly accessible AWS S3 bucket exposed approximately 6 million customer records. Although the data was not stolen by cybercriminals, the incident showed that adequate visibility and control over cloud service configurations are crucial for data security.

These incidents highlight different aspects of cloud security and the importance of following security best practices, such as properly securing configurations, applying the principle of least privilege, and conducting regular security audits and reviews. AWS provides tools and documentation to help with security management, but organizations must also take proactive measures to protect their cloud resources.

We recommend keeping up to date with the following resource:

| Name | Date | Root Cause | Escalation Vector(s) | Impact |
|---|---|---|---|---|
| Uber | 2014, May | GitHub Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver's licenses, from S3-hosted database prunes |
| Code Spaces | 2014, June | AWS Console credentials (phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots |
| BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Stole user data and emailed users |
| DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 snapshots copied to attacker AWS accounts | Tableau and Vertica queries |
| DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and a subset of S3 buckets |
| Uber | 2016, October | ~13 hacked Uber credentials purchased from a forum gave access to a private GitHub repo with AWS credentials | N/A | Names and driver's license numbers of 600k drivers, PII of 57 million users in an unencrypted manual backup |
| Lynda.com | 2016, December | Private GitHub repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion |
| OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) |
| Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking |
| DXC Technologies | 2017, November | Private AWS key exposed via GitHub | 244 EC2 instances started | Cryptomining |
| Drizly | 2018 | AWS credentials committed to public GitHub repo | N/A | Cryptojacking |
| LA Times | 2018, February | S3 global write access | N/A | Cryptojacking |
| Tesla | 2018, February | Globally exposed Kubernetes console, pod with AWS credentials | N/A | Cryptojacking |
| Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) |
| imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data |
| Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers |
| Capital One | 2019, April | "Misconfigured WAF" that allowed for an SSRF attack | Over-privileged EC2 role | 100 million credit applications |
| JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking |
| Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records |
| Imperva | 2019, October | "Internal compute instance" globally accessible, "contained" AWS API key | N/A | RDS snapshot stolen |
| Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data |
| Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database |
| First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption |
| Live Auctioneers | 2020, July | Compromised third-party software granting access to cloud environment | N/A | User database, including MD5-hashed credentials |
| Twilio | 2020, July | S3 global write access | N/A | Magecart |
| Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A |
| Drizly | 2020, July | Inactive GitHub account compromised via reused password, granting access to AWS credentials in source code | N/A | RDS instance with 2.5 million users' data exfiltrated |
| Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner |
| Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database |
| Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances |
| Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers |
| 20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed, then deleted |
| Sendtech | 2021, February | (Current or former employee) compromised credentials | Created additional admin account | Accessed customer data in S3 |
| LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen |
| Ubiquiti | 2021, April | Compromised credentials from IT employee's LastPass (alleged former employee insider threat) | N/A | Root administrator access to all AWS accounts, extortion |
| Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining |
| redoorz.com | 2021, September | Access key leaked via APK | N/A | Customer database stolen |
| HPE Aruba | 2021, October | Unknown exposure of access key | N/A | Potential access to network telemetry and contact trace data |
| Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks |
| Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess credentials (and DB credentials) in Cyclos config | 2 million ONUS users' information, including EKYC data, personal information, and password hashes, was leaked |
| Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords |
| npm | 2022, April | Third-party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users' data (from 2015) |
| Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A |
| LastPass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM user) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database |
| Teqtivity (Uber vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information |
| CommuteAir | 2023, January | Publicly exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List |
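Publicly readable buckets (the Verizon exposure above) and "S3 global write access" (the LA Times and Twilio rows) are the same misconfiguration class, and both are visible in a bucket's ACL and policy documents. The following audit logic is an added example, not code from the original page: it evaluates GetBucketAcl-style and bucket-policy dicts offline, and the sample documents it runs against are constructed.

```python
# Added example: audit S3 ACL and bucket-policy documents for public access. Sample documents are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account at all: public
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # ACL permissions that let the grantee modify the bucket

def _as_list(value):  # policy fields may be a scalar or a list
    return value if isinstance(value, list) else [value]

def _is_write_action(action):
    return action in ("*", "s3:*") or action.split(":", 1)[-1].startswith(("Put", "Delete"))

def audit_acl(acl):  # acl: a GetBucketAcl-style dict
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):  # grant to one of the two global groups
            findings.append({"source": "acl", "who": uri.rsplit("/", 1)[-1], "perm": grant["Permission"],
                             "level": "write" if grant["Permission"] in ACL_WRITE else "read"})
    return findings

def audit_policy(policy):  # policy: a bucket policy dict; flags Allow statements with principal '*'
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(aws):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # A Condition (e.g. aws:SourceVpce) may narrow the wildcard; still report it for review
            findings.append({"source": "policy", "who": "*", "perm": action, "conditional": "Condition" in stmt,
                             "level": "write" if _is_write_action(action) else "read"})
    return findings

def audit_bucket(name, acl, policy=None):  # public write (anyone can upload/replace objects) outranks public read
    findings = audit_acl(acl) + (audit_policy(policy) if policy else [])
    severity = "CRITICAL" if any(f["level"] == "write" for f in findings) else "HIGH" if findings else "OK"
    return {"bucket": name, "severity": severity, "findings": findings}

# Constructed samples: a global-write ACL, a public-read policy, and a bucket scoped to one role
OWNER = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
SAMPLES = {
    "global-write": ({"Grants": OWNER + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}, None),
    "public-read": ({"Grants": OWNER}, {"Statement": [{"Effect": "Allow", "Principal": "*",
                     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-read/*"}]}),
    "private": ({"Grants": OWNER}, {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                 "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::private/*"}]}),
}

def audit_samples():  # bucket name -> severity, e.g. {'global-write': 'CRITICAL', 'public-read': 'HIGH', 'private': 'OK'}
    return {name: audit_bucket(name, acl, policy)["severity"] for name, (acl, policy) in SAMPLES.items()}
```

In a real account the two input dicts come from the S3 GetBucketAcl and GetBucketPolicy API responses; account-level Block Public Access settings, which this check does not consult, can override both.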
