AWS-related security incidents
Last updated
These incidents illustrate the importance of proper security management in the cloud.
Capital One data breach (2019): One of the most notorious incidents involved Capital One, where an attacker accessed more than 100 million customer records (credit card applications) stored on AWS. The entry point was a misconfigured Web Application Firewall (WAF) running on an EC2 instance: a server-side request forgery (SSRF) through the WAF reached the instance metadata service, which returned the temporary credentials of the instance's IAM role. That role had far broader permissions than the WAF needed, so the stolen credentials let the attacker list and download S3 buckets from outside AWS. The incident underlines the importance of secure configuration and of the principle of least privilege.
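The detection a practitioner would want for the pattern just described is shown below as an added example; it is not code from the original page or from Capital One. Credentials issued to an EC2 instance profile carry the instance ID as the STS session name, so any CloudTrail event from such a session whose sourceIPAddress is not one of our own addresses means the role's credentials have left the instance. The CloudTrail records, account ID, role name and address ranges are constructed for the example.

```python
"""Flag EC2 instance-role credentials being used from off the instance.

Added example (not code from the original page). The SSRF-to-metadata-service
pattern hands an attacker the instance role's temporary credentials, which are
then used from the attacker's own machine. Credentials issued to an instance
profile carry the instance ID as the STS session name, so a CloudTrail event
from such a session whose sourceIPAddress is outside our VPC (and outside our
NAT egress address) is a strong signal. Records, account ID, role name and
address ranges below are constructed for this example.
"""
import ipaddress
import re

# Assumption: our VPC range plus the NAT gateway's elastic IP. Calls to a public
# AWS endpoint from an instance leave the NAT address in CloudTrail, not the
# private address; with a VPC endpoint the private address is recorded.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("192.0.2.10/32"),  # NAT gateway EIP (constructed)
]

# STS session ARN for instance-profile credentials: .../assumed-role/<role>/<instance-id>
INSTANCE_SESSION = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$"
)


def is_internal(source_ip, allowed=ALLOWED_SOURCES):
    """True when the call came from inside our network. CloudTrail records a
    service name (e.g. 'autoscaling.amazonaws.com') instead of an address when
    AWS itself acted on the role's behalf; those are not client addresses."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in allowed)


def find_offbox_role_use(records, allowed=ALLOWED_SOURCES):
    """Return (session_arn, source_ip, event_name) for every API call made with
    instance-role credentials from an address that is not ours."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        if not INSTANCE_SESSION.match(ident.get("arn", "")):
            continue
        ip = rec.get("sourceIPAddress", "")
        if not is_internal(ip, allowed):
            findings.append((ident["arn"], ip, rec["eventName"]))
    return findings


WAF_ROLE = "arn:aws:sts::123456789012:assumed-role/waf-instance-role/i-0a1b2c3d4e5f67890"

# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-22T16:02:11Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.12.34",            # from the instance via a VPC endpoint
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventTime": "2019-03-22T16:03:50Z", "eventName": "PutObject",
     "sourceIPAddress": "192.0.2.10",            # from the instance via the NAT gateway
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventTime": "2019-03-22T16:05:40Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",          # same credentials, attacker's machine
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventTime": "2019-03-22T16:06:02Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": WAF_ROLE}},
    {"eventTime": "2019-03-22T16:07:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "autoscaling.amazonaws.com",   # AWS acting for a service role
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling"}},
    {"eventTime": "2019-03-22T16:08:13Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.9",           # an IAM user, out of scope for this check
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for arn, ip, event in find_offbox_role_use(SAMPLE_EVENTS):
        print(f"ALERT {event} by {arn.rsplit('/', 1)[1]} from {ip}")
```

Run against the sample, the two calls from 198.51.100.7 are reported and the rest are not. GuardDuty's managed finding for the same signal is InstanceCredentialExfiltration; the preventive controls are requiring IMDSv2 on the instance (role policies can insist on it with the `ec2:RoleDelivery` condition key set to 2.0) and, where the workload allows it, pinning the role to its network with the `aws:EC2InstanceSourceVPC` condition key, so that credentials copied off the box stop working entirely.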
Imperva data breach (2019): Imperva, a cybersecurity company, suffered a breach that exposed customer data of its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula. An internal compute instance had been left reachable from the internet, and it held an AWS API key; with that key the attacker obtained a snapshot of an RDS database (see the table entry below). The incident highlights the risk of exposing internal instances and of leaving long-lived AWS API keys on them.
Verizon data exposure (2017): A misconfigured, publicly accessible AWS S3 bucket, operated by a third-party vendor on Verizon's behalf, exposed roughly 6 million customer records. Although there was no indication that the data was taken by criminals, the incident showed how visibility into, and control over, the configuration of cloud services is crucial for data security.
These incidents highlight different aspects of cloud security and the importance of following security best practices: securing configurations, applying the principle of least privilege, and carrying out security audits and reviews regularly. AWS provides tooling and documentation to help with security management, but organizations must also take proactive steps to protect their cloud resources.
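As an added example (not code from the page or from any company named on it), the following offline auditor checks the two policy patterns behind the incidents above: an S3 bucket policy open to anonymous callers, and an identity policy so broad that a single leaked or stolen credential reaches every bucket in the account. It evaluates policy documents as JSON, so it can be run over an export of policies without AWS access. The policy documents, bucket names and role names are constructed for the example.

```python
"""Offline audit of S3 bucket policies and IAM identity policies.

Added example, not part of the original page. Two misconfiguration classes:
  1. a bucket policy that lets anonymous callers read or, worse, write;
  2. an Allow statement with a service-wide (or global) action wildcard on
     Resource "*", which turns any leaked credential into full account access.
The policies, bucket names and role names below are constructed.
"""
import fnmatch
import json

# Actions that let an anonymous caller read or modify bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:putbucketpolicy"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """'*' and {"AWS": "*"} both mean every account and unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covers(patterns, action_set):
    """Does any policy action (including wildcards such as s3:* or s3:Put*)
    cover an action in action_set? IAM action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(a, pat.lower()) for pat in patterns for a in action_set)


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def audit_bucket_policy(policy):
    """Findings for Allow statements that grant anonymous read or write.
    A Condition may narrow the grant, so those are labelled separately."""
    findings = []
    for i, stmt in enumerate(_as_list(_load(policy).get("Statement"))):
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        suffix = " (conditional)" if stmt.get("Condition") else ""
        if _covers(actions, WRITE_ACTIONS):
            findings.append(f"statement {i}: anonymous WRITE{suffix}")
        elif _covers(actions, READ_ACTIONS):
            findings.append(f"statement {i}: anonymous READ{suffix}")
    return findings


def audit_identity_policy(policy):
    """Findings for Allow statements that combine Resource "*" with a global
    ("*") or service-wide ("s3:*", "iam:*", ...) action wildcard. NotAction on
    Resource "*" is reported too, since it grants everything not listed."""
    findings = []
    for i, stmt in enumerate(_as_list(_load(policy).get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: {actions} on all resources")
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction on all resources (review manually)")
    return findings


PUBLIC_WRITE_BUCKET = {  # constructed: the "S3 global write access" pattern
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-assets/*"}]}

HARDENED_BUCKET = {  # constructed: same bucket, anonymous read over TLS only, no write
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

OVERPRIVILEGED_ROLE = {  # constructed: an instance role that can read every bucket in the account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

SCOPED_ROLE = {  # constructed: the same workload, limited to its own bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::waf-logs-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in [("public-write", PUBLIC_WRITE_BUCKET), ("hardened", HARDENED_BUCKET)]:
        print(name, audit_bucket_policy(doc))
    for name, doc in [("over-privileged", OVERPRIVILEGED_ROLE), ("scoped", SCOPED_ROLE)]:
        print(name, audit_identity_policy(doc))
```

Bucket policies are only one of the ways a bucket becomes public: bucket and object ACLs can do the same, so in practice this check belongs next to S3 Block Public Access (which overrides both) rather than in place of it. The identity check is deliberately coarse; a statement like `s3:*` on a single bucket ARN passes it, which is exactly the scoping the Capital One role lacked.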
We recommend keeping up to date with the following resource, a running list of AWS customer security incidents (target, date, initial access, escalation, impact):
| Target | Date | Initial Access | Escalation | Impact |
|---|---|---|---|---|
| Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver's licenses from S3 hosted database prunes |
| Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots |
| BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users |
| DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries |
| DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets |
| Uber | 2016, October | ~13 hacked Uber credentials purchased from a forum gave access to private Github Repo with AWS credentials | N/A | Names and driver's license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup |
| Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion |
| OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) |
| Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking |
| DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instances started | Cryptomining |
| Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking |
| LA Times | 2018, February | S3 global write access | N/A | Cryptojacking |
| Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking |
| Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) |
| imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data |
| Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers |
| Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications |
| JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking |
| Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records |
| Imperva | 2019, October | "Internal compute instance" globally accessible, "contained" AWS API key | N/A | RDS snapshot stolen |
| Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data |
| Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database |
| First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption |
| Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials |
| Twilio | 2020, July | S3 global write access | N/A | Magecart (hosted JavaScript SDK modified) |
| Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A |
| Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users' data exfiltrated |
| Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner |
| Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database |
| Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances |
| Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers |
| 20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted |
| Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 |
| LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen |
| Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | Root administrator access to all AWS accounts, extortion |
| Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining |
| redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen |
| HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data |
| Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks |
| Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users' information including EKYC data, personal information, and password hash was leaked |
| Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords |
| npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users' data (from 2015) |
| Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A |
| Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM User) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database |
| Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information |
| CommuteAir | 2023, January | Publicly exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List |