Security incidents related to AWS
Last updated
These incidents illustrate the importance of proper security management in the cloud.
Capital One Data Breach (2019): One of the most notorious incidents involved Capital One, where an attacker managed to access more than 100 million customer records stored in AWS. The attack exploited a misconfigured Web Application Firewall (WAF) in AWS, which allowed the attacker to obtain credentials with broad permissions. This incident underlines the importance of secure configuration and the principle of least privilege.
Imperva Data Breach (2019): Imperva, a cybersecurity company, suffered a breach that exposed customer data because of an incorrect AWS S3 configuration. The breach affected data belonging to customers of Imperva's Cloud Web Application Firewall (WAF), formerly known as Incapsula. This incident highlights the risks of not following the recommended practices for S3 bucket security.
Verizon Data Exposure (2017): A Verizon data exposure occurred when a misconfigured, publicly accessible AWS S3 bucket exposed approximately 6 million customer records. Although the data was not stolen by cybercriminals, the incident showed how proper visibility and control over cloud service configurations are crucial to data security.
These incidents highlight different aspects of cloud security and the importance of following security best practices, such as properly securing configurations, applying the principle of least privilege, and carrying out regular security audits and reviews. AWS provides tools and documentation to help with security management, but organizations must also take proactive measures to protect their cloud resources.
We recommend keeping up to date with the following resource:
Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver’s licenses from S3 hosted database prunes | |
Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | |
BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | |
DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | |
DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | |
Uber | 2016, October | ~13 Hacked Uber credentials purchased for forum gave access to private Github Repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup | |
Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | |
OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | |
Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | |
DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instances started | Cryptomining | |
Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking | |
LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | |
Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | |
Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) | |
imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | |
Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | |
Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | |
JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | |
Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | |
Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | |
Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | |
Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | |
First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption | |
Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | |
Twilio | 2020, July | S3 global write access | N/A | Magecart2 | |
Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | |
Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users data exfiltrated | |
Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | |
Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | |
Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | |
Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | |
20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | |
Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | |
LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | |
Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | |
Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | |
redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | |
HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | |
Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | |
Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | |
Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | |
npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users data (from 2015) | |
Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | |
Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM User) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database | |
Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information | |
CommuteAir | 2023, January | Publicly Exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List | |
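
As an added example (not part of the original page or of the linked resource), a small offline Python lint for the two policy shapes that recur as root causes in the table above: S3 bucket policies that grant the public principal read or write access, and identity policies with wildcard actions on all resources. The sample policies, bucket names and the account id 123456789012 are constructed for illustration.

```python
"""Offline lint for two policy shapes that recur as root causes in the table above:
S3 bucket policies open to the public principal ("S3 global write access") and identity
policies with wildcard actions on "*" resources (over-privileged roles). Samples are constructed."""
import json

def _as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def _is_public(principal):  # "Principal": "*" or {"AWS": "*"} means everyone
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_grants(bucket_policy_json):
    """Actions the bucket policy allows to anyone. Statements with a Condition are
    skipped for manual review: e.g. aws:SecureTransport does not narrow the audience."""
    found = []
    for stmt in _as_list(json.loads(bucket_policy_json)["Statement"]):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and _is_public(stmt.get("Principal"))):
            found.extend(_as_list(stmt["Action"]))
    return found

def wildcard_statements(identity_policy_json):
    """Indexes of Allow statements with a wildcard Action ("*" or "svc:*") on Resource "*",
    the shape that turns one leaked key into access to everything."""
    hits = []
    for i, stmt in enumerate(_as_list(json.loads(identity_policy_json)["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        wild = any(a == "*" or a.endswith(":*") for a in actions)
        if stmt.get("Effect") == "Allow" and wild and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits

# Constructed samples; 123456789012 is a placeholder account id.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-uploads/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deploy"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-uploads/*"}]})
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-config/*"}]})

if __name__ == "__main__":
    print(public_grants(BUCKET_POLICY))      # ['s3:GetObject', 's3:PutObject']
    print(wildcard_statements(ROLE_POLICY))  # [0]
```

Run against exported bucket and role policies (for example from `aws s3api get-bucket-policy` and `aws iam get-role-policy`) as a first pass before a manual review; a public `s3:PutObject` grant is the exact shape behind the "S3 global write access" rows.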