web analytics

ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket – Source:hackread.com

shinyhunters,-nemesis-linked-to-hacks-after-leaking-their-aws-s3-bucket-–-source:hackread.com
Rate this post

Source: hackread.com – Author: Waqas.

Summary

  • Large-Scale Hacking Operation Uncovered: Researchers link ShinyHunters and Nemesis to an operation exploiting millions of websites to steal over 2 terabytes of sensitive data.
  • Sophisticated Tools and Tactics: Hackers used Python, PHP, AWS IP ranges, and tools like ffuf, httpx, and Shodan to automate and expand their exploitation across regions.
  • Collaborative Mitigation Efforts: Researchers worked with the AWS Fraud Team to notify affected users, implement mitigation measures, and identify individuals involved in selling stolen data on Telegram.
  • Critical Discovery in Misconfigured S3 Bucket: An open S3 bucket used by the hackers exposed their stolen data, tools, and even potential identities, offering a unique glimpse into their operations.
  • Call for Stronger Cybersecurity Practices: The incident shows the need for proper configurations to protect cloud environments and prevent such large-scale breaches.

Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In this operation, hackers exploited vulnerabilities in millions of websites and took advantage of misconfiguration to access sensitive information including customer data, infrastructure credentials, and proprietary source code.

According to Noam Rotem and Ran Locar, two independent researchers who conducted this research, these attacks were carried out from a French-speaking country. It is worth noting that one of the ShinyHunters members Le Français Sébastien Raoult (aka Sezyo Kaizen), a France national, was arrested in Morocco back in July 2022. In January 2024, he was sentenced in the US to three years in prison. However, after spending less than a year, the hacker returned to France just last week.

Tools and Tricks

In their report for vpnMentor, researchers explained that the hackers were able to extract critical keys and secrets, which provided them with access to valuable data including application databases. The operation utilised several scripting languages, including Python and PHP, alongside specialized tools like ffuf and httpx, to automate the exploitation process.

Furthermore, the hackers used publicly available AWS IP address ranges to search millions of targets. They also used Shodan, a search engine for internet-connected devices, to perform reverse lookups and identify domain names associated with the discovered IPs. This method especially expanded their reach, allowing them to find and exploit numerous endpoints across different regions.

Researchers then collaborated with the AWS Fraud Team to implement mitigation measures and notify affected customers. The investigation also identified the names and contact information of some individuals behind the incident, assisting in further actions against the culprits who are selling their stolen data in dedicated Telegram channels for hundreds of Euros per breach.

The breach led to the theft of over 2 terabytes of data, including AWS customer keys and secrets that allowed access to various AWS services, as well as database and Git credentials, exposing source code and sensitive databases. SMTP and SMS credentials were also stolen, enabling attackers to send phishing emails and spam messages.

Moreover, cryptocurrency wallets and trading platform credentials were compromised, granting access to digital assets and trading accounts, alongside social media and email accounts, jeopardizing personal and business communications.

Investigations traced the infrastructure of this operation back to the ShinyHunters and Nemesis hacking groups because the tools and scripts used by the attackers held similarities to those previously associated with ShinyHunters, a group known for breaches at major companies like Ticketmaster, AT&T, Mashable and many more. The group also owned and administrated the notorious cybercrime and data breach forum Breach Forums for a while.

Additionally, the now-seized Nemesis Blackmarket was identified as a marketplace where the stolen credentials and access keys were being sold, often fetching hundreds of Euros per breach on platforms like Telegram.

ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket
Attack Flaw (Via: vpnMentor)

Hackers Exposed Their AWS Bucket While Hunting Exposed Databases

One critical discovery was an open Amazon S3 bucket used by the attackers to store harvested data. This bucket acted as a shared storage space, mistakenly left unsecured by its owner, facilitating the easy collection and distribution of stolen information.

“The discovery provided a glimpse into the operations of a large-scale web-scanning operation, the code used by the attackers, and even the potential identities of the people behind it. Data harvested from the victims was stored in an S3 bucket, which was left open due to a misconfiguration by its owner. The S3 bucket was being used as a “shared drive” between the attack group members, based on the source code of the tools used by them. These tools are documented in French and signed by “Sezyo Kaizen”.

Researchers

Jim Routh, Chief Trust Officer at Saviynt, emphasized the scale and technical prowess of these criminal groups stating, “ShinyHunters and Nemesis represent highly organized cybercriminal syndicates operating on a large scale for profit. They exploit vulnerabilities in cloud services, often taking advantage of enterprises that may not fully understand the complexities and security controls of cloud environments. The range of targeted information, from credentials and cryptocurrency wallets to source code and cloud account secrets, shows their broad and opportunistic approach.”

Routh also highlighted the irony that the attackers themselves made a critical mistake by leaving an AWS S3 bucket open, which ultimately led to the detection of their activities.

Nevertheless, this incident shows why proper configuration and implementing cybersecurity practices are important to protect your online infrastructure. It will be interesting to see if the details shared by researchers with authorities lead to arrests or further revelations about the individuals involved in the hacking spree.

  1. ShinyHunters Leak 33M Twilio Authy Phone Numbers
  2. Canada Arrests Hacker Linked to Snowflake Data Breaches
  3. ShinyHunters’ Santander Bank Breach: 30M User Data for Sale
  4. ALBeast: Misconfiguration Flaw Exposes 15k AWS Load Balancers
  5. Hacker in $3 Billion SSN Leak Reveals Himself as Brazilian Citizen

Original Post url: https://hackread.com/shinyhunters-nemesis-hacks-aws-s3-bucket-leak/

Category & Tags: Security,Cyber Crime,Cyber Attack,Cybersecurity,Data Breaches,Nemesis,ShinyHunters,Shodan,Ticketmaster – Security,Cyber Crime,Cyber Attack,Cybersecurity,Data Breaches,Nemesis,ShinyHunters,Shodan,Ticketmaster

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Practical DevSecOps
API Security Fundamentals – Your Handy Guide to Building an Unhackable System by practical-devsecops.com
API Security Fundamentals – Your...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos