A major US-based cellular service company recently fell victim to a cyber attack orchestrated by Brazilian hackers. The incident highlights the importance of robust cybersecurity measures and the potential consequences of failing to secure sensitive data.
The Attack
The breach occurred when attackers gained access to the company’s AWS S3 buckets, which were meant to be accessible by authorized personnel only. This breach occurred because the credentials used to access these buckets, provided by AWS’s Security Token Service (STS), did not have an expiration date set.
The compromised account, which belonged to a Canadian supplier, granted the attackers unrestricted access to all S3 assets. They swiftly downloaded all objects from the buckets and then attempted to delete them entirely from the bucket. To make matters worse, the attackers also managed to obtain the AWS Secrets, further compromising the security of the company’s data.
Ransom Demands
After the breach, the attackers contacted the company’s CISO and CEO via LinkedIn, demanding a ransom payment of $50,000. They sent emails and a video in Portuguese to pressure the company into paying the ransom.
Investigations revealed that the IP addresses used to access the S3 buckets originated from Brazil. The attack resulted in the leak of 1TB of customer data, and while the company claims that the data was non-sensitive, things could have turned out very differently.
Security Lapses
Further investigation uncovered that the compromised credentials were found in various locations, including email, Google Drive, and an on-premises GitHub repository. The company also lacked proper backup of assets in the online bucket, making it impossible to revert the changes made by the attackers.
To make matters worse, the company had insufficient access logs, hindering the investigation process and making it difficult to determine the full extent of the breach.
Lessons Learned
This incident serves as a stark reminder of the importance of implementing robust cybersecurity measures. Companies should ensure that:
1. AWS S3 buckets are properly secured and access is limited to authorized personnel only.
2. Credentials have appropriate expiration dates and are managed using AWS STS.
3. Recertification of personnel with access to assets is conducted at least twice a year, and more frequently for highly sensitive assets, to verify the continued necessity of their access privileges.
4. Sensitive information, such as credentials, is not stored in unsecured locations like emails, cloud drives, or code repositories.
5. Regular backups are maintained to enable quick recovery in the event of a breach.
6. Comprehensive access logging is implemented to facilitate thorough investigations.
By addressing these security lapses and adopting best practices, companies can significantly reduce the risk of falling victim to similar attacks in the future.In this case, regular penetration testing would have easily identified these security flaws, allowing the company to address them proactively and prevent the breach from occurring in the first place.
