Current Cybercrime Events: AWS Acquisition Campaign, Columbus Ransomware Attack, and City of Columbus Sues Ransomware Investigation Whistleblower – Flare | Cyber Threat Intel

There’s so much to keep up with in the world of cybercrime… especially for security professionals.

Leaky Weekly is a biweekly podcast from security researcher Nick Ascoli, where he addresses the most pressing stories about data breaches, cybercrime, and the dark web from the past week.

In this episode of Leaky Weekly, Nick discusses:

  • AWS Acquisition Campaign
  • Ransomware Attack on Columbus, Ohio
  • The City of Columbus suing a whistleblower who investigated that same ransomware attack

Catch up on current events every two weeks with short, punchy episodes of about 15 minutes. You can also keep reading this article for highlights.

A whole new category (not just a variant) of ransomware has emerged.

Palo Alto’s new research team, Unit 42, discovered an extortion campaign where attackers exfiltrated data from AWS cloud storage containers and left a ransom note. Threat actors scanned more than 230 million unique targets for exposed .env files.

Unit 42 tracked 111,000 domains targeted in the campaign, and approximately 90,000 unique environment variables in .env files held hard-coded AWS access keys. These .env files are not intended to be internet-facing, especially if they contain secrets: they hold the configuration variables an application reads at startup, and such a variable is often an API key, a database login, or an AWS access key.
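A pre-deploy check that catches the mistake described above, hard-coded credentials sitting in a .env file, as an added example (not code from Unit 42's report or from Flare). The dotenv parser, the secret-name heuristic and the sample file are constructed; the key ID in the sample is AWS's documented placeholder, not a real key.

```python
"""Flag hard-coded credentials in a .env file before it is deployed.
Added example, not from Unit 42's report or Flare: a pre-deploy check that
parses a dotenv file and reports AWS access key IDs and other literal secrets.
The sample file is constructed; its key ID is AWS's documented placeholder."""
import re

# AWS access key IDs have a fixed 20-character shape: AKIA.. (IAM user), ASIA.. (STS).
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names that conventionally carry secrets, whatever the value looks like.
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY", re.I)

def parse_dotenv(text):
    """Parse KEY=value lines: skips blanks and comments, tolerates an
    'export ' prefix and matching single or double quotes around the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def find_hardcoded_credentials(text):
    """Return (variable, reason) pairs for entries that look like credentials.
    References such as ${VAR}, resolved from a secret store at runtime, pass."""
    findings = []
    for key, value in parse_dotenv(text).items():
        if AWS_KEY_ID_RE.search(value):
            findings.append((key, "value is an AWS access key ID"))
        elif SECRET_NAME_RE.search(key) and value and not value.startswith("${"):
            findings.append((key, "secret-looking name with literal value"))
    return findings

# Constructed sample .env; the placeholder values are not real credentials.
SAMPLE_ENV = """
# application settings
APP_ENV=production
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
MAILGUN_API_KEY='key-constructed-placeholder'
DB_HOST=db.internal
"""
```

Running `find_hardcoded_credentials(SAMPLE_ENV)` flags the literal AWS key ID and the Mailgun key, while the `${...}` reference for the secret access key passes because it is resolved from a secret store at runtime.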

This is the lifecycle of the attack:

  1. The attacker scans the Internet for exposed .env files.
  2. The attacker searches the contents of that file for an AWS access key.
  3. Using the AWS access key, the attacker determines what it is by calling the AWS API GetCallerIdentity, which returns the user ID, the account number, and the key’s ARN. The ARN reveals which account the key belongs to, which AWS service it is for, and what kind of resource it is (a user, a role, a group, etc.).
  4. The threat actor uses the key to call the ListUsers API, which returns the other IAM users in that AWS account; this list can later be used for lateral movement within the environment. They then call ListBuckets, which lists the existing S3 buckets, giving them further targets for exfiltration and extortion.
  5. If the key had sufficient permissions, the attacker created a new IAM resource for themselves in the target environment with unrestricted access.
  6. The attacker then attempted to create a Lambda function to spin up EC2 virtual machines and cryptomine on them; this attempt failed because it was misconfigured.
  7. What did not fail was a second Lambda function, which scanned for more targets using a file pulled from an S3 bucket in an AWS account the attacker had previously compromised. In that bucket, Unit 42 found a list of 110,000 domains with exposed .env files that the threat actor was targeting, along with a file listing approximately 230 million unique targets the threat actor was scanning for exposed environment files.
  8. Finally, the malicious party exfiltrated the data in the S3 bucket and uploaded a ransom note.
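Steps 3 to 5 of that lifecycle leave a recognisable trail in CloudTrail: a single access key calls GetCallerIdentity, enumerates IAM users or S3 buckets, and then creates a role, user, key or Lambda function within minutes. The detection below is an added example (not code from Unit 42 or Flare) run over constructed records that use CloudTrail’s field names; the 30-minute window is an assumption, and the key IDs are AWS’s documented placeholders.

```python
"""Spot the campaign's key-abuse sequence (steps 3-5 above) in CloudTrail.
Added example, not from Unit 42 or Flare; records are constructed samples
using CloudTrail's field names, and the access key IDs are AWS's documented
placeholders, not real keys."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENUMERATION = {"ListUsers", "ListBuckets"}  # step 4: IAM and S3 reconnaissance
PERSISTENCE = {"CreateRole", "AttachRolePolicy", "CreateUser", "CreateAccessKey"}

def is_persistence(name):
    # Lambda logs CreateFunction with an API-version suffix (CreateFunction20150331).
    return name in PERSISTENCE or name.startswith("CreateFunction")

def load_events(lines):
    """Parse newline-delimited CloudTrail records into (time, key, eventName), sorted."""
    events = []
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        events.append((datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                       rec["userIdentity"].get("accessKeyId", "unknown"),
                       rec["eventName"]))
    return sorted(events)

def detect_env_key_abuse(lines, window=timedelta(minutes=30)):
    """Return access keys that call GetCallerIdentity, then enumerate IAM or S3,
    then create a role/user/key/function, all inside `window` (assumed 30 min)."""
    by_key = defaultdict(list)
    for when, key, name in load_events(lines):
        by_key[key].append((when, name))
    flagged = []
    for key, evs in by_key.items():
        for i, (t0, name) in enumerate(evs):
            if name != "GetCallerIdentity":
                continue
            later = [n for t, n in evs[i + 1:] if t - t0 <= window]
            if any(n in ENUMERATION for n in later) and any(is_persistence(n) for n in later):
                flagged.append(key)
                break
    return flagged

# Constructed sample log: the first key follows the extortion playbook, the
# second only lists buckets (routine admin activity) and must not be flagged.
SAMPLE_LOG = """
{"eventTime":"2024-08-01T10:00:00Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-08-01T10:00:05Z","eventName":"ListUsers","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-08-01T10:00:09Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-08-01T10:01:30Z","eventName":"CreateRole","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2024-08-01T11:00:00Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
{"eventTime":"2024-08-01T11:00:07Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
"""
```

`detect_env_key_abuse(SAMPLE_LOG.splitlines())` returns only the first key; in production the same logic would read records from the CloudTrail delivery bucket or a SIEM export rather than an inline string.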

In this case the threat actor themselves had left an .env file exposed that contained a wide variety of credentials, presumably ones collected through their scanning campaign. Approximately 90,000 unique environment variables were found that were specifically access keys or IAM credentials, approximately 7,000 were tied to cloud services, approximately 1,500 were tied to social media accounts, and further variables were tied to other services.

Unit 42 notes in its report that the attack appears to have started with Mailgun credentials (Mailgun is a service for automating email sending). The operation likely began as a hunt for Mailgun credentials in exposed .env files and slowly evolved into an extortion campaign looking for all sorts of credentials. It replicated itself across AWS environments and behaved like a worm.

We can draw two conclusions from this:

  • Cybercriminals know that many organizations no longer store data on hosts or in on-prem apps. This hints at the campaigns threat actors are likely to run in future, since the approach is easy and can be commodified. With ransomware affiliate programs and the growing infrastructure of infostealer malware, ransomware gangs face a lower barrier to entry and are turning into highly commodified cybercriminal operations.
  • This continues the trend of ransomware without the encryption component: extortion based solely on exfiltrated data.

The Rhysida ransomware group infected the city of Columbus, Ohio. The group then advertised 6.5 terabytes of stolen data and made 45% of it available for download, claiming that the data had not yet been sold.

Often, a ransomware group will post small samples on its data breach site to prove that there really was a compromise, and will release or sell the full data set only after negotiations have failed or never started.

The director of the Department of Technology in Columbus claims not only that they never received a ransom demand from the group, but that they also received no response when they tried to contact the group.

Meanwhile, the group put the entire 6.5 terabytes of data up for sale for $2 million in Bitcoin, but did not sell all of it: they put 3.1 terabytes of data up for free on their data breach site, claiming that those 3.1 terabytes had not been sold.

If it is true that Rhysida never contacted the Columbus city government, that would be surprising from an ethical standpoint, though not unheard of. The typical goal of a ransomware operation is to extort a victim into paying the ransomware group to decrypt the files. In recent years, ransomware groups have sought to double extort by threatening to auction off the files as well, or to release them to the general public, if the ransom is not paid. In this situation, Rhysida is said to have done both.

This next story also involves Columbus, Ohio and is related to the previously mentioned Rhysida hack. The city is suing security researcher Connor Goodwolf for letting them know they had been hacked.

Goodwolf read that the mayor of Columbus claimed the 3.1 terabytes of data Rhysida posted was encrypted or corrupted. But when Goodwolf examined the publicly accessible data the ransomware group had posted, he discovered that not only was it neither encrypted nor corrupted, it also contained sensitive information about the city’s residents.

Goodwolf left a voicemail with the city claiming that he knew someone at the Department of Technology had lied, and asked them to call him back so he could walk them through the data that had actually been exposed and not corrupted. He then informed them that he would be calling the news to discuss the exposed data.

Shortly thereafter, the city attorney filed a lawsuit against Goodwolf, stating, “If there is information that needs to be brought forward, there is a way to get that information out to law enforcement, rather than going directly to the media. That’s why we had to file a TRO.”

Goodwolf had left a voicemail message with the city government the day before he reported this story in the news, which shows that he had indeed provided the party concerned with information before reporting it in the news.

Goodwolf has at least succeeded in making the public aware of the true scale of the danger and the scope of the exposed data.

Separate from the Goodwolf lawsuit, the city is facing two class-action lawsuits. These were filed by local police and firefighters, including an undercover officer who was concerned that his cover had been blown by a specific set of police records that were present in the leak. They are specifically suing because the city did not notify them of their exposed information as quickly as it should have.

The complaint specifically states:

“The suspect’s actions of downloading from the dark web and distributing this stolen, sensitive information locally have caused widespread concern in the Central Ohio region,”

“Only individuals who are willing to navigate and interact with the criminal elements on the dark web, and who also have the computer knowledge and tools necessary to download data from the dark web, would be able to do so.”

However, this information is relatively accessible: there are YouTube videos from news organizations like CNBC that show how to access the dark web.

So it remains unclear whether Columbus residents, or the involved firefighters and police officers who are suing the city, would ever have learned they were affected by the leak if Goodwolf had not been in the news.

These are all developing stories that we’ve covered very briefly, so check out cybersecurity news to stay up to date. We couldn’t cover everything in the past few weeks, and we’ll look at new stories and developments in two weeks.

Powered by Flare, the Threat Exposure Management solution that enables organizations to proactively detect, prioritize, and mitigate the exposure types commonly exploited by threat actors.
