Tuesday, September 17, 2024
HomeAmazon AWSBeware! Hackers Attack AWS EC2 Workloads to Steal Credentials

Beware! Hackers Attack AWS EC2 Workloads to Steal Credentials

Published on

Cybersecurity experts at Trend Micro have recently identified that hackers are actively attacking the Amazon Web Services (AWS) EC2 workloads to steal credentials.

By exploiting this tool, hackers get the ability to exfiltrate essential data like access keys and tokens. 

In this case, the hackers sent the stolen data to a domain under their control. On the AWS-owned domain, amazonaws.com to accomplish this task threat actors used the technique called typosquatting.

- Advertisement - EHA

Attack Flow

There was a report earlier that legitimate tools are being abused for nefarious purposes with the abuse of Weave Scope specifically.

It was determined that the attacker made use of an exposed Docker REST API server to gain access to the honeypot that was planted by the researchers during this attempt, which is common practice for threat actors such as TeamTNT to leverage.

AWS EC2

Within the container, the attackers mounted the host’s root directory on the path </host> in the container, which corresponded to the underlying host’s root directory on the host.

In this case, rather than any other command being supplied that should have been executed by the container during the creation procedure, a script named init.sh was executed.

While there are two variable that are declared and here we have mentioned them:-

  • SCOPE_SH, a Base64-encoded string that installs Weave Scope
  • WS_TOKEN, a  secret access token that can be used to include hosts in fleets

Functions of the script

After analyzing the script, cybersecurity analysts have concluded that there are five primary functions that are offered by this script. These functions are mainly used by attackers during attacks for several types of implementations and deployments.

Here below we have mentioned the 5 primary functions offered by the script:-

  • main
  • wssetup
  • checkkey
  • getrange
  • rangescan

Domain analysis

To resolve the domain, the IP addresses used by the attackers depict the strong connection between the following domains with the TeamTNT threat group:-

  • amazon2aws[.]com
  • teamtnt[.]red
AWS EC2

It is no secret that cybercriminals are constantly sharpening their arsenal, testing, developing, and abusing tools and platforms meant for legitimate purposes.

The adoption of cloud platforms by many companies has entailed the building of malicious tools by attackers to exploit the services that are available in the cloud.

  • In terms of being defenders, it is important that we keep in mind the following points:-
  • It is imperative to know what attackers are targeting after they have gained entry into the system.
  • To disable them, there are a number of methods that need to be used.
  • For them to be disarmed, there needs to be a set of methods.
  • Removal of threats using different security procedures.

Network Security Checklist – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Chinese Hackers Charged for Multi-Year Spear-Phishing Attacks

Song Wu, a Chinese national, has been indicted on charges of wire fraud and...

Entro Security Labs Releases Non-Human Identities Research Security Advisory

Analysis of millions of real-world NHI secrets by Entro Security Labs reveals widespread, significant...

Critical Vulnerabilities Impact Million of D-Link Routers, Patch Now!

Millions of D-Link routers are at risk due to several critical vulnerabilities. Security researcher...

Windows MSHTML Zero-Day Vulnerability Exploited In The Wild

Adobe released eight security updates in September 2024, addressing 28 vulnerabilities in various products,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hackers Mimic Google, Microsoft & Amazon Domains for Phishing Attacks

Phishing remains a significant concern for both individuals and organizations. Recent findings from ThreatLabz...

AWS Launches Mithra To Detect Malicious Domains Across Systems

Amazon's e-commerce platforms and cloud services form a digital ecosystem requiring a strong cybersecurity...

Researchers Detail on How Defenders Eliminate Detection Gaps in AWS Environments

As enterprises increasingly migrate their workloads to cloud infrastructure, the need for robust security...