They Hacked Thousands of Cloud Accounts Then Sent Us Weird GIFs

Conference:  BlackHat USA 2021

2021-11-10

Summary

The presentation discusses the importance of basic security measures in cloud computing, particularly in developer and test environments, and highlights the vulnerability of AWS credentials to malware attacks.

  • Basic security measures are crucial in cloud computing
  • Developer and test environments are often overlooked and vulnerable to attacks
  • AWS credentials are susceptible to malware attacks
  • Team TnT is a group of attackers who use AWS credit to spread malware
  • Hackers may respond to blog posts about their activities

The presenter discovered a malware attack on an AWS server that stole AWS credentials and could potentially download files and control instances. The attackers, Team TnT, had their own official website and even left messages on the server warning against further exploration. The presenter's blog post about the attack gained attention for its coverage of the unique AWS credit method used by the attackers. The attackers even responded to the post with a somewhat polite message expressing frustration with the publicity.

Abstract

As organizations migrate their computing resources to cloud and container environments, attackers are taking notice -- and following. In August 2020, we discovered the first crypto-mining worm stealing AWS credentials. The attackers are now well known for their cloud-specific attacks. Recently, we discovered they had expanded their toolkit to both steal more credentials from compromised cloud systems and deploy some innovative techniques to exploit containerised Kubernetes systems and more cloud providers.

In this session, we will discuss the cloud-specific nature of the real-world attacks we've seen, sharing insights and details that have not yet been published. We will walk attendees through the overall attack group operation and their most recent innovations to be on the lookout for. Finally, we will highlight the attack group's recent movements and operational security mistakes, and provide a behind-the-scenes look at how they manage compromised cloud accounts.
