2024-09-05

Bling Libra Strikes AWS for S3 Data Deletion and Extortion

Level: Tactical | Source: Unit 42

A threat group, Bling Libra, has compromised AWS cloud environments through mismanaged credentials exposed on the internet to extort victims. Researchers Margaret Zimmermann and Chandni Vaya from Unit 42 reveal that the threat actors have recently pivoted to a data extortion strategy rather than directly posting data for sale. First observed in 2020, Bling Libra is also responsible for the ShinyHunters ransomware. Their proficiency in intrusions is exemplified by breaches at Microsoft GitHub and Tokopedia, both resulting in significant data theft. Leveraging credentials left exposed on public repositories, the threat actors navigated the environment, running API calls to gather context about their permissions and identifying data of interest in S3 buckets before exfiltration and deletion. To facilitate these objectives, Bling Libra operators have employed tools like Amazon Simple Storage Service (S3) Browser and WinSCP.

Observing Bling Libra's attack lifecycle, Unit 42 researchers note that after gaining initial access through mismanaged credentials, the threat actors ran API calls to check their permissions. Notably, they used "ListUsers" in an attempt to enumerate users, although restricted permissions hindered them. They then explored the environment further through reconnaissance-focused API calls, executing "ListBuckets" from the AWS CLI to gather information about S3 buckets. The S3 Browser tool let them run additional API queries such as "GetBucketLocation" and "GetBucketObjectLockConfiguration," refining their understanding of the target environment. Use of the S3 Browser tool can be identified from the user-agent field in CloudTrail logs.

"Following the discovery operations, the threat actor waited almost a month before returning and taking disruptive actions within the organization's AWS account. Due to both CloudTrail S3 data logging and S3 server access logging not being enabled within the organization's AWS environment, no logs existed that showed exfiltration activity from the S3 buckets," report Unit 42 researchers. Resuming their activities after this dwell time, Bling Libra escalated the attack using WinSCP. Using WinSCP to transfer data with S3 buckets required selecting the "Amazon S3 file protocol and entering the access key ID and secret access key," which results in a "ListBuckets" API call from WinSCP. Because of the lack of visibility into S3 object-level activity, CloudTrail analysis could not reveal what the threat actor had accessed and yielded no evidence of data exfiltration. For impact, the threat actors deleted data in selected buckets using the "DeleteBucket" API call and further antagonized the compromised organization by creating new buckets with the "CreateBucket" API call.

Unit 42 researchers also offered a detailed comparison between the S3 Browser and WinSCP, providing insight into the discrepancy in logging. While WinSCP activity can likewise be identified through the user-agent field in CloudTrail logs, the tool does not generate as many automatic API calls as the S3 Browser because it is not an AWS-native tool. "When comparing the two tools, the S3 Browser generates many more API calls that automatically appear in the CloudTrail logs based on user interaction, compared to WinSCP. The difference in the events generated in the CloudTrail logs comes down to the purpose of the two tools. Being a cloud-native tool, the S3 Browser takes advantage of more AWS features that generate additional API calls versus WinSCP, which works for more file transfer types than solely S3," explain the Unit 42 researchers.
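A defender-side triage of the CloudTrail signals described above, written as an added example (it is not code from the Unit 42 report or from Anvilogic): it groups records by access key, tags the client tool from the userAgent field, and flags keys whose discovery calls (including denied "ListUsers") are followed by "DeleteBucket" or "CreateBucket". The userAgent substrings and every log record below are constructed assumptions, not real telemetry; confirm the patterns against your own CloudTrail data.

```python
import json
from collections import defaultdict

# Substrings to look for in CloudTrail's userAgent field (assumed patterns).
TOOL_PATTERNS = {"s3browser": "S3 Browser", "s3 browser": "S3 Browser", "winscp": "WinSCP"}
# Event names the write-up attributes to the discovery and impact phases.
RECON_EVENTS = {"ListUsers", "ListBuckets", "GetBucketLocation", "GetBucketObjectLockConfiguration"}
IMPACT_EVENTS = {"DeleteBucket", "CreateBucket"}

# Constructed sample CloudTrail records (not real telemetry), one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2024-06-01T10:00:00Z","eventName":"ListUsers","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"aws-cli/2.15.0","errorCode":"AccessDenied"}
{"eventTime":"2024-06-01T10:01:00Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-06-01T10:05:00Z","eventName":"GetBucketObjectLockConfiguration","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"S3Browser/11.0 (constructed)","requestParameters":{"bucketName":"example-data"}}
{"eventTime":"2024-06-29T08:00:00Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"WinSCP/6.3 (constructed)"}
{"eventTime":"2024-06-29T08:30:00Z","eventName":"DeleteBucket","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"WinSCP/6.3 (constructed)","requestParameters":{"bucketName":"example-data"}}
{"eventTime":"2024-06-29T08:31:00Z","eventName":"CreateBucket","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0001"},"userAgent":"WinSCP/6.3 (constructed)","requestParameters":{"bucketName":"example-data-notice"}}
{"eventTime":"2024-06-29T09:00:00Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY0002"},"userAgent":"aws-sdk-go/1.44"}
"""

def identify_tool(user_agent):
    """Map a userAgent string to a known client tool, or None."""
    ua = user_agent.lower()
    for needle, tool in TOOL_PATTERNS.items():
        if needle in ua:
            return tool
    return None

def triage(log_text):
    """Summarise recon, tooling and bucket-level impact per access key;
    return only the keys that pair discovery signals with destructive calls."""
    per_key = defaultdict(lambda: {"tools": set(), "recon": set(), "denied": 0, "impact": []})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        f = per_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")]
        tool = identify_tool(ev.get("userAgent", ""))
        if tool:
            f["tools"].add(tool)
        name = ev.get("eventName")
        if name in RECON_EVENTS:
            f["recon"].add(name)
        if ev.get("errorCode") == "AccessDenied":
            f["denied"] += 1  # failed enumeration is itself a signal
        if name in IMPACT_EVENTS:
            f["impact"].append((ev["eventTime"], name, ev.get("requestParameters", {}).get("bucketName")))
    return {k: f for k, f in per_key.items() if f["impact"] and (f["tools"] or f["denied"])}

if __name__ == "__main__":
    for key, f in triage(SAMPLE_LOG).items():
        print(key, sorted(f["tools"]), sorted(f["recon"]), f["impact"])
```

Because the organization in the report had no S3 data-event logging, this triage sees only management events; object-level reads would need CloudTrail S3 data events or S3 server access logging enabled beforehand.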
