icon

Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deak daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Buffalo, New York
United States

Current Threat Data

Bling Libra's Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware

Summary:
Unit 42’s recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they’ve now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.

Even though the stolen credentials had limited access, Bling Libra was able to get into the AWS environment, carry out some reconnaissance, and use tools like Amazon S3 Browser and WinSCP to examine S3 bucket settings, access data, and delete it. By analyzing the logs from these tools, we can better understand which activities were performed by the attackers and which were just automated actions from the tools themselves.

Security Officer Comments:
As more businesses move to the cloud, the threat posed by groups like Bling Libra highlights the urgent need for robust cybersecurity practices. Using AWS’s security tools, such as Amazon GuardDuty, AWS Config, and AWS Service Control Policies, is essential for protecting cloud resources.

Incident Details

  • Initial Access: Bling Libra obtained AWS credentials from a publicly exposed file, allowing them to interact with S3 buckets.
  • Discovery: The attackers used CloudTrail logs to explore the permissions and contents of the AWS environment.
  • Data Access and Impact: After a delay, the attackers accessed and deleted S3 buckets. Due to inadequate logging, data exfiltration was not recorded, but the ransom note confirmed their actions.
  • Execution: The attackers created new S3 buckets as part of their extortion strategy.
  • Extortion: Bling Libra sent an extortion email demanding payment from the victim organization.

Tool Analysis

  • S3 Browser: Generates numerous API calls in CloudTrail logs based on user interactions, which helps differentiate between automated and manual actions.
  • WinSCP: Also generates API calls but is less comprehensive in its AWS management compared to S3 Browser.

Suggested Corrections:
To secure AWS environments and mitigate risks, organizations should adopt the principle of least privilege by ensuring that IAM users and roles have only the permissions necessary for their tasks, while regularly reviewing and adjusting permissions.

Link(s):
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

Contact Us for Threat Assistance
Back to Current Threats