christophetd
commented
2 weeks ago My summary FWIW:
- threat actor group Bling Libra (the group behind the ShinyHunters ransomware)
- Write-up of a full AWS attack chain
- Found IAM creds in a publicly-accessible log file
- Creds had AmazonS3FullAccess policy
- Enumeration
- iam:ListUsers (failed)
- s3:ListBuckets
- Then use of S3 Browser and WinSCP
- Accessed all S3 buckets
- Deleted a few buckets (probably some objects were removed before, but no data events enabled) Threat actor created a large number of S3 buckets to catch the victim’s attention / mock them
ramimac
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/