Cybercrime Current Events: AWS Takeover Campaign, Ransomware Attack on Columbus, and City of Columbus Sues Ransomware Researcher Whistleblower

There’s so much to keep up with in the world of cybercrime…especially for security practitioners.

Leaky Weekly is a bi-weekly podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

On this episode of Leaky Weekly, Nick covers:

  • AWS takeover campaign
  • Ransomware attack on Columbus, Ohio
  • Regarding the same ransomware attack mentioned above, the city of Columbus sues a ransomware researcher whistleblower

Tune in for current events every other week with short and sweet episodes in about 15 minutes, or keep reading this article for the highlights. 

AWS Takeover Campaign

A whole new category (not just a variant) of ransomware is here.

Palo Alto’s new research team, Unit 42, uncovered an extortion campaign in which attackers exfiltrated data from AWS cloud storage and left a ransom note. The threat actors scanned over 230 million unique targets for exposed .env files.

Unit 42 tracked 111,000 domains targeted by the campaign, and roughly 90,000 unique environment variables in .env files contained hard-coded AWS access keys. These .env files are not supposed to be internet-facing, especially when they contain secrets. They hold configuration variables used by an application, and in many cases a configuration variable is an API key, a database login, or an AWS access key.

This is the lifecycle of the attack:

  1. The attacker scans the internet for exposed .env files.
  2. The attacker searches the contents of that file for an AWS access key.
  3. Using the AWS access key, the threat actor figures out whose key it is by calling the AWS API endpoint GetCallerIdentity, which returns the user ID, the account number, and the ARN. The ARN tells them which account the identity lives in, which AWS service it belongs to, and what type of resource it is (a user, a role, a group, etc.).
  4. The threat actor uses the key to call the AWS API endpoint ListUsers, which returns a list of the other IAM users in that AWS account (useful later for lateral movement within the environment), and then calls the ListBuckets endpoint, which lists the existing S3 buckets they can also target for exfiltration and extortion.
  5. If the key had the permission, the attacker would create a new IAM resource for themselves in the target environment with unlimited access.
  6. The attacker would then attempt to create a Lambda function to spin up virtual machines in EC2 and cryptomine on them. If they misconfigured it, it would fail.
  7. What did not fail was another Lambda function, which scanned for more targets using a file it pulled down from an S3 bucket in another AWS environment the attacker had previously compromised. In that bucket, Unit 42 found a list of 110,000 domains with exposed .env files the threat actor was targeting, and a file listing roughly 230 million unique targets the threat actor was scanning for exposed environment files.
  8. Finally, the threat actor would exfiltrate the data stored in the S3 bucket and upload a ransom note.
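As an added example (not from the Unit 42 report or this article), here is a small Python check a defender could run over CloudTrail records to spot the recon chain in steps 3 and 4 and the follow-on changes from steps 5 and 6. The field names are CloudTrail’s; the event records and key IDs are constructed, and the 10-minute window and the list of escalation calls are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime

RECON_SEQUENCE = ("GetCallerIdentity", "ListUsers", "ListBuckets")
# Calls that turn a stolen key into persistence or compute (steps 5 and 6 above).
ESCALATION_CALLS = {"CreateUser", "CreateRole", "AttachUserPolicy", "CreateFunction"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _event(time, name, key):  # constructed record with only the fields read below
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"accessKeyId": key}}

SAMPLE_EVENTS = [  # constructed sample data, not from any real account
    _event("2024-08-15T10:00:01Z", "GetCallerIdentity", "AKIAEXAMPLE000000001"),
    _event("2024-08-15T10:00:04Z", "ListUsers", "AKIAEXAMPLE000000001"),
    _event("2024-08-15T10:00:06Z", "ListBuckets", "AKIAEXAMPLE000000001"),
    _event("2024-08-15T10:02:30Z", "CreateUser", "AKIAEXAMPLE000000001"),
    _event("2024-08-15T10:05:00Z", "CreateFunction", "AKIAEXAMPLE000000001"),
    # A deploy pipeline: checks its identity and lists buckets, never enumerates users.
    _event("2024-08-15T10:00:00Z", "GetCallerIdentity", "AKIAEXAMPLE000000002"),
    _event("2024-08-15T10:00:02Z", "ListBuckets", "AKIAEXAMPLE000000002"),
    # Same three calls an hour apart: outside the window, so not flagged.
    _event("2024-08-15T08:00:00Z", "GetCallerIdentity", "AKIAEXAMPLE000000003"),
    _event("2024-08-15T09:00:00Z", "ListUsers", "AKIAEXAMPLE000000003"),
    _event("2024-08-15T10:00:00Z", "ListBuckets", "AKIAEXAMPLE000000003"),
]

def find_recon_chains(events, window_seconds=600):
    """Map each key that ran RECON_SEQUENCE in order within the window to the
    sorted ESCALATION_CALLS it made from the moment the chain completed."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        step, chain_start = 0, None
        for e in evs:
            if chain_start and (_ts(e) - chain_start).total_seconds() > window_seconds:
                step, chain_start = 0, None  # window expired: start over
            if e["eventName"] == RECON_SEQUENCE[step]:
                chain_start = chain_start or _ts(e)
                step += 1
                if step == len(RECON_SEQUENCE):
                    findings[key] = sorted({x["eventName"] for x in evs if _ts(x) >= _ts(e)
                                            and x["eventName"] in ESCALATION_CALLS})
                    break
    return findings
```

A key that completes the chain but made no escalation call still shows up with an empty list, since the recon alone is worth a look when the key came out of a web-exposed .env file.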

In this situation, the threat actor left a .env file exposed that contained a wide variety of credentials, presumably harvested from their own scanning campaign. About 90,000 unique environment variables were found to be specifically access keys or IAM credentials, about 7,000 were associated with cloud services, about 1,500 were associated with social media accounts, and the rest were associated with other services.

Unit 42 mentions in their report that the attack seems to have started with Mailgun credentials (Mailgun is a service for automating the sending of emails). This probably began as an attack looking for Mailgun credentials in exposed .env files and slowly evolved into an extortion operation looking for all kinds of credentials. It self-replicated through AWS environments, acting like a worm.


Here are two conclusions to draw:

  • Cybercriminals know that a lot of organizations no longer keep data on hosts or in on-prem apps. This is a hint at the campaigns threat actors are likely to run in the future, because it’s easy and can be commodified. With ransomware affiliate programs and a growing infostealer malware infrastructure lowering the barrier to entry, ransomware gangs are shifting to become highly commodified cybercrime operations.
  • This continues the trend of ransomware without the “ware” portion, or at least without the encryption.

Ransomware Attack on Columbus, Ohio

The Rhysida ransomware group infected the city of Columbus, Ohio. The group then advertised 6.5 terabytes of stolen data, and made 45% of this available for download, claiming this data wasn’t already sold.

Often, a ransomware group will post small samples to its data leak site to prove that a compromise was real. It typically releases the files in full, or sells them, only after negotiations have failed or never started.

But Columbus’s Director of the Department of Technology claims not only that the city never received a ransom demand from the group, but also that when they tried to reach out to the group, they got no response.

Meanwhile, the group listed the entire 6.5 terabytes of data for sale for $2 million in Bitcoin, but didn’t sell all of it, since they then listed 3.1 terabytes for free on their data leak site, claiming that this 3.1 terabytes had not been sold.

If it’s true that Rhysida never engaged in contact with the city government of Columbus, that would possibly be surprising from an ethical standpoint, but not common. A ransomware operation’s typical goal is to extort a victim into paying the group to decrypt the files. In recent years, ransomware groups have pursued double extortion by also threatening to auction off the files or release them to the general public if the ransom is not paid. In this case, Rhysida supposedly did both.

City of Columbus Sues Ransomware Researcher Whistleblower

This next story is also about Columbus, Ohio and is related to the aforementioned Rhysida hack. The city is suing the security researcher Connor Goodwolf for notifying them that they were hacked.

Goodwolf read that the mayor of Columbus claimed that the 3.1 terabytes of data posted by Rhysida were encrypted or corrupted. But when Goodwolf looked into the data the ransomware group had posted publicly, he discovered that it was neither encrypted nor corrupted, and that it contained sensitive information about the city’s residents.

Goodwolf left a voicemail with the city saying that he was aware someone in the Department of Technology had lied, and asked them to call him back so he could walk them through the data that was actually exposed and not corrupted. He also told them that he would be going to the news to discuss the exposed data.

Shortly after, the city attorney sued Goodwolf stating, “If there is information that needs to be brought forward, there is a way to disclose that information to law enforcement, and not going directly to the media, and this is why we had to file the TRO.”

Goodwolf had left the voicemail with the city government the day before he told this story on the news, which indicates that he did disclose information to the concerned party ahead of revealing the information to the news.

Goodwolf has at the very least succeeded in making the public aware of the full extent of the actual danger and breadth of the exposed data.

Separate from the lawsuit against Goodwolf, the city is facing two class-action lawsuits. These were brought forward by local police and firefighters, including an undercover officer, who worried that his cover had been exposed by a specific set of police data present in the leak. They are suing specifically because the city did not inform them of their exposed information as soon as they should have.

The complaint specifically states:

“Defendant’s actions of downloading from the dark web and spreading this stolen, sensitive information at a local level has resulted in widespread concern throughout the Central Ohio region,”

“Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so.”

However, this information is relatively accessible: there are YouTube videos from news organizations such as CNBC that show how to access the dark web.

So at this point, it remains unclear if Columbus residents, or the implicated firefighters and police officers suing the city, would have ever learned that they were impacted by the leak if Goodwolf had not been on the news. 

These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments in two weeks.

Brought to you by Flare, a Threat Exposure Management solution that empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors.
