Posted on May 6, 2022 at 5:36 PM
A Mandiant research report has revealed a threat actor group exploiting web applications to steal metadata. The threat actors managed to steal this data through the AWS database.
The attack exposed by Mandiant researchers took place between May 2021 and June 2021. The threat actors behind it managed to steal sensitive corporate data from AWS installations, and the data was stolen gradually.
Hackers exploit the AWS database to steal sensitive data
Mandiant researchers uncovered this attack, spearheaded by a threat actor group known as UNC2903. The attack happened within a period of reconnaissance. The attacks were carried out in multiple phases and could be used to conduct further attacks against the victim.
In a blog post released on Wednesday, the researchers said that “the threat identified in campaigns carried out by UNC2903 was multi-phased attacks, which involved infrastructure scanning, reconnaissance and further abuse of the underlying abstraction layers offered by cloud-hosted platforms.”
After the threat actors launched their attack on the target system, the researchers noted that they used the stolen credentials to access more data held in other AWS services within the target environment. This signals that the first attack was done to pave the way for secondary attacks on the compromised user.
The Mandiant researchers further said that these attacks were random: they did not target any specific industries or sectors. The threat actors did not focus the attacks on particular individuals, showing that they were opportunistic. The nature of the attacks also demonstrated that the threat actors were targeting web-facing applications that were vulnerable to these kinds of attacks.
During this attack, the threat actors targeted vulnerable web applications that had integrated Adminer. Adminer is a popular database management tool used to connect web applications with a cloud database.
The flaw targeted by the attackers in this case was dubbed CVE-2021-21311. This vulnerability did not give direct access to the secret keys of the AWS database. However, it allowed the attacker to access some of the metadata.
The metadata plays a crucial role in the attack, according to the data provided by Mandiant. When the attacker interacted with the AWS service dubbed IMDSv1 (version 1 of the instance metadata service), the attacker had a chance to trick the server into returning an error message that contained the AWS secret keys. The attacker then connected directly to the AWS database and stole the data stored within it.
Adminer and IMDSv1 have been notified of this vulnerability, and they have been urged to update their systems and ensure that the vulnerability is sorted. The hackers in question, named UNC2903, managed to access enough web-reliant applications and AWS applications to reach vast amounts of data.
This attack was mainly focused on the AWS database. However, the Mandiant researchers added that cloud providers with similar metadata services were also at risk of facing similar attacks.
Adminer has been notified of the attack and has issued an update to ensure that users are no longer at risk of their information being stolen in these kinds of attacks. Administrators can be assured of their databases getting the desired level of protection by upgrading Adminer to version 4.7.9 and moving to IMDSv2.
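The IMDSv2 step above is something an administrator can verify rather than assume. The following is an added example, not code from the article or the Mandiant report: a Python audit over constructed input shaped like the `MetadataOptions` block of an EC2 `DescribeInstances` response, which flags instances still answering IMDSv1 (`HttpTokens` not `required`) and emits the AWS CLI command that enforces IMDSv2 on each of them.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure.

Constructed input mirroring the MetadataOptions block of an EC2
DescribeInstances response; no AWS calls are made.
"""

IMDSV1_ALLOWED = "imdsv1-allowed"     # HttpTokens != required
HOP_LIMIT_HIGH = "hop-limit-above-1"  # workloads behind the instance can reach IMDS
IMDS_DISABLED = "imds-disabled"
OK = "ok"

def classify_instance(instance: dict) -> list:
    """Return findings for one DescribeInstances instance record."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return [IMDS_DISABLED]
    findings = []
    # "optional" means unauthenticated IMDSv1 requests (no session token) still answer.
    if opts.get("HttpTokens", "optional") != "required":
        findings.append(IMDSV1_ALLOWED)
    # Hop limit 1 keeps IMDS responses from leaving the instance (e.g. to containers).
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append(HOP_LIMIT_HIGH)
    return findings or [OK]

def audit(reservations: list) -> dict:
    """Map InstanceId -> findings over a DescribeInstances-style payload."""
    return {inst["InstanceId"]: classify_instance(inst)
            for res in reservations for inst in res.get("Instances", [])}

def remediation_commands(report: dict) -> list:
    """AWS CLI commands enforcing IMDSv2 on every instance still allowing IMDSv1."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-tokens required --http-endpoint enabled"
            for iid, findings in report.items() if IMDSV1_ALLOWED in findings]

# Constructed sample: one exposed, one hardened, one with IMDS switched off.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa00000000000a1", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb00000000000b2", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc00000000000c3", "MetadataOptions": {"HttpEndpoint": "disabled"}},
]}]

if __name__ == "__main__":
    report = audit(SAMPLE_RESERVATIONS)
    for iid, findings in report.items():
        print(iid, ", ".join(findings))
    print("\n".join(remediation_commands(report)))
```

To run it against a real account, pass `boto3.client("ec2").describe_instances()["Reservations"]` to `audit` instead of the constructed sample.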
Cloud computing services pose an increased risk
However, the Mandiant researchers said there was still an issue with cloud computing services: companies continue to be at risk when they use them. Given that most companies are focusing on digitization, the adoption and use of cloud computing services are expected to keep rising, posing a growing danger to businesses.
“As the adoption of cloud technology expands, so does the threat surface and targeting for vulnerable web infrastructure with underlying outdated or deprecated metadata services with limited security capabilities,” the researchers said.
They also said that the level of risk related to vulnerabilities in web applications needed to be closely monitored and evaluated. The identified risk could be paired with the user’s understanding of metadata services within cloud environments and how they “increase the possibility of advanced or continued threats.”
The Mandiant researchers have been monitoring the threat actor group behind this attack since July last year. However, they have not linked the group to a specific country. According to the research, UNC2903 is an opportunistic group; however, it does not appear to be selling the stolen data, as is usually the case.