Monday, March 10, 2025

Threat Group 'Bling Libra' Pivots to Extortion for Cloud Attacks


The threat group behind the notorious Ticketmaster breach earlier this summer is evolving its tactics to go beyond data theft and the subsequent sale of stolen data. It is now embracing extortion-based attacks as it continues to target cloud environments with legitimate credentials.

Researchers at Palo Alto Networks' Unit 42 have revealed new details about the operations of the group it calls "Bling Libra" (aka ShinyHunters), which is perhaps best known for stealing a staggering 560 million customer records from events giant Ticketmaster and putting them up for sale on BreachForums earlier this year.

Since then, Bling Libra has continued to target cloud environments with a consistent attack pattern, according to a recent blog post by Unit 42's Margaret Zimmermann and Chandni Vaya. Since its inception in 2020, the group has been acquiring legitimate credentials in order to target database infrastructure and steal personally identifiable information (PII).

However, while the recent shift in tactics uses the same initial-access routine, Bling Libra has now pivoted to the double-extortion tactics typically associated with ransomware gangs: first stealing data from victims, then threatening to publish it online if a ransom is not paid.

Targeting AWS for Extortion

In a recent attack investigated by Unit 42, the group targeted an organization's Amazon Web Services (AWS) environment, using stolen credentials to gain access and then proceeding to poke around on the network, the researchers said.

"While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization's AWS environment and conducted reconnaissance operations," they wrote in the post. The group used tools such as the Amazon Simple Storage Service (S3) Browser and WinSCP to gather information on S3 bucket configurations, access S3 objects, and delete data.

Bling Libra lifted the AWS credentials from a sensitive file exposed on the Internet that actually contained a variety of credentials, the researchers noted. However, the group "specifically targeted the exposed AWS access key belonging to an identity and access management (IAM) user and a handful of other exposed credentials," they wrote.

The credentials allowed the threat actors to gain access to the AWS account where the IAM user resided and to perform AWS API calls against the S3 bucket in the context of the AmazonS3FullAccess policy, under which all S3 permissions are granted to the user.

In this case, however, that was enough for the attackers to lurk in the environment for about a month before launching an attack that exfiltrated data and deleted it from the environment, leaving behind an extortion note that gave the organization one week to pay a ransom. Bling Libra also created new S3 buckets in its wake, presumably "to mock the organization about the attack," the researchers said.

Credentials Remain a Security Gap

The Ticketmaster attack that came to light in June was notable for the sheer quantity of data Bling Libra was able to procure, with the group claiming at the time that the more than half-million records stolen included PII such as names, emails, addresses, and partial payment-card details.

Later that month, the group also claimed responsibility for a separate attack on a similar company in Australia, Ticketek Entertainment Group (TEG); like Ticketmaster, that attack occurred in May. Indeed, the group has been tied to a number of notable data breaches affecting tens of millions of data records.

In many cases, Bling Libra attacks its ultimate targets through a third-party cloud provider. In the case of Ticketmaster and others, that provider was Snowflake, and the attackers used credentials for legitimate cloud accounts that were vulnerable because they did not have multifactor authentication (MFA) enabled.

Indeed, lack of MFA and "a concerning trend of overly permissive credentials" are common themes in how not only Bling Libra but other attackers gain access to cloud environments, the researchers wrote. Since more and more organizations are moving critical operations to the cloud, defenders need to resolve basic issues around authentication and permissions to have any hope of avoiding compromise by savvy actors, they said.

Unit 42 recommended that organizations always use MFA wherever possible to avoid the initial-access scenario that Bling Libra exploited in the attack. Using a secure IAM solution that restricts user permissions to only the processes and assets they need (regardless of the individual IAM policies within each account) also could have prevented the attackers from gaining access to sensitive data, the researchers said.

"As businesses increasingly embrace cloud technologies, the threat posed by groups like Bling Libra underscores the importance of robust cybersecurity practices," they wrote. "By implementing proactive security measures and monitoring critical log sources, organizations can effectively safeguard their cloud assets and mitigate the impact of cyberthreats."
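The activity sequence described above (bucket-configuration reconnaissance by a leaked IAM user access key, followed weeks later by object deletion and the creation of new buckets) is the kind of pattern the "monitoring critical log sources" advice points at. The following is an added example, not code from Unit 42 or from the article: it profiles constructed CloudTrail-style S3 records per access key and flags keys whose reconnaissance is later followed by destructive or bucket-creation calls. Event names, user names, key IDs and IP addresses in the sample are made up.

```python
from collections import defaultdict

def ev(time, name, user, key, ip):
    """Build a minimal CloudTrail-style S3 record (real records carry many more fields)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "sourceIPAddress": ip}

# Constructed sample, not from the Unit 42 report: a leaked key walks the sequence the
# article describes (recon, then a month later reads, deletes and a new bucket), while
# an ordinary key only lists and reads objects.
SAMPLE_EVENTS = [
    ev("2024-07-01T09:00:00Z", "ListBuckets",     "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-07-01T09:01:00Z", "GetBucketPolicy", "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-07-01T09:02:00Z", "ListObjectsV2",   "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-08-02T03:10:00Z", "GetObject",       "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-08-02T03:40:00Z", "DeleteObject",    "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-08-02T03:41:00Z", "DeleteObject",    "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-08-02T03:45:00Z", "CreateBucket",    "svc-backup", "AKIA0000000000LEAKED", "203.0.113.10"),
    ev("2024-08-02T08:00:00Z", "ListObjectsV2",   "app-reader", "AKIA0000000000NORMAL", "198.51.100.7"),
    ev("2024-08-02T08:00:05Z", "GetObject",       "app-reader", "AKIA0000000000NORMAL", "198.51.100.7"),
]

RECON = {"ListBuckets", "GetBucketPolicy", "GetBucketAcl", "GetBucketVersioning",
         "ListObjects", "ListObjectsV2"}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
CREATE = {"CreateBucket"}

def profile_access_keys(events):
    """Summarise S3 activity per IAM user access key: first recon and delete times,
    delete/create counts and the source IPs seen (timestamps are UTC ISO strings, so
    sorting them as strings keeps chronological order)."""
    prof = defaultdict(lambda: {"user": None, "first_recon": None, "first_delete": None,
                                "deletes": 0, "creates": 0, "ips": set()})
    for e in sorted(events, key=lambda x: x["eventTime"]):
        ident = e.get("userIdentity", {})
        if e.get("eventSource") != "s3.amazonaws.com" or ident.get("type") != "IAMUser":
            continue
        p = prof[ident["accessKeyId"]]
        p["user"] = ident.get("userName")
        p["ips"].add(e.get("sourceIPAddress"))
        name = e["eventName"]
        if name in RECON:
            p["first_recon"] = p["first_recon"] or e["eventTime"]
        elif name in DESTRUCTIVE:
            p["deletes"] += 1
            p["first_delete"] = p["first_delete"] or e["eventTime"]
        elif name in CREATE:
            p["creates"] += 1
    return dict(prof)

def flag_suspicious(events):
    """Return keys whose bucket reconnaissance is later followed by object deletion
    or new-bucket creation; an ordinary list-then-read key is not flagged."""
    flagged = {}
    for key, p in profile_access_keys(events).items():
        destructive = p["deletes"] > 0 or p["creates"] > 0
        recon_first = p["first_delete"] is None or p["first_delete"] > p["first_recon"]
        if p["first_recon"] and destructive and recon_first:
            flagged[key] = p
    return flagged
```

Run against real CloudTrail exports, the same profile also makes the access key's source IPs and long dwell time visible, which is the rotation and scoping conversation the article's IAM advice calls for.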
