A significant cyber operation exploiting vulnerabilities in improperly configured public websites has been linked to the Nemesis and ShinyHunters hacking groups, exposing sensitive data, including customer information, infrastructure credentials and proprietary source code.
According to independent cybersecurity researchers Noam Rotem and Ran Locar, the attackers orchestrated a large-scale internet scan targeting vulnerable endpoints within Amazon Web Services (AWS) IP ranges.
They accessed sensitive information through misconfigured systems, resulting in over 2 TB of compromised data. This data included thousands of credentials and secrets alongside detailed lists of exploitable targets worldwide.
How the Operation Worked
The cybercriminals implemented a two-phase attack strategy:
- Discovery: Using publicly available AWS IP ranges, attackers identified potential targets by scanning for application vulnerabilities or misconfigurations. They employed tools like Shodan to perform reverse lookups on IP addresses and extract associated domain names. SSL certificate analysis further expanded their domain target lists.
- Exploitation: The group scanned exposed endpoints for sensitive data, including database access credentials, API keys and other security secrets. Exploits such as remote shells enabled deeper penetration into compromised systems.
The stolen information ranged from AWS keys to credentials for popular platforms like GitHub, Twilio and cryptocurrency exchanges. Verified credentials were later marketed on Telegram channels for hundreds of euros per breach.
The research uncovered links between the operation and Sebastien Raoult, associated with the defunct ShinyHunters group. Other connections tied the attackers to the Nemesis Blackmarket, known for selling stolen credentials.
“Both of these ‘gangs’ represent a technically sophisticated cybercriminal syndicate that operates at scale for profit,” said Jim Routh, chief trust officer at Saviynt.
“They use their technical skills to identify weaknesses in controls from enterprises migrating to cloud computing without fully understanding the complexity of services nor the controls offered in cloud computing. The diversity in targeted information [...] sought is significant, and the scale of operations for the criminals is significant.”
Mitigation and Prevention
AWS collaborated with the researchers and emphasized that the breaches stemmed from customer-side misconfigurations under the shared responsibility model.
Customers were advised to:
- Avoid hard-coded credentials by using services like AWS Secrets Manager
- Periodically rotate keys and secrets
- Deploy Web Application Firewalls (WAFs)
- Use CanaryTokens as tripwires for sensitive information
While AWS took steps to mitigate the attack’s impact, experts warn that such operations persist. Proactive measures, including regular vulnerability assessments, remain crucial to safeguarding digital assets.
A statement from an AWS spokesperson sent to Infosecurity said: “All services are operating as expected. AWS credentials include secrets that must be handled securely. AWS provides capabilities which remove the need to ever store these credentials in source code. For example, AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles."
It continued: "Customers still sometimes inadvertently expose credentials in public code repositories. When AWS detects this exposure, we automatically apply a policy to quarantine the IAM user with the compromised credentials to drastically limit the actions available to that user, and we notify the customer. If a customer's credentials are compromised, we recommend they revoke the credentials, check AWS CloudTrail logs for unwanted activity, and review their AWS account for any unwanted usage.”
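The hard-coded credentials that the mitigation advice and the AWS statement refer to can be caught before they reach a public repository or a web-served config file. The following Python scanner is an added example, not code from the article or from AWS: it flags access key IDs by their fixed prefix and length, and secret keys by a Shannon-entropy check that suppresses template placeholders. The key and secret values in the sample are the example values AWS uses in its documentation, and the .env content is constructed.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a prefix (AKIA for long-lived IAM user
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 characters of base64-style text; match them only
# when they sit beside a variable name that says what they are.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

# Constructed sample .env file; the key/secret pair is AWS's documented example.
SAMPLE_ENV = """\
# constructed sample .env file, not data from any real system
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2
# placeholder left in a template; low entropy, should not be reported
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real secrets are close to random."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(text: str, min_entropy: float = 3.5):
    """Return (line_number, kind, value) for each suspected AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Placeholders such as a run of 'x' have near-zero entropy; skip them.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append((lineno, "secret_access_key", candidate))
    return findings


def scan_sample():
    """Scan the constructed sample; expected: one key ID and one real secret."""
    return find_aws_credentials(SAMPLE_ENV)


if __name__ == "__main__":
    for lineno, kind, value in scan_sample():
        print(f"line {lineno}: {kind} = {value[:4]}...")
```

Run over a checkout as a pre-commit hook or in CI; anything it reports should be moved into a secrets store such as AWS Secrets Manager and the exposed key rotated.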
Updated: This article was updated on December 12 to include a statement from AWS, and the headline was amended to reflect that no AWS infrastructure was breached or exploited to get the customer data.