Incident Details
Mandiant identified a new threat actor, UNC2903, exploiting vulnerabilities in Amazon Instance Metadata Service (IMDS) to harvest and abuse credentials.
Incident
How Did the Breach Happen?
UNC2903 exploited Adminer, an open-source database management tool affected by a known server-side request forgery vulnerability, CVE-2021-21311. Using a specially crafted relay box and redirect script, UNC2903 caused the victim's server to make requests on the attacker's behalf and inadvertently reveal the AWS API credentials served by IMDS.
What Data has been Compromised?
AWS API credentials were compromised, potentially allowing access to the victim's AWS account. The specific extent of the data accessed is unknown as the victim has not been identified.
Why Did the Company's Security Measures Fail?
The victim had not enforced IMDSv2, did not restrict IAM role access, allowed the instance's credentials to be used from the internet, lacked internet egress filtering, had no specific S3 bucket policies in place, and did not limit the service ports exposed.
What Immediate Impact Did the Breach Have on the Company?
While the immediate impact on the company is not detailed in the provided information, compromised AWS API credentials typically lead to unauthorized access, data loss, or data exposure.
How could this have been prevented?
Enforcing IMDSv2, restricting IAM role and credential access, filtering outbound server traffic, enforcing S3 bucket policies, and limiting the allowed service ports could have prevented the breach.
What have we learned from this data breach?
It is critical to stay current with security patches, enforce strict access controls and policies, use hardening features such as IMDSv2, and continuously monitor for unusual activity, such as instance credentials being used from unexpected locations, to prevent credential abuse.
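The monitoring point above can be made concrete with CloudTrail: credentials issued by IMDS to an EC2 instance role carry the instance ID as the role session name, so any API call made with them from an IP outside the account's known egress ranges is worth alerting on. The following is an added example, not code from Mandiant or the original page; the allowed CIDR list and the sample events are constructed, and the field layout follows CloudTrail's JSON records.

```python
"""Flag EC2 instance-role credentials used from outside expected networks.

Added example. Assumptions: CloudTrail events are available as dicts parsed
from JSON; IMDS-issued credentials use the instance ID as the role session
name (so principalId ends in ":i-..."); ALLOWED_CIDRS is a constructed list
of the account's expected public egress ranges.
"""
import ipaddress
import re

# Constructed: public ranges the workload is expected to call AWS from.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def is_instance_role_session(event):
    """True if the caller used credentials an EC2 instance got from IMDS."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    # principalId looks like "AROA...:i-0123456789abcdef0" for instance roles
    session_name = ident.get("principalId", "").split(":", 1)[-1]
    return bool(INSTANCE_SESSION.match(session_name))


def source_is_expected(event):
    """True if the call came from an allowed CIDR or an AWS service on our behalf."""
    src = event.get("sourceIPAddress", "")
    if src.endswith(".amazonaws.com"):
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_CIDRS)


def find_suspicious(events):
    """Return (instance_id, source_ip, event_name) for off-network use of instance creds."""
    hits = []
    for ev in events:
        if is_instance_role_session(ev) and not source_is_expected(ev):
            inst = ev["userIdentity"]["principalId"].split(":", 1)[-1]
            hits.append((inst, ev.get("sourceIPAddress"), ev.get("eventName")))
    return hits


# Constructed sample events: one legitimate call from the expected range, one
# call with the same instance's credentials from an unrelated internet address.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:i-0abc1234567890def"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:i-0abc1234567890def"}},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` reports only the second event; in practice the same check can be fed from a CloudTrail Lake or SIEM query rather than a static list.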
Summary of Coverage
Mandiant discovered threat actor UNC2903 exploiting a vulnerability in the Adminer tool to abuse Amazon IMDS and obtain AWS API credentials. Inadequate security controls, including not adopting IMDSv2 and lax IAM policies, led to the breach. Mandiant emphasizes the importance of robust security measures, including moving to newer services such as IMDSv2 and comprehensive logging and alerting, to prevent similar attacks.