Security is an exercise in managing risk. Reviewing the common root causes of security incidents is an effective way to guide prioritized remediation efforts.
This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause. It will exclude incidents involving exposed data stores (e.g S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like nagwww's s3-leaks repo, upguard's reports, hackmeggedon's annual rollup reports (2022) and Corey Quinn's LWIAWS S3 Bucket Negligence Award.
It also excludes incidents impacting individuals, such as the periodic reports of cryptomining due to compromised credentials. 1 2 3
This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems 1, our goal is to learn from incidents without an atmosphere of blame.
A repository of breaches of AWS customers
| Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
|---|---|---|---|---|---|
| Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver’s licenses from S3 hosted database prunes | Exclusive: In lawsuit over hacking, Uber probes IP address assigned to Lyft exec - sources , A blameless post-mortem of USA v. Joseph Sullivan |
| Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
| BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | BrowserStack analysis |
| DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
| DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
| Uber | 2016, October | ~13 Hacked Uber credentials purchased for forum gave access to private Github Repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup | Uber concealed cyberattack ..., A blameless post-mortem of USA v. Joseph Sullivan |
| Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | 2 Plead Guilty in 2016 Uber and Lynda.com Hacks |
| OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
| Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
| DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instance started | Cryptomining | DXC spills AWS private keys on public GitHub |
| Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking | FEDERAL TRADE COMMISSION - Drizly Complaint |
| LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
| Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency |
| Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) | FTC Complaint |
| imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | Disclosure of Security Incidents on imToken |
| Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
| Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
| JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
| Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
| Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Imperva Security Update |
| Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
| Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
| Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | Washington State OAG - Live Auctioneers |
| Twilio | 2020, July | S3 global write access | N/A | Magecart2 | Incident Report: TaskRouter JS SDK Security Incident |
| Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
| Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users data exfiltrated | FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers |
| Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
| Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
| Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
| Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
| 20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
| Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884 |
| LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
| Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
| Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
| redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 |
| HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | Aruba Central Security Incident |
| Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
| Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
| Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
| npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users data (from 2015) | npm security update: Attack campaign using stolen OAuth tokens |
| Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | Uber - Security update |
| Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database | Notice of Recent Security Incident,Incident 2 – Additional details of the attack |
| Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information | Breach Notification Statement, Uber suffers new data breach after attack on vendor, info leaked online |
| CommuteAir | 2023, January | Publicly Exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List | how to completely own an airline in 3 easy steps, U.S. airline accidentally exposes ‘No Fly List’ on unsecured server |
| Report | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
|---|---|---|---|---|---|
| Mandiant M-Trends 2020 | 2020, February | Credentials stolen from GitHub repository commit history | Takes snapshot of EBS volumes, creates EC2 instances, exfiltrates data over SSH | Stolen EBS volumes | M-Trends 2020 |
| TeamTNT Worm | 2020, April | Misconfigured Docker & k8s platforms | Steals AWS credentials from ~/.aws/* | Cryptojacking for Monero | Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera” |
| Expel case study 1 | 2020, April | 8 IAM access keys compromised | Backdoored security groups | Command line access to EC2 instances | Finding evil in AWS: A key pair to remember |
| Expel case study 2 | 2020, July | Root IAM user access keycompromised | SSH keys generated for EC2 instances | Cryptojacking | Behind the scenes in the Expel SOC: Alert-to-fix in AWS |
| Mandiant: Insider Threat Scenario | 2020, September | Fired employee uses credentials | Access CI/CD server, create a new user, steal credentials | Deleted production databases | Cloud Breaches: Case Studies, Best Practices, and Pitfalls |
| FireEye M-Trends 2021 case study | 2021, April | Use of SSH key by former employee | Creates users and EC2 instances | Deleted RDS backups | M-Trends 2021 |
| DarkLab case study | 2021, July | Jenkins RCE | Create IAM users, use S3 Browser tool | Use environment to launch scanning, nuked account | Trouble in Paradise |
| Expel case study 3 | 2022, April | Credentials in publicly available code repository | AttachUserPolicy used for privesc | Cryptojacking (prevented) | Incident report: From CLI to console, chasing an attacker in AWS |
| Permiso case study 1 | 2022, June | Gitlab vulnerability (CVE-2021-22205) | Credentials on the system found, used to create a backup user | Cryptojacking | Anatomy of an Attack: Exposed keys to Crypto Mining |
| Clearvector case study | 2022, August | ADFS pivot into IAM Identity Center | N/A | N/A | Auditing identity activity for NOBELIUM and MagicWeb in AWS |
| Positive Thinking Company case study | 2022, June | Unknown | N/A | Cryptojacking | Mitigating a crypto jacking incident on an AWS machine from the earliest stages |
| Palo Alto Unit 42 | 2022, December | Code execution in Lambda context | Exfiltrate credentials from envvars | SES abuse for phishing | Compromised Cloud Compute Credentials: Case Studies From the Wild |
| Permiso case study 2 | 2022, December | Exploit publicly facing software, mainly Jupyter notebooks or k8s | N/A | Credential Theft | Cloud Cred Harvesting Campaign - Grinch Edition |
| Crowdstrike | 2022, December | Exploit known ForgeRock CVE | aws_consoler used to obtain pivot to console sessions without MFA | N/A | Responding to an attack in AWS, Part 2 |
| Expel case study 4 | 2023, January | Publicly exposed Postman server with access key credentials stored in the project’s variables | N/A | (likely) AWS SES abuse (prevented) | Incident report: stolen AWS access keys |
| Cado Security and Invictus Incident Response | 2023, January | N/A | Responding to an attack in AWS, Part 2 | ||
| AWS | 2023, February | Key disclosure, or SSRF | N/A | N/A | The anatomy of ransomware event targeting data residing in Amazon S3 |
| Sysdig | 2023, February | Exploit public facing k8s service | IAM creds in Lambda env vars and in S3 bucket | Data exfiltration | SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft |
| Name | Vectors | Reports |
|---|---|---|
| 8220 Gang | Exploit outdated and misconfigured software | JupiterOne - 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads |
| AlienFox | Opportunistic exploitation of server side misconfigurations, AWS and SES-centric functionality | [Sentine Labs - Dissecting AlienFox |
| AndroxGh0st / Xcatze | Exposed Laravel .env configs, use compromise for SES spam or malicious email | Lacework Labs - AndroxGh0st: the python malware exploiting your AWS keys |
| Cloud Snooper | Rootkit | Sophos - Cloud Snooper Attack Bypasses AWS Security Measures |
| Cosmic Wolf | Credential compromise | CrowdStrike - 2022 Global Threat Report |
| Demonia | Lambda Malware | Cado Discovers Denonia: The First Malware Specifically Targeting Lambda |
| Kinsing | Malware | CyberArk - Kinsing: The Malware with Two Faces |
| LAPSUS$ / DEV-0537 | phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval | Microsoft - DEV-0537 criminal actor targeting organizations for data exfiltration and destruction |
| Outlaw | Targeting known CVEs or SSH bruteforce | Outlaw Group Distributes Cryptocurrency-Mining Botnet |
| Rocke | Targeting known CVEs | Cisco Talos - Rocke: The Champion of Monero Miners |
| TeamTNT | Exploit misconfigured docker and k8s | MITRE ATT&CK - TeamTNT |
| UNC2903 | SSRF (targeting known CVEs) | Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 |
| Watchdog | Exploit misconfigured docker and k8s | TeamTNT Returns – or Does It? |
| Report | Takeaways |
|---|---|
| Palo Alto Unit 42: Cloud Threat Report H2 2020 | Unit 42 research shows that cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure |
| Accenture: Cyber Threat Intelligence Report Volume 2 - 2021 | Cloud environments were and continue to be attractive targets, perhaps due to lower monitoring levels than on-premise environments. ... cloud-related malware has evolved faster than more traditional malware in 2021 based on analysis of the rate of code changes between cryptominers (a primary malware malicious actors deploy in compromised cloud environments) compared to code changes in botnets and ransomware ... Accenture observed ransomware and extortion operators targeting cloud infrastructure and hosted backups in attempts to increase operational impact |
| Fugue: The State of Cloud Security 2021 | N/A |
| IBM Security: 2021 X-Force Cloud Threat Landscape Report | The three most commonly observed methods for threat actors to compromise cloud environments in cases studied by X-Force IR were password spraying, software vulnerability, and pivoting from an on-premise compromise to the cloud |
| IDC for Ermetic: State of Cloud Security 2021 | Most organizations (63%) confirmed that their sensitive data has been exposed in the cloud |
| Snyk: State of Cloud Native Application Security 2021 | Over 56% experienced a misconfiguration or known unpatched vulnerability incident involving their cloud native applications |
| GCP: November 2021 Cloud Threat Intelligence report | Of 50 recently compromised GCP instances, 86% of the compromised Google Cloud instances were used to perform cryptocurrency mining |
| AWS: 2022 re:Inforce session on ransomware h/t Rich Mogull | ransomware is a common problem for AWS customers, stemming from two common exploit vectors: A traditional ransomware attack against instances in AWS. The attacker compromises an instance (often via phishing a user/admin, not always direct compromise), then installs their malware to encrypt the data and spread to other reachable instances. This is really no different than ransomware in a data center since it doesn’t involve anything cloud-specific. The attacker copies data out of an S3 bucket and then deletes the original data. This is the most commonly seen cloud native ransomware on AWS. |
| AWS: AWS CIRT announces the release of five publicly available workshops | Over the past year, AWS CIRT has responded to hundreds of such security events, including the unauthorized use of AWS Identity and Access Management (IAM) credentials, ransomware and data deletion in an AWS account, and billing increases due to the creation of unauthorized resources to mine cryptocurrency. |
| CheckPoint: Cyber Security Report 2022 | Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers |
| CrowdStrike: 2022 Global Threat Report | Cloud-related threats are particularly likely to become more prevalent and to evolve, given that targeted intrusion adversaries are expected to continue prioritizing targets that provide direct access to large consolidated stores of high-value data |
| CrowdStrike: Protectors of the Cloud eBook | CrowdStrike continues to see adversary activity in three particular areas concerning the cloud: Neglected cloud infrastructure that is slated for retirement yet still contains sensitive data A lack of outbound restrictions and workload protection to exfiltrate your data Adversaries leveraging common cloud services to obfuscate malicious activity |
| Datadog: State of AWS Security 2022 | N/A |
| ENISA Threat Landscape 2022 | Cybercriminals target cloud services mostly in the following ways. \n * Exploiting cloud vulnerabilities: virtualisation infrastructure has been increasingly targeted (e.g. VMWare vSphere and ESXi platforms) by cybercriminals and especially by ransomware groups. • Using cloud services for hosting their infrastructure: cybercriminals take advantage of the highly scalable and reliable cloud infrastructure and use legitimate cloud services to bypass security controls by blending into normal network traffic. • Targeting cloud credentials: cybercriminals use social engineering attacks to harvest credentials for cloud services (e.g. Microsoft Office 365, Okta, etc.). • Exploiting misconfigured image containers cybercriminals increasingly target poorly configured Docker containers and Kubernetes clusters. • Targeting cloud instances for cryptomining (e.g. TeamTNT group): security researchers have identified a cloud-focused toolset from the TeamTNT group. • Targeting cloud infrastructure (e.g. Azure AD), cloud application programming interfaces (APIs), and cloud-hosted backups by ransomware groups to infiltrate cloud environments and increase impact. |
| Expel: Q1 2022 Threat Report | Misconfigurations and exposed long-term credentials in Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounted for 3% of incidents These incidents break down into two categories: 1. Admins accidentally setting AWS S3 Buckets to Public 2. Threat actors gaining access to exposed long-lived credentials in AWS and GCP, which resulted in unauthorized access |
| Fidelis: 2022 AWS Cloud Security Report | For the 31% of organizations that experienced a security incident in the cloud, misconfiguration was the leading cause (28%), followed by inappropriately shared data (17%) and account compromise (15%). Exploited vulnerabilities account for 13% of incidents |
| GCP: July 2022 Cloud Threat Intelligence report | the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password ... close behind brute force attacks was the exploitation of vulnerable software |
| IBM: Cost of a Data Breach 2022 | 45% of Breaches Were Cloud-Based. Stolen or compromised credentials were the number one attack vector in the past two years. Following credentials, the next most common initial attack vectors were: Second place: Phishing - 16% of breaches, $4.91M average costs Third place: Cloud misconfigurations - 15% of breaches, $4.14M average costs Fourth place: Third-party software vulnerability - 13% of breaches, $4.55M average costs |
| (ISC)2: 2022 Cloud Security Report | We asked cybersecurity professionals about the cloud security threats that most concern them. Misconfiguration of cloud security remains the biggest cloud security risk according to 62% of cybersecurity professionals in our survey. This is followed by insecure interfaces/APIs (54%), exfiltration of sensitive data (51%) and unauthorized access (50%). |
| Orca: 2022 State of Public Cloud Security | N/A |
| Palo Alto Unit 42: Incident Response Threat Report 2022 | Nearly 65% of known cloud security incidents were due to misconfigurations. The main culprit? IAM configuration. |
| riskrecon: Cloud Risk Surface Report | N/A |
| Snyk: State of cloud security 2022 | 80% of organizations experienced a serious cloud security incident during the last year - 33% breach, 26% leak, 27% intrusion, 23% cryptomining |
| Trend Micro: 2022 Midyear Cybersecurity Report | 62% of the respondents admitted to having blind spots that weaken their security posture. 37% of the organizations also claimed to have the least insight into cloud assets. 35% said the same of their insights into networks, while 32% responded that they have the least insight into their end-user assets. |
| Wiz: 2022 cloud security threats report | Effectively, unintentionally exposed databases are one of the most common sources of data breaches |
| GCP: GCAT Threat Horizons January 2023 | The most common cloud compromise factors from Q3 2022 include Weak or No Credentials (41.1%), API Compromise (19.6%), Software issue (17.9%), and Misconfiguration (16.1%) |
| Wiz: State of the Cloud 2023 | In experiments we ran where we created S3 buckets ... we spotted attempts to list the contents of the S3 buckets in as little as 13 hours |
| Permiso: 2022 - End of Year Observations | All of the incidents we detected and responded to were a result of a compromised credential ... GitHub is still one of the primary sources ... The majority of exposed keys live in three main file types: APKs, Windows Biaries, Plain Text Files |
| Date | Vulnerability | Reference |
|---|---|---|
| 2020, Feb | Credentials leaked in repository | Access to Glassdoor's Infra (AWS) and BitBucket account through leaked repo |
| 2021, Apr | Ssubdomain takeover, deleted EC2 instance | Subdomain takeover of www2.growasyouplan.com |
| 2021, Oct | AWS Creds hardcoded in MSI | Hardcoded AWS credentials in ███████.msi |
| 2021, Nov | Potential subdomain takeover, dangling CNAME | Possible Domain Takeover on AWS Instance |
| 2021, Nov | Subdomain takeover, deleted S3 bucket | Subdomain takeover of images.crossinstall.com |
| 2021, Dec | Account takeover via Cognito user email change | Flickr Account Takeover using AWS Cognito API |
| 2022, Oct | Subdomain takeover, deleted S3 bucket | Subdomain takeover at http://test.www.midigator.com |
| 2022, Nov | AWS credentials in string constant in public python package | Infosys leaked FullAdminAccess AWS keys on PyPi for over a year |
| 2022, Jan | NoSQL-Injection discloses discloses S3 File Upload URLs | NoSQL-Injection discloses S3 File Upload URLs |
| 2022, Dec | Lack of forced verification on email update in AWS Cognito | Account Takeover Due to Cognito Misconfiguration Earns Me €xxxx |
| 2023, Jan | AWS credentials found in 57 PyPi packages | I scanned every package on PyPi and found 57 live AWS keys |
| 2023, Jan | AWS credentials disclosed in client-side source | Owning half of a government assets through AWS |
| 2023, Feb | RCE in Lambda function with access to AWS credentials via /proc/*/environ | Facebook bug: A Journey from Code Execution to S3 Data Leak |
| 2023, Mar | Staging environment file leaked, revealing AWS Access Keys and Secrets | Saudi social media app leaks user info and pictures |
| 2023, Mar | Passive subdomain takeover | Passive Takeover - uncovering (and emulating) an expensive subdomain takeover campaign |
Server-side request forgery is a class of attack that is not cloud or AWS specific. However, the existence of cloud metadata services, such as IMDS in AWS, have historically allowed for a substantial straightforward impact when SSRF is achieved on a cloud hosted application. For that reason, we include this list of SSRF attacks against AWS environments.
- October 2014 - Prezi Got Pwned: A Tale of Responsible Disclosure
- Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite
- ESEA Server-Side Request Forgery and Querying AWS Meta Data
- A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF
- Dropbox - Full Response SSRF via Google Drive
- Mandiant - Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
- SSRF leads to access AWS metadata.
- Escalating SSRF to RCE
- SSRF Leads To AWS Metadata Exposure
- How I discovered an SSRF leading to AWS Metadata Leakage
- Exploitation of an SSRF vulnerability against EC2 IMDSv2
- Mozilla - AWS SSRF to Pull AWS Metadata and Keys
- Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion |
- SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
- Server Side Request Forgery (SSRF) at app.hellosign.com leads to AWS private keys disclosure
- SSRF via Office file thumbnails
- Getting AWS creds via SSRF on rss.app
- AWS takeover through SSRF in JavaScript
- Yahoo Small Business (Luminate) and the Not-So-Secret Keys
- Bug Bounty Story: Escalating SSRF to RCE on AWS
- A Nifty SSRF Bug Bounty Write Up
- Mozilla Hubs Cloud: cloud api credentials exposure
For more about this attack, please see Hacking the Cloud - Steal EC2 Metadata Credentials via SSRF
The initial data was collected for a talk at BSidesCT 2020: Learning from AWS (Customer) Security Incidents slides here A follow up talk was given at OWASP DevSlop in May 2022. video, slides
Postmortem Culture: Learning from Failure
Note: There have been numerous identified incidents of Magecart exploiting S3 Global Write - in one review targeting "well over 17,000 domains"