The Bling Libra attackers, better known as ShinyHunters, are now pairing data theft with deadline-driven ransom notes as their means of making money, rather than simply selling the stolen data on hacker forums.
The Bling Libra hacker collective responsible for the widely publicized Ticketmaster breach earlier this summer is expanding its operations beyond straightforward data theft and resale. It is now running extortion-based attacks in an ongoing campaign that targets cloud environments using valid, stolen credentials. Researchers at Palo Alto Networks' Unit 42 have disclosed new details on the group, which they track as "Bling Libra" (better known as ShinyHunters) and which is best known for stealing an astonishing 560 million customer records from the ticketing giant Ticketmaster and offering them for sale on BreachForums earlier this year.
According to a recent blog post by Unit 42's Margaret Zimmermann and Chandni Vaya, Bling Libra has since continued to target cloud systems with a consistent attack pattern. Since it emerged in 2020, the group has obtained valid credentials in order to reach database infrastructure and steal personally identifiable information (PII). Its recent change in strategy keeps that same initial-access step but adds the double-extortion tactics usually associated with ransomware groups: first steal the victim's data, then threaten to publish it unless a ransom is paid.
In a recent attack that Unit 42 investigated, the group used stolen credentials to enter an organization's Amazon Web Services (AWS) environment and then looked around, the researchers said. "While the permissions associated with the compromised credentials limited the impact of the breach, Bling Libra infiltrated the organization's AWS environment and conducted reconnaissance operations," they wrote. The attackers used tools such as WinSCP and S3 Browser to access Amazon Simple Storage Service (S3) objects, delete data and retrieve the configuration details of S3 buckets.
According to the researchers, Bling Libra took the AWS credentials from a sensitive file that had been exposed online and that in fact held a number of credentials. The hackers "specifically targeted the exposed AWS access key belonging to an identity and access management (IAM) user and a handful of other exposed credentials," they wrote.
Those credentials gave the threat actors access to the IAM user's AWS account with the AmazonS3FullAccess policy attached, which grants every S3 action on every bucket and object in the account, so they could work with the S3 buckets through ordinary AWS API calls. In this case that was enough: the attackers lingered in the environment for over a month before launching the attack proper, in which they exfiltrated the data, deleted it from the environment and left behind an extortion note giving the company a week to pay. Bling Libra then also created new S3 buckets, most likely "to mock the organization about the attack," the analysts said.
The June Ticketmaster attack was noteworthy for the volume of data Bling Libra obtained. At the time the group claimed that the more than half a billion stolen records included PII such as names, email addresses, postal addresses and partial payment card details. Later that month the group also claimed responsibility for a separate attack, carried out in May, on Ticketek Entertainment Group (TEG), an Australian company comparable to Ticketmaster. All told, the group has been linked to multiple significant data breaches affecting tens of millions of records.
Bling Libra often reaches its final targets through a third-party cloud provider. In the Ticketmaster case that provider was Snowflake, which Ticketmaster and other affected companies used. The attackers obtained credentials for these cloud accounts, which were weakly protected because multifactor authentication (MFA) had not been enabled. As the researchers noted, Bling Libra and other attackers exploit "a concerning trend of overly permissive credentials" and a lack of MFA to gain access to cloud environments. With more businesses moving critical operations to the cloud, they said, defenders must fix fundamental problems with authentication and permissions to stand a chance of preventing compromise by such actors.
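Both weaknesses the researchers point to (overly permissive credentials and no MFA) can be checked for in the IAM policy document itself. The following is an added example, not from the article or from Unit 42: a small linter that flags wildcard actions, wildcard resources and destructive permissions that are not gated on MFA, run against a policy equivalent to the AmazonS3FullAccess grant in the attack above and against a scoped replacement. The bucket name and the replacement policy are assumptions for illustration.

```python
# Added example, not from the article or from Unit 42: an IAM policy linter for
# the two weaknesses discussed above, shown against a policy equivalent to
# AmazonS3FullAccess and an assumed scoped replacement for an example bucket.
import fnmatch

# What AmazonS3FullAccess grants: every S3 action on every resource, no conditions.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}
    ],
}

# Scoped alternative (assumed bucket name): read one bucket, and allow deletes
# only when the calling session carries MFA, which a long-term access key never does.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::prod-exports"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::prod-exports/*"},
        {"Effect": "Allow",
         "Action": ["s3:DeleteObject"],
         "Resource": "arn:aws:s3:::prod-exports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Actions that let a caller destroy data or loosen the bucket's own controls.
DESTRUCTIVE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                       "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketVersioning"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may contain '*' or '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _mfa_required(statement):
    # Only a plain Bool condition counts: BoolIfExists passes callers whose
    # session has no MFA key at all, which is exactly a long-term access key.
    value = statement.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(value).lower() == "true"


def lint_policy(policy):
    """Return (statement index, finding) pairs for over-permissive Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard_action"))
        if "*" in resources:
            findings.append((i, "wildcard_resource"))
        grants_destructive = any(_action_matches(a, d) for a in actions for d in DESTRUCTIVE_ACTIONS)
        if grants_destructive and not _mfa_required(stmt):
            findings.append((i, "destructive_without_mfa"))
    return findings


if __name__ == "__main__":
    print("weak:", lint_policy(WEAK_POLICY))
    print("hardened:", lint_policy(HARDENED_POLICY))
```

The MFA condition is the part worth understanding: aws:MultiFactorAuthPresent is only set on temporary credentials obtained through an MFA-backed session, so a statement that requires it to be true is never satisfied by a leaked long-term access key of the kind used in the attack above. That is also why the linter refuses to count BoolIfExists as an MFA requirement.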