AWS | Breaking Cybersecurity News | The Hacker News

If you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer's responsibility. Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems, and ensure valuables aren't left exposed. In this blog, we'll clarify what AWS doesn't secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help. Understanding the AWS Shared Responsibility Model AWS operates on a Shared Responsibility Model . In simple terms: AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) - the "walls and roof." The customer is responsible for securing their data, applications, and configurations within AWS - the "locks and al...

Threat actors are targeting Amazon Web Services ( AWS ) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42. The cybersecurity company is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation ), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to be active since 2019. "The group focused historically on defacing websites," security researcher Margaret Kelley said . "In 2022, they pivoted to sending out phishing emails for financial gain." It's worth noting that these attacks do not exploit any vulnerability in AWS. Rather, the threat actors take advantage of misconfigurations in victims' environments that expose their AWS access keys in order to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail services. In doing so, the modus operandi offers the benefit of not having to...

Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025 , This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions. The report reveals several findings that IT and security leaders will find interesting, as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, if extension developers are to be trusted, and more. Below, we bring key statistics from the report. Highlights from the Enterprise Browse...

Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image ( AMI ) with a specific name to gain code execution within the Amazon Web Services (AWS) account. "If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report shared with The Hacker News. "The vulnerable pattern can be found in many private and open source code repositories." At its heart, the technique is a subset of a supply chain attack that involves publishing a malicious resource and tricking misconfigured software into using it instead of the legitimate counterpart. The attack exploits the fact that anyone can AMI, which refers to a virtual machine image that's used to boot up Elastic Compute Cloud (EC2) instances in AWS, to the community catalog and the fact that developers could omit to mention the "--owners...

Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report . TRIPLESTRENGTH engages in a trifecta of malicious attacks, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, to other threat actors. Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryp...

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security , initial access is said to have been facilitated by means of a JavaScript malware downloaded named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates. Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads. As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plug...

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak , up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone . One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1 , and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk.  Why Does Rotation Take So L...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials. The package in question is " fabrice ," which typosquats a popular Python library known as " fabric ," which is designed to execute shell commands remotely over SSH.  While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said . "Fabrice" is designed to carry out its malicious actions ...

Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. "The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," Aqua researchers Ofek Itach and Yakir Kadkoda said in a report shared with The Hacker News. Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. AWS CDK is an open-source software development framework for defining cloud application resources using Python, TypeScript, or JavaScript and provisioning them via CloudFormation. The problem identified by Aqua builds upon prior findings from the cloud security firm about shadow resources in AWS, and how predefined naming conventions for AWS Simple Storage Service (S3) buckets ...

As many as 15,000 applications using Amazon Web Services' (AWS) Application Load Balancer (ALB) for authentication are potentially susceptible to a configuration-based issue that could expose them to sidestep access controls and compromise applications. That's according to findings from Israeli cybersecurity company Miggo, which dubbed the problem ALBeast . "This vulnerability allows attackers to directly access affected applications, particularly if they are exposed to the internet," security researcher Liad Eliyahu said . ALB is an Amazon service designed to route HTTP and HTTPS traffic to target applications based on the nature of the requests. It also allows users to "offload the authentication functionality" from their apps into the ALB. "Application Load Balancer will securely authenticate users as they access cloud applications," Amazon notes on its website. "Application Load Balancer is seamlessly integrated with Amazon Cognit...

As cloud infrastructure becomes the backbone of modern enterprises, ensuring the security of these environments is paramount. With AWS (Amazon Web Services) still being the dominant cloud it is important for any security professional to know where to look for signs of compromise. AWS CloudTrail stands out as an essential tool for tracking and logging API activity, providing a comprehensive record of actions taken within an AWS account. Think of AWS CloudTrail like an audit or event log for all of the API calls made in your AWS account. For security professionals, monitoring these logs is critical, particularly when it comes to detecting potential unauthorized access, such as through stolen API keys. These techniques and many others I've learned through the incidents I've worked in AWS and that we built into SANS FOR509 , Enterprise Cloud Forensics.  1. Unusual API Calls and Access Patterns A. Sudden Spike in API Requests One of the first signs of a potential security breach is ...

Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. "The impact of these vulnerabilities range between remote code execution (RCE), full-service user takeover (which might provide powerful administrative access), manipulation of AI modules, exposing sensitive data, data exfiltration, and denial-of-service," cloud security firm Aqua said in a detailed report shared with The Hacker News. Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024. Central to the issue, dubbed Bucket Monopoly, is an attack vector referred to as Shadow Resource, which, in this case, refers to the automatic creation of an AWS S3 bucket when using services like CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. The S3 bucket name created in...

As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called  Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag  said  in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company  detailed  an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell sc...

Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate. "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News. SCARLETEEL was  first exposed  by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems' resources illegally. A follow-up analysis by Cado Security  uncovered  potential links to a prolific cryptojacking group known as  TeamTNT , although Sysdig told The Hacker News that it "could be...

A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company's Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker  GUI-vil  (pronounced Goo-ee-vil). "The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "Upon gaining AWS Console access, they conduct their operations directly through the web browser." Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g.,  CVE-2021-22205 ). A successful ingress is followed by privilege escalation and...