During an incident response engagement handled by Unit 42, it was observed that the threat actor group Bling Libra (which was responsible for distributing ShinyHunters ransomware) had shifted to extorting victims directly, rather than its traditional tactic of selling or publishing stolen data, in an attempt to increase its profits.
The engagement also showed how the group obtained legitimate credentials that had been exposed in public repositories and used them to gain initial access to an organization's Amazon Web Services (AWS) environment.
Although the compromised credentials carried only limited permissions, which limited their impact, Bling Libra still used them to infiltrate the organization's AWS environment and conduct reconnaissance there.
The group used tools such as S3 Browser and WinSCP to gather information about Amazon Simple Storage Service (S3) bucket configurations, interact with S3 objects, and delete files from the service.
Through earlier high-profile data breaches, including the Microsoft GitHub and Tokopedia incidents in 2020, Bling Libra built a business model centered on monetizing stolen data through underground marketplaces.
However, a recent Unit 42 report documents a significant change in the group's methods. As of 2024, Bling Libra has shifted its business model from data theft to extortion, primarily targeting weaknesses in cloud-based environments to increase its revenue.
As Unit 42 explained in its latest report, Bling Libra carried out the latest attack using AWS credentials obtained from a sensitive file that had been exposed online.
The credentials belonged to an Identity and Access Management (IAM) user, giving the attackers access to the victim's AWS account. Although the user's permissions were restricted to Amazon S3 resources, Bling Libra used them to gain a foothold in the cloud environment.
Although Bling Libra's method of gaining initial access to victims is unchanged, it has now adopted the double-extortion tactics normally associated with ransomware gangs: it first steals data from victims and then threatens to publish it online if they do not pay the ransom.
According to the researchers, the credentials came from a sensitive file that an individual had exposed on the Internet, and that file contained a variety of credentials. Aside from these exposed AWS access keys, the group also claimed that it "targeted a few other one-time credentials that were exposed by this individual as well as a few other exposed AWS access keys belonging to this individual."
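The initial access described above started with AWS keys sitting in a file that was committed or published somewhere public. The scanner below is an added example (not code from the article or from Unit 42) of the check a defender runs over a repository before it is pushed: it looks for the fixed-format AWS access key ID and for a secret access key sitting behind a tell-tale variable name, and reports only a redacted form so the finding itself does not leak the secret. The sample file contents are constructed, and the key values are the example credentials AWS uses in its own documentation.

```python
import os
import re
from typing import List, NamedTuple

# AWS access key IDs are 20 uppercase alphanumerics with a fixed 4-letter prefix:
# AKIA = long-term IAM user key (the kind that was exposed here), ASIA = temporary STS key.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 base64-style characters with no distinctive prefix, so
# they are only reported when assigned to a variable whose name gives them away.
SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
)


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str  # redacted: first and last 4 characters only


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Finding]:
    """Scan one file's contents and return redacted findings with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a checkout (skipping .git) and map each file path to its findings."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found:
                results[path] = found
    return results


# Constructed .env file committed by mistake. The key values are the example
# credentials from AWS's documentation, not real secrets.
SAMPLE_REPO_FILE = """\
# deployment settings
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GIT_SHA=4b825dc642cb6eb9a060e54bf8d69288fbee4904
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_REPO_FILE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

The 40-character git SHA on the last sample line is deliberately there: it has the right length for a secret key but no `aws_secret_access_key` assignment in front of it, so it is not reported. A scan like this belongs in a pre-commit hook or CI job; it does not replace rotating any key that has already reached a public repository, because the history is still public even after the file is removed.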
With these credentials, the threat actors could access the AWS account in which the IAM user resided and make AWS API calls against S3 buckets under the AmazonS3FullAccess policy, which grants the user full permissions on S3.
The attackers lurked in the environment for about a month before launching an attack in which they exfiltrated data, deleted it from the environment, and left an extortion note demanding a ransom payment.
The note gave the victim a week to pay. Bling Libra reportedly also created new S3 buckets in the aftermath of the attack, presumably to mock the organization.
The June attack on Ticketmaster was notable for the amount of data Bling Libra was able to obtain. At the time, the organization claimed that a total of more than half a million records were stolen, some of which contained personally identifiable information (PII) such as names, emails, addresses, and partial credit card information.
In May, the same group also claimed responsibility for several other attacks, including one on Ticketek Entertainment Group (TEG) in Australia, that occurred around the same time as the Ticketmaster attack; like Ticketmaster, TEG was attacked at the beginning of May. The group has been linked to several significant data breaches affecting millions of records, with severe consequences.
In the final phase of the attack, Bling Libra created new S3 buckets with mocking names to signal its control over the environment.
The threat group Bling Libra has adopted a new tactic, pivoting to extortion as its primary method of monetizing breaches.
Following their recent cloud-based attacks, the group sent out extortion emails demanding payment in exchange for the return of stolen data and the cessation of further malicious activities. This shift in strategy underscores their focus on using extortion as a central means to profit from their operations.
A recent report by Unit 42 offers a comprehensive analysis of Bling Libra's operational tools, particularly emphasizing their use of S3 Browser and WinSCP.
These tools enable the threat actors to interact seamlessly with Amazon Web Services (AWS) environments. The report provides in-depth insights that assist incident responders in distinguishing between legitimate tool usage and activities indicative of a security breach.
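The activity sequence the article describes (bucket enumeration, object reads, a burst of deletions, then creation of new buckets, all driven from a desktop client with a long-term IAM user key) is visible in CloudTrail, and the report's point is that responders need to tell it apart from routine tool use. The detector below is an added example, not code from the article or Unit 42, that groups constructed CloudTrail-shaped records by principal and raises one alert per pattern. The user-agent substrings for S3 Browser and WinSCP are assumptions and should be confirmed against the strings seen in your own trail; the bucket names, account identity names and IP address are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# User-agent substrings ASSUMED to identify the desktop clients named in the
# article; confirm against the user agents actually seen in your CloudTrail.
SUSPECT_CLIENT_MARKERS = ("S3 Browser", "WinSCP")
# Control-plane calls typical of an actor mapping out what a key can reach.
RECON_EVENTS = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy",
                "GetBucketVersioning", "GetBucketLocation"}
DELETE_THRESHOLD = 5                    # this many object deletions ...
DELETE_WINDOW = timedelta(minutes=10)   # ... inside this window is a burst


def principal(ev):
    """Stable key for the identity behind an event: type plus user name or ARN."""
    ident = ev["userIdentity"]
    return f'{ident["type"]}:{ident.get("userName") or ident.get("arn", "?")}'


def event_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return (principal, alert_kind, detail) tuples for suspicious S3 activity."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "s3.amazonaws.com":
            by_principal[principal(ev)].append(ev)

    alerts = []
    for who, evs in by_principal.items():
        evs.sort(key=event_time)

        # 1. A third-party desktop client driving the S3 API.
        agents = {ev.get("userAgent", "") for ev in evs}
        for marker in SUSPECT_CLIENT_MARKERS:
            if any(marker in agent for agent in agents):
                alerts.append((who, "third_party_s3_client", marker))

        # 2. Enumeration: ListBuckets followed by per-bucket configuration reads.
        names = Counter(ev["eventName"] for ev in evs)
        recon_calls = sum(names[n] for n in RECON_EVENTS)
        if names["ListBuckets"] and recon_calls >= 3:
            alerts.append((who, "s3_reconnaissance", f"{recon_calls} enumeration calls"))

        # 3. A burst of object deletions (destruction after exfiltration).
        deletes = [event_time(ev) for ev in evs
                   if ev["eventName"] in ("DeleteObject", "DeleteObjects")]
        for i, start in enumerate(deletes):
            burst = sum(1 for t in deletes[i:] if t - start <= DELETE_WINDOW)
            if burst >= DELETE_THRESHOLD:
                alerts.append((who, "bulk_s3_delete", f"{burst} deletes in {DELETE_WINDOW}"))
                break

        # 4. Bucket creation by a principal that should only touch objects.
        created = [ev["requestParameters"].get("bucketName", "?")
                   for ev in evs if ev["eventName"] == "CreateBucket"]
        if created:
            alerts.append((who, "bucket_created", ", ".join(created)))
    return alerts


def _event(minute, name, ident_type, ident_name, agent, bucket=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    t = datetime(2024, 5, 1, 3, 0, 0) + timedelta(minutes=minute)
    return {
        "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": ident_type, "userName": ident_name},
        "userAgent": agent,
        "sourceIPAddress": "203.0.113.10",  # TEST-NET-3 documentation address
        "requestParameters": {"bucketName": bucket} if bucket else {},
    }


ACTOR = ("IAMUser", "ci-deploy", "S3 Browser/11.0 (constructed; real string may differ)")
BACKUP = ("AssumedRole", "nightly-backup", "aws-cli/2.15.0 (constructed)")

SAMPLE_EVENTS = (
    [_event(0, "ListBuckets", *ACTOR),
     _event(1, "GetBucketAcl", *ACTOR, "corp-backups"),
     _event(1, "GetBucketPolicy", *ACTOR, "corp-backups"),
     _event(2, "GetBucketAcl", *ACTOR, "corp-exports")]
    + [_event(3 + i, "GetObject", *ACTOR, "corp-exports") for i in range(3)]
    + [_event(30 + i, "DeleteObject", *ACTOR, "corp-exports") for i in range(5)]
    + [_event(40, "CreateBucket", *ACTOR, "bucket-created-by-actor")]
    # A legitimate backup role doing routine object reads/writes with the AWS CLI.
    + [_event(5, "GetObject", *BACKUP, "corp-backups"),
       _event(6, "PutObject", *BACKUP, "corp-backups")]
)

if __name__ == "__main__":
    for who, kind, detail in analyze(SAMPLE_EVENTS):
        print(f"{who}: {kind} ({detail})")
```

Two caveats matter when running this against a real trail: `GetObject`, `PutObject` and `DeleteObject` are S3 data events and only appear if data event logging is enabled for the buckets in question, and `ListBuckets` and the `GetBucket*` calls are legitimate for administrators, so the enumeration rule is only useful once tuned to the principals that normally make them.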
To counteract such threats, Unit 42 strongly advises organizations to adhere to the principle of least privilege, ensuring that users have only the minimal level of access necessary to perform their functions.
Additionally, they recommend implementing robust security measures, including the use of AWS IAM Access Analyzer and AWS Service Control Policies. These tools are essential for mitigating the risks associated with similar attacks on cloud infrastructure.
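The AmazonS3FullAccess policy mentioned earlier, the least-privilege advice, and the Service Control Policy recommendation fit together as layers, and the point is easiest to see by evaluating concrete requests against each. The code below is an added example, not from the article or Unit 42: it holds the shape of the managed policy alongside a constructed scoped replacement and a constructed SCP, and runs a deliberately simplified IAM decision (SCP deny, then identity deny, then identity allow, then implicit deny) over them. The account ID, bucket names, role name and user name are all constructed.

```python
from fnmatch import fnmatchcase

# Shape of the AWS managed policy named in the article (as published at the time
# of writing; compare against the current managed policy in your own account).
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}

# Constructed least-privilege replacement for a CI user that only needs to read
# and write objects under one prefix of one bucket.
SCOPED_CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::corp-exports"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::corp-exports/ci/*"},
    ],
}

# Constructed Service Control Policy: nobody in the organization except one named
# admin role may delete buckets or loosen bucket-level controls, whatever their
# identity policy says.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectBucketLevelControls",
        "Effect": "Deny",
        "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl",
                   "s3:PutBucketPublicAccessBlock"],
        "Resource": "*",
        "Condition": {"StringNotLike": {
            "aws:PrincipalArn": "arn:aws:iam::*:role/StorageAdmin"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """IAM-style wildcard matching (* and ?) for the Action and Resource elements."""
    return (any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])))


def _condition_holds(stmt, principal_arn):
    """Only aws:PrincipalArn with StringLike/StringNotLike is modelled; anything
    else is treated as satisfied, which is the conservative choice for a Deny."""
    for operator, keys in stmt.get("Condition", {}).items():
        patterns = _as_list(keys.get("aws:PrincipalArn", []))
        if not patterns:
            continue
        hit = any(fnmatchcase(principal_arn, p) for p in patterns)
        if operator == "StringNotLike" and hit:
            return False
        if operator == "StringLike" and not hit:
            return False
    return True


def evaluate(action, resource, principal_arn, identity_policy, scp=None):
    """Simplified decision: SCP deny > identity deny > identity allow > implicit deny."""
    for stmt in (scp or {}).get("Statement", []):
        if (stmt["Effect"] == "Deny" and _matches(stmt, action, resource)
                and _condition_holds(stmt, principal_arn)):
            return "DENIED_BY_SCP"
    decision = "IMPLICIT_DENY"
    for stmt in identity_policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"
        decision = "ALLOWED"
    return decision


def overly_broad(policy):
    """Flag Allow statements that a least-privilege review would reject."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            issues.append("wildcard action")
        if "*" in _as_list(stmt["Resource"]):
            issues.append("wildcard resource")
    return issues


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/ci-deploy"       # constructed
    obj = "arn:aws:s3:::corp-exports/ci/report.csv"
    print("full access, DeleteObject:", evaluate("s3:DeleteObject", obj, user, AMAZON_S3_FULL_ACCESS, ORG_SCP))
    print("scoped,      DeleteObject:", evaluate("s3:DeleteObject", obj, user, SCOPED_CI_POLICY, ORG_SCP))
    print("full access, DeleteBucket:", evaluate("s3:DeleteBucket", "arn:aws:s3:::corp-exports", user, AMAZON_S3_FULL_ACCESS, ORG_SCP))
```

Running the three requests shows the division of labour: the SCP stops bucket deletion even for a principal holding AmazonS3FullAccess, but it does nothing about the object deletions in this incident; only the scoped identity policy removes that capability. The evaluator ignores resource policies, permission boundaries and session policies, so it illustrates the layering rather than replacing the IAM policy simulator or IAM Access Analyzer for a real review.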
As businesses increasingly depend on cloud technologies, maintaining a proactive and vigilant cybersecurity posture is critical. Organizations must be diligent in their efforts to protect their cloud environments from sophisticated threat actors like Bling Libra.