AWS customers face massive breach amid alleged ShinyHunters regroup

The code found in the S3 bucket showed that the breach ran in two stages, discovery and then exploitation. Discovery started from an AWS IP range, which was expanded into a list of domains using Shodan and the hostnames found in SSL/TLS certificates. The scanners then identified exposed endpoints, fingerprinted the systems behind them, and extracted data such as database credentials and AWS keys.

The attackers used custom Python and PHP scripts to exploit exposed deployments of open-source frameworks such as Laravel and harvest whatever secrets those deployments leaked, including Git, SMTP and cryptocurrency keys. Credentials that checked out were stored for later use, and remote shells were planted where deeper access was wanted.
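The harvesting step above is easiest to understand from the defender's side: given one exposed Laravel-style `.env` file, what does an attacker walk away with? The following script is an added example and is not code from the article or from the toolkit it describes. It parses a `.env` file and tags each variable by the kind of secret it holds (AWS key pair, database, SMTP, Git token, wallet key, Laravel `APP_KEY`), so it can be run over your own deployed configs or over a dump recovered during incident response. The variable names follow Laravel's default layout; the sample values are constructed (the AWS pair is Amazon's documented example key, which is not live), and the regex rules are this example's own assumptions about what those secrets look like.

```python
"""Triage an exposed Laravel-style .env file: what would an attacker get?

Added example, not code from the article or from the toolkit it describes.
Variable names follow Laravel's default .env layout; values are constructed.
"""
import re

# Constructed sample in Laravel's .env layout; every value is fake.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
APP_DEBUG=true
DB_CONNECTION=mysql
DB_HOST=db.internal
DB_USERNAME=shop
DB_PASSWORD="s3cret-db-pass"
MAIL_HOST=smtp.example.net
MAIL_USERNAME=mailer@example.net
MAIL_PASSWORD=smtp-pass-123
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
# wallet used by the payout job
WALLET_PRIVATE_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# (category, regex on the variable name, regex on the value). A variable is
# tagged when either side matches; None disables that side. Name patterns
# catch the Laravel defaults, value patterns catch secrets stored under
# non-standard names. These patterns are assumptions of this example.
RULES = [
    ("aws_access_key_id", r"^AWS_ACCESS_KEY_ID$", r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
    ("aws_secret_access_key", r"^AWS_SECRET_ACCESS_KEY$", r"^[A-Za-z0-9/+]{40}$"),
    ("database_credential", r"^DB_(USERNAME|PASSWORD)$", None),
    ("smtp_credential", r"^MAIL_(USERNAME|PASSWORD)$", None),
    ("git_token", r"(GITHUB|GITLAB|GIT)_?TOKEN", r"^gh[pousr]_[A-Za-z0-9]{36}$"),
    ("crypto_private_key", r"(WALLET|PRIVATE_KEY)", r"^(0x)?[0-9a-fA-F]{64}$"),
    ("laravel_app_key", r"^APP_KEY$", None),
]


def parse_env(text):
    """Parse KEY=value lines; comments, blanks, 'export' and quotes are handled."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name.strip()] = value
    return env


def classify_env(text):
    """Return {category: [variable names]} for everything worth rotating."""
    env = parse_env(text)
    findings = {}
    for name, value in env.items():
        for category, name_re, value_re in RULES:
            if (name_re and re.search(name_re, name)) or (value_re and re.fullmatch(value_re, value)):
                findings.setdefault(category, []).append(name)
    # Not a secret, but APP_DEBUG=true makes Laravel's error pages verbose,
    # which is one of the ways a .env's contents end up on the wire.
    if env.get("APP_DEBUG", "").lower() == "true":
        findings["debug_mode_enabled"] = ["APP_DEBUG"]
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, names in classify_env(SAMPLE_ENV).items():
        print(f"{category:24s} {', '.join(names)}")
```

Run it over the sample and every category the article lists comes back populated from a single file, which is the point: one exposed `.env` is not one leaked password but a bundle of footholds (database, mail relay, cloud account, source repo, wallet), each of which needs its own rotation.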

Harvested AWS keys were tested for access to IAM, SES, SNS and S3, which gave the attackers persistence, a way to send phishing e-mails, and access to sensitive data (IAM for creating users and keys, SES for bulk e-mail, S3 for stored data). AI-service keys were largely absent from the haul, possibly because the tooling predates those services or because few were found.
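That key-testing step leaves a recognisable trace in CloudTrail: a burst of cheap enumeration calls from one access key across several services, often with some AccessDenied errors mixed in, and sometimes followed by an IAM call that turns the key into a foothold. The following detector is an added example, not the article's or the researchers' code. The record shape it reads (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`, `errorCode`) is CloudTrail's; the events, key IDs and IP addresses below are constructed, and the ten-minute window and three-service threshold are assumptions to tune for your own account's baseline.

```python
"""Flag an AWS access key that is being tested across services.

Added example, not the article's or the researchers' code. Event shape is
CloudTrail's; the sample events, keys, addresses and thresholds are
constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Enumeration calls per service that a key-tester typically makes first.
RECON_CALLS = {
    "sts.amazonaws.com": {"GetCallerIdentity"},
    "iam.amazonaws.com": {"GetUser", "ListUsers", "ListAttachedUserPolicies", "GetAccountSummary"},
    "ses.amazonaws.com": {"GetSendQuota", "ListIdentities", "GetAccount"},
    "sns.amazonaws.com": {"ListTopics", "GetSMSAttributes"},
    "s3.amazonaws.com": {"ListBuckets"},
}
# IAM calls that turn a stolen key into persistence.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy"}

STOLEN_KEY, STOLEN_IP = "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"   # constructed
APP_KEY, APP_IP = "AKIAEXAMPLEKEY000002", "10.0.0.5"            # constructed


def _event(t, source, name, key, ip, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    e = {"eventTime": t, "eventSource": source, "eventName": name,
         "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
    if error:
        e["errorCode"] = error
    return e


SAMPLE_EVENTS = [
    # Stolen key being walked through the services the article lists.
    _event("2024-08-10T12:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", STOLEN_KEY, STOLEN_IP),
    _event("2024-08-10T12:00:05Z", "iam.amazonaws.com", "GetUser", STOLEN_KEY, STOLEN_IP),
    _event("2024-08-10T12:00:09Z", "iam.amazonaws.com", "ListUsers", STOLEN_KEY, STOLEN_IP, "AccessDenied"),
    _event("2024-08-10T12:00:12Z", "s3.amazonaws.com", "ListBuckets", STOLEN_KEY, STOLEN_IP),
    _event("2024-08-10T12:00:20Z", "ses.amazonaws.com", "GetSendQuota", STOLEN_KEY, STOLEN_IP),
    _event("2024-08-10T12:00:31Z", "sns.amazonaws.com", "ListTopics", STOLEN_KEY, STOLEN_IP),
    _event("2024-08-10T12:01:02Z", "iam.amazonaws.com", "CreateAccessKey", STOLEN_KEY, STOLEN_IP),
    # A legitimate application key doing its normal job.
    _event("2024-08-10T12:00:00Z", "s3.amazonaws.com", "GetObject", APP_KEY, APP_IP),
    _event("2024-08-10T12:00:30Z", "s3.amazonaws.com", "GetObject", APP_KEY, APP_IP),
    _event("2024-08-10T12:05:00Z", "s3.amazonaws.com", "ListBuckets", APP_KEY, APP_IP),
]


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_key_probing(events, window_seconds=600, min_services=3):
    """One alert per access key that enumerates at least min_services distinct
    services inside any window_seconds-long span of its own activity."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(e)

    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            services = {e["eventSource"].split(".")[0] for e in span
                        if e["eventName"] in RECON_CALLS.get(e["eventSource"], ())}
            if len(services) < min_services:
                continue
            alerts.append({
                "accessKeyId": key,
                "sourceIPs": sorted({e["sourceIPAddress"] for e in span}),
                "services": sorted(services),
                "accessDenied": sum(1 for e in span if e.get("errorCode")),
                "persistence": [e["eventName"] for e in span
                                if e["eventSource"] == "iam.amazonaws.com"
                                and e["eventName"] in PERSISTENCE_CALLS],
                "first": first["eventTime"],
                "last": span[-1]["eventTime"],
            })
            break  # one alert per key; later windows would only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_key_probing(SAMPLE_EVENTS):
        print(alert)
```

Denied calls count towards the alert on purpose: a key that is refused on IAM but accepted on SES is exactly what the article describes, and the refusal itself is the signal that someone is probing rather than using the key as the application does. The persistence field is what should drive the response priority, since a `CreateAccessKey` after the probe means rotating the original key is no longer enough.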

