AWS environments compromised through exposed .env files

“Following the successful creation of the privileged IAM role, the threat actor attempted to create two different infrastructure stacks, one using Amazon Elastic Cloud Compute (EC2) resources and the other with AWS Lambda,” the researchers said. “By performing these execution tactics, the actors failed to create a security group, key pair and EC2 instance, but they successfully created multiple lambda functions with the newly created IAM role attached.”

AWS Lambda is a serverless computing platform designed to execute user-supplied application code on demand. It has been abused by attackers before for crypto mining with miners written in Go, but in this case the hackers used it to deploy a bash script that would scan other domains for exposed .env files, extract credentials from them and upload them to a public S3 bucket they previously compromised.

That particular script was looking for credentials for the Mailgun email sending platform, but by accessing the attackers’ publicly exposed S3 storage bucket the researchers were able to understand the full scope of the campaign. “We identified more than 230 million unique targets that the threat actor was scanning for misconfigured and exposed environment files. At the time of access to this public S3 bucket, we estimate that multiple compromised AWS accounts were the target of this malicious scanning as part of a compromise-scan-compromise automated operation.”
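The sequence the researchers describe, a freshly created privileged IAM role followed minutes later by Lambda functions attached to it, is a pattern a defender can hunt for in CloudTrail. The following detection is an added example, not code from the article or from the researchers who investigated the campaign. It runs over a handful of constructed CloudTrail-style records embedded in the script (the account id, access key ids, role and function names are made up), and it assumes that "privileged" means the role received the AWS managed `AdministratorAccess` policy, which the article does not state; the field names (`eventSource`, `eventName`, `requestParameters`, `responseElements`) and the Lambda event name `CreateFunction20150331` follow the real CloudTrail schema.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for demonstration (not real logs).
# Account id, access key ids, role and function names are all invented.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-08-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
        "requestParameters": {"roleName": "lambda-ex-role"},
        "responseElements": {"role": {"arn": "arn:aws:iam::123456789012:role/lambda-ex-role"}},
    },
    {
        "eventTime": "2024-08-01T10:00:20Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
        "requestParameters": {
            "roleName": "lambda-ex-role",
            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
        },
    },
    {
        "eventTime": "2024-08-01T10:01:05Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
        "requestParameters": {
            "functionName": "scan-1",
            "role": "arn:aws:iam::123456789012:role/lambda-ex-role",
        },
    },
    {   # Benign control: a function created against a long-standing role by another key.
        "eventTime": "2024-08-01T11:30:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"},
        "requestParameters": {
            "functionName": "nightly-report",
            "role": "arn:aws:iam::123456789012:role/reporting-role",
        },
    },
]

# Assumption: "privileged" is approximated as the AWS managed AdministratorAccess policy.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=30)  # how soon after role creation a function attach is suspicious


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_lambda_creations(events, window=WINDOW):
    """Return one finding per Lambda function whose execution role was created by
    the same access key within `window` (the create-role-then-deploy-Lambda chain)."""
    events = sorted(events, key=_ts)
    created_roles = {}   # role ARN -> (creating access key, creation time)
    admin_roles = set()  # role names that received AdministratorAccess
    findings = []
    for ev in events:
        src, name = ev["eventSource"], ev["eventName"]
        key = ev.get("userIdentity", {}).get("accessKeyId")
        params = ev.get("requestParameters") or {}
        if src == "iam.amazonaws.com" and name == "CreateRole":
            arn = ev.get("responseElements", {}).get("role", {}).get("arn")
            if arn:
                created_roles[arn] = (key, _ts(ev))
        elif src == "iam.amazonaws.com" and name == "AttachRolePolicy":
            if params.get("policyArn") == ADMIN_POLICY_ARN:
                admin_roles.add(params.get("roleName"))
        elif src == "lambda.amazonaws.com" and name.startswith("CreateFunction"):
            role_arn = params.get("role", "")
            if role_arn in created_roles:
                creator, when = created_roles[role_arn]
                if creator == key and _ts(ev) - when <= window:
                    findings.append({
                        "function": params.get("functionName"),
                        "role": role_arn,
                        "access_key": key,
                        "seconds_after_role_creation": int((_ts(ev) - when).total_seconds()),
                        "role_is_admin": role_arn.rsplit("/", 1)[-1] in admin_roles,
                    })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_lambda_creations(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Run against the constructed sample, the script reports `scan-1` (deployed 65 seconds after its admin role was created by the same key) and stays silent on `nightly-report`. In a real deployment the same logic would read CloudTrail events from S3 or a SIEM; the window and the privileged-policy list are the knobs to tune, and a key that creates a role and immediately deploys functions against it is worth a look even when the policy is not `AdministratorAccess`.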
