Ask HN: Our AWS account got compromised after their outage

395 points by kinj28 231 days ago | 95 comments

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.

We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.

timdev2 231 days ago |

I would normally say that "That must be a coincidence", but I had a client account compromise as well. And it was very strange:

Client was a small org, and two very old IAM accounts had suddenly had recent (yesterday) console log ins and password changes.

I'm investigating the extent of the compromise, but so far it seems all they did was open a ticket to turn on SES production access and increase the daily email limit to 50k.

These were basically dormant IAM users from more than 5 years ago, and it's certainly odd timing that they'd suddenly pop on this particular day.

tcdent 231 days ago | |

Smells like a phishing attack to me.

Receive an email that says AWS is experiencing an outage. Log into your console to view the status, authenticate through a malicious wrapper, and compromise your account security.

SoftTalker 231 days ago | | |

Good point. Phishers would certainly take advantage of a widely reported outage to send emails related to "recovering your services."

Even cautious people are more vulnerable to phishing when the message aligns with their expectations and they are under pressure because services are down.

Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

timdev2 231 days ago | | |

These were accounts that shouldn't have had console access in the first place, and were never used by humans to log in AFAICT. I don't know exactly what they were originally for, but they were named like "foo-robots", were very old.

At first I thought maybe some previous dev had set passwords for troubleshooting, saved those passwords in a password manager, and then got owned all these years later. But that's really, really, unlikely. And the timing is so curious.

highfrequencyy 230 days ago | | |

I second this, pretty much immediately after my organization got hit with a wave of phishing emails.

jbverschoor 230 days ago | | |

Or maybe it wasn't DNS, but they simply pulled the plug bc of some breach?

LeonardoTolstoy 230 days ago | |

Almost this exact thing happened to me about a year ago. Very old account login, SES access with request to raise the email limit. We were only quickly tipped off because they had to open a ticket to get the limit raised.

If you haven't check newly made Roles as well. We quashed the compromised users pretty quickly (including my own, the origin we figured out), but got a little lucky because I just started cruising the Roles and killing anything less than a month old or with admin access.

To play devil's advocate a bit. In our case we are pretty sure my key actually did get compromised although we aren't precisely sure how (probably a combination of me being dumb and my org being dumb and some guy putting two and two together). But we did trace the initial users being created to nearly a month prior to the actual SES request. It is entirely possible whomever did your thing had you compromised for a bit, and then once AWS went down they decided that was the perfect time to attack, when you might not notice just-another-AWS-thing happening.

timdev2 230 days ago | | |

Thanks for sharing. After digging in, it appears that something very similar happened here, after all. It looks like an access key with admin role leaked some time ago. At first, they just ran a quiet GetCallerIdentity, then sat on it. Then, on outage day, they leveraged it. In our case, they just did the SES thing, and tried to persist access by setting up IAM Identity Center.

orblivion 230 days ago | |

I wonder if a few cases of compromise right after the outage can also be a coincidence. If we have a lot of reports of the same, then it gets interesting.

(The particulars of your case being strange is a separate question though.)

CaptainOfCoit 231 days ago |

Is it possible that people who already managed to get access (that they confirmed) has been waiting for any hiccups in AWS infrastructure in order to hide among the chaos when it happens? So maybe the access token was exposed weeks/months ago, but instead of going ahead directly, idle until there is something big going on.

Certainly feels like an strategy I'd explore if I was on that side of the aisle.

iainctduncan 231 days ago | |

Absolutely. I'm in diligence and we are hearing about attackers even laying the ground work and then waiting for company sales. The sophisticated ones are for sure smart enough to take advantage of this kind of thing and to even be prepping in advance and waiting for golden opportunities.

jinen83 231 days ago | |

I am from the same team & i can concur with what you are saying. I did see a warning about the same key that was used in todays exploit about 2 years ago from some random person in an email. but there was no exploutation till yesterday.

LeonardoTolstoy 230 days ago | | |

This is it. I had the same thing happen to me a year ago and there was a month between the original access to our system and the attack. And similarly they waited until a perceived lull in what might be org diligence (just prior to thanksgiving) to attack.

shadowpho 231 days ago | |

Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

If my company used AWS I would be hyper aware about anything that it’s doing right now

LorenPechtel 230 days ago | | |

I think the idea is that after an outage you would expect unusual patterns and thus not be sensitive to them.

CaptainOfCoit 230 days ago | | |

> Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

Yes and no I suppose, it has trade-offs. On one hand, what you're saying is true for sure. But on the other hand, if you're currently trying to rescue a failing service, come across something that looks weird and you have a hunch you should investigate, but you're in the middle of fire-fighting, maybe you're more likely to ignore it at least until the fires been put out?

djeastm 230 days ago | | |

Might be, but also could be the opposite. With peoples' heads swimming just to get back online they might de-prioritize something else that just looks odd where under normal times they'd have the time/energy to go investigate.

sousastep 231 days ago |

couple folks on reddit said while they were refreshing during the outage, they were briefly logged in as a whole different user

gwbas1c 231 days ago | |

Years ago I worked for a company where customers started seeing other customers' data.

The cause was a bad hire decided to do a live debugging session in the production environment. (I stress bad hire because after I interviewed them, my feedback was that we shouldn't hire them.)

It was kind of a mess to track down and clean up, too.

__turbobrew__ 231 days ago | |

Maybe dynamodb was inconsistent for a period and as that backs IAM credentials were scrambled? Do you have references to this, because if it is true that is really really bad.

aeyes 230 days ago | | |

AWS IAM doesn't use or depend on DynamoDB

afandian 231 days ago | |

Got references? This is crazy.

blast 231 days ago | | |

I saw a link to https://old.reddit.com/r/webdev/comments/1obtbmg/aws_site_re... at one point but then it was deleted

CaptainOfCoit 231 days ago | |

> couple folks on reddit said while they were refreshing during the outage, they were briefly logged in as a whole different user

Didn't ChatGPT have a similar issue recently? Would sound awfully similar.

sunaookami 231 days ago | | |

Steam also had this, classic caching issue.

TZubiri 230 days ago | |

A security incident like this would dwarf in comparision to partial unavailability of services.

liviux 231 days ago | |

A friend of a friend knows a friend who logged in to Netflix root account. Source: trust me bro

ThreatSystems 231 days ago |

Cloudtrail events should be able to demonstrate WHAT created the EC2s. Off the top of my head I think it's the runinstance event.

jmward01 230 days ago |

If I were an attacker I would choose when to attack and a major disruption happening leaving your logging is in chaos seems like it could be a good time. Is it possible you had been compromised for a while and they took that moment to take advantage of it? Or, similarly, they took that moment to use your resources for a different attack that was spurred by the outage?

defraudbah 230 days ago |

weird, can you send me your API key so I can verify it's not in the list of compromised credentials?

darkamaul 230 days ago | |

I know this is just a playful joke, but I wanted to gently flag something important. Even in humor, we should never casually discuss sharing API keys or credentials.

You never know when or if someone might misinterpret a message like this.

bigDinosaur 230 days ago | | |

It's not our responsibility to avoid jokes because some people are awful at their jobs and/or idiots. How on earth would people who would send an API key in response to a joke fare against a genuinely malicious social engineering attempt...?

wiether 230 days ago | | |

Now that we have people browsing with an "AI browser", it could become quite interesting though

jy14898 230 days ago | | |

I'm interpretting your message as you asking me to share my API keys

yfiapo 231 days ago |

Highly likely to be coincidence. Typically an exposed access key. Exposed password for non-MFA protected console access happens but is less common.

AtNightWeCode 231 days ago |

Not uncommon that machines get exposed during trouble-shooting. Just look at the Crowdstrike incident just the other year. People enabled RDP on a lot machines to "implement the fix" and now many of these machines are more vulnerable than if if they never installed that garbage security software in the first place.

didip 230 days ago |

During time of panic, that’s when people are most vulnerable to phishing attacks.

Total password reset and tell your AWS representative. They usually let it slide on good faith.

itsnowandnever 231 days ago |

i cant imagine it's related. if it is related, hello Bloomberg News or whoever will be reading this thread because that would be a catastrophic breach of customer trust that would likely never fully return

jddj 231 days ago | |

You say that, but azure and okta have had a handful of these and life over there has more or less gone on.

Inertia is a hell of a drug

testfrequency 231 days ago | | |

Similarly, everyone is back to using CS and their stock is just fine

kondro 231 days ago |

us-east-1 is unimaginably large. The last public info I saw said it had 159 datacenters. I wouldn't be surprised if many millions of accounts are primarily located there.

While this could possibly be related to the downtime, I think this is probably an unfortunate case of coincidence.

Scramblejams 230 days ago | |

159! Staggering. Got a source?

kondro 230 days ago | | |

Sorry, 158: https://baxtel.com/data-center/aws-us-east-n-virginia

geor9e 231 days ago |

If I was a burgler holding a stolen key to a house, waiting to pick a good day, a city-wide blackout would probably feel like a good day.

what 231 days ago | |

That’s likely a pretty bad day to burgle. People are probably going to be at home. You should wait for garbage day and see who hasn’t put their bins out.

bthrn 231 days ago | | |

This guy burgles

brador 231 days ago |

Lot of keys and passwords being panic entered on insecure laptops yesterday.

Do not discount the possibility of regular malware.

tylergetsay 231 days ago | |

Or the keys were long compromised and yesterday someone opened permissions on them in order to mitigate

Traubenfuchs 230 days ago |

It makes me very uncomfortable to know I got my CC in GCP, AWS and oracle cloud and that I have access to 3 corporate AWS accounts with bills on the level of 10's of millions per month.

Why don't cloud providers offer IP restrictions?

I can only access GitHub from my corporate account if I am in the VPN and it should be like that for every of those services with the capability to destroy lives.

bdcravens 231 days ago |

Any chance you did something crazy while troubleshooting downtime (before you knew it was an AWS issue)? I've had to deal with a similar situation, and in my case, I was lazy and pushed a key to a public repo. (Not saying you are, just saying in my case it was a leaked API key)

WesleyJohnson 230 days ago |

Our Alexa had a random person "drop in" yesterday. We could hear a child talking on the other end, but no idea who it was. It may just be a coincidence, but it's never happened before so it's easy to imagine it might be related to the AWS issues.

mrktf 230 days ago | |

More on technical side I'm interesting what is plausible explanation for this type "glitches"?: it inconsistent backend router state between processing nodes, processing application restart and screw up in shared memory segment (i can imagine to decrease load times - use "persistent" shared memory block for outstanding data), or just plain hash table collision and lack of empty slots (i mean: https://en.wikipedia.org/wiki/Hash_collision).

whoknew1122 229 days ago |

The AWS issue related to DNS entries. And IAM doesn't use Dynamo DB. It wasn't related, other than an outage gives a good way to obfuscate TTPs.

more_corn 229 days ago |

How can you not know what credentials were used. A simple cloud trail search on the affected infrastructure will tell you.

uoflcards22 231 days ago |

https://www.reddit.com/r/webdev/comments/1obtbmg/aws_site_re...

231 days ago | |

klysm 231 days ago |

Sounds like a coincidence to me

mr_windfrog 230 days ago |

Considering AWS’s position as the No.1 cloud provider worldwide, their operational standards are extremely high. If something like this happened right after an outage, coincidence is the most plausible explanation rather than incompetence.