Bling Libra’s Tactical Evolution: Unveiling the Threat Actor Group Behind ShinyHunters Ransomware

The Bling Libra group (behind ShinyHunters) shifted from selling stolen data to extortion after gaining access to an AWS environment with credentials found in public repositories. They conducted cloud reconnaissance using S3 Browser and WinSCP, deleted data in S3 buckets with limited permissions, and sent an extortion email, underscoring the importance of cloud security practices. Hashtags: #BlingLibra #ShinyHunters #AWS #S3 #S3Browser #WinSCP

Key points

  • Bling Libra shifted from data sale to extortion against victims.
  • Credentials were obtained from a sensitive file exposed on the internet to gain access.
  • Reconnaissance used tools like S3 Browser and WinSCP to map S3 bucket configurations.
  • Permissions tied to the compromised credentials limited the overall impact.
  • Highlights the need for proactive monitoring of cloud environments and critical logs.
  • Emphasizes using AWS security tools (GuardDuty, Config, Security Hub) and MFA to reduce risk.

MITRE Techniques

  • [T1078.004] Cloud Accounts – Gained initial access by obtaining AWS credentials from a sensitive file exposed on the internet. “To gain initial access into the organization’s AWS environment, the threat actors obtained AWS credentials from a sensitive file exposed on the internet.”
  • [T1087] Account Discovery – Discovery: Performed IAM- and S3-related discovery, calling “ListUsers” to see existing users and “ListBuckets” to enumerate buckets. “ListUsers API call returns a list of the existing users within the AWS account.” and “The ListBuckets API call using the AWS CLI.”
  • [T1567.002] Exfiltration to Cloud Storage – Data Access: “Accessed S3 buckets using WinSCP and deleted data.”
  • [T1059] Command and Scripting Interpreter – Execution: “Executed a script to create new S3 buckets after deleting existing ones.”
  • [T1485] Data Destruction – Extortion: “The extortion email” together with the explicit data deletion actions described, e.g., the “extortion note” and that the actors “deleted a handful of buckets.”

Indicators of Compromise

  • [Email] threat actor email address – shinycorp@tutonota[.]com
  • [User Agent] S3 Browser – S3 Browser/X.X.X (https://s3browser[.]com)
  • [User Agent] WinSCP – WinSCP/X.X.X neon/X.X.X
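Added example, not from the Unit 42 report: a small CloudTrail triage script that groups records per access key and flags keys that performed the discovery calls named above (ListUsers, ListBuckets) from the S3 Browser or WinSCP user agents listed in the IoCs and then issued destructive S3 calls. The records, access key IDs and version strings are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed CloudTrail-style records (not from the report). User agents
# follow the IoC shapes "S3 Browser/X.X.X (https://s3browser.com)" and
# "WinSCP/X.X.X neon/X.X.X"; access key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userAgent": "S3 Browser/11.5.7 (https://s3browser.com)",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "S3 Browser/11.5.7 (https://s3browser.com)",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-01-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userAgent": "WinSCP/6.3.3 neon/0.32.2",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]

# Third-party S3 clients seen in the IoC section, matched at the start of the UA.
TOOL_PATTERNS = {
    "S3 Browser": re.compile(r"^S3 Browser/"),
    "WinSCP": re.compile(r"^WinSCP/"),
}
DISCOVERY = {"ListUsers", "ListBuckets"}
DESTRUCTIVE = {"DeleteBucket", "DeleteObject", "DeleteObjects"}


def tool_from_user_agent(ua):
    """Return the name of a known third-party S3 client, or None."""
    for name, pat in TOOL_PATTERNS.items():
        if pat.match(ua or ""):
            return name
    return None


def find_suspicious_keys(events):
    """Per access key: record client tools used, discovery calls, and any
    destructive S3 calls that came after discovery. Return only the keys
    that combine a third-party client with post-discovery deletion."""
    by_key = defaultdict(lambda: {"tools": set(), "discovery": set(), "destructive": set()})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        rec = by_key[ev["userIdentity"].get("accessKeyId", "unknown")]
        tool = tool_from_user_agent(ev.get("userAgent"))
        if tool:
            rec["tools"].add(tool)
        name = ev["eventName"]
        if name in DISCOVERY:
            rec["discovery"].add(name)
        elif name in DESTRUCTIVE and rec["discovery"]:  # deletion after recon only
            rec["destructive"].add(name)
    return {k: v for k, v in by_key.items() if v["tools"] and v["destructive"]}
```

Running `find_suspicious_keys(SAMPLE_EVENTS)` returns only the first key, whose S3 Browser discovery was followed by a WinSCP DeleteBucket; the AWS CLI key that only listed buckets is not flagged.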

Read more: https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/