The article is a writeup of the HackTheBox Sherlock "MisCloud", a simulated security incident at "DummyExample," an e-commerce startup that migrated to Google Cloud Platform (GCP). The breach began with an exploited vulnerability in a self-hosted Gitea instance and ended in unauthorized access and data exfiltration. The investigation traces the attack's origin, the accounts used to pivot through the environment, the exfiltration path, and finally recovers and decrypts the stolen file. Affected: DummyExample e-commerce startup, Google Cloud Platform (GCP)
Keypoints:
- Incident involved DummyExample, an e-commerce startup migrating to GCP.
- Data breach resulted from an exploited vulnerability in Gitea, CVE-2020-14144 (authenticated command execution through the git hooks feature in Gitea versions before 1.12.6).
- The attack was classified as an insider attack originating from a Windows machine.
- The threat actor established a reverse shell calling out to 0.tcp.eu.ngrok.io:14509, an ngrok TCP tunnel that hides the real command-and-control host behind ngrok's infrastructure.
- Correlating several Google Cloud logs identified the accounts used to pivot between instances and access resources.
- Accessed instances included multiple Linux machines and a packet mirroring instance.
- A sensitive file named “Customer-Data-e7b9e806c08435793e310d7137b068fa.xlsx” was compromised.
- Exfiltration occurred over port 3389 (RDP): the GCP default network ships with a default-allow-rdp ingress rule permitting TCP/3389 from 0.0.0.0/0, so the attacker could reach the instance directly from the internet.
- Encryption key for the sensitive file was identified as “J@m37_h@Rd3st_k3Y_enCrypt_Exf!l7r@73”.
- Decryption of the file revealed sensitive data, including SSN and credit card numbers of the founder.
- The writeup suggests Cloud Source Repositories as a managed alternative to self-hosting Gitea on GCP; note that Google has since closed Cloud Source Repositories to new customers, so a fresh project would need another managed Git service.
- Using the default Compute Engine service account is discouraged because it is granted the project-wide Editor role by default; any VM running under it, if compromised, inherits those privileges. Create a dedicated service account per workload with only the IAM roles it needs and restrict its access scopes.
- VPC Service Controls help restrict data exfiltration from Cloud Storage by placing projects in a service perimeter, so that Storage API calls crossing the perimeter boundary (for example, copying a bucket to a project the attacker controls) are denied.
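The indicators in the keypoints above (the ngrok reverse-shell endpoint, the exfiltration path over TCP/3389 and the world-open default-allow-rdp rule) are the kind of thing an investigator triages from VPC Flow Logs and the project's firewall rule list. The following is an added Python example, not code from the writeup: the flow records, firewall rules and IP addresses are constructed for illustration, and the dest_hostname field is a constructed enrichment (real VPC Flow Log payloads carry IPs only, so the hostname would come from your own DNS or passive-DNS lookup). The 3389 aggregation relies on the fact that VPC Flow Logs record each direction of a connection as its own entry, with bytes_sent counting bytes from src to dest.

```python
"""Triage helpers for a MisCloud-style GCP investigation (added example)."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.128.0.0/9")  # default-network auto subnets
RDP_PORT = 3389
# Indicator taken from the incident summary: the reverse shell's ngrok endpoint.
IOC_ENDPOINTS = {("0.tcp.eu.ngrok.io", 14509)}

# Constructed records shaped like VPC Flow Log connection fields plus a
# constructed dest_hostname enrichment. 198.51.100.x and 203.0.113.x are
# documentation ranges standing in for the ngrok edge and the attacker host.
SAMPLE_FLOWS = [
    {"src_ip": "10.128.0.5", "src_port": 51234, "dest_ip": "198.51.100.20",
     "dest_port": 14509, "dest_hostname": "0.tcp.eu.ngrok.io", "bytes_sent": 4210},
    {"src_ip": "10.128.0.5", "src_port": 22, "dest_ip": "10.128.0.2",
     "dest_port": 40001, "bytes_sent": 1200},
    {"src_ip": "203.0.113.7", "src_port": 55010, "dest_ip": "10.128.0.9",
     "dest_port": 3389, "bytes_sent": 9000},
    {"src_ip": "10.128.0.9", "src_port": 3389, "dest_ip": "203.0.113.7",
     "dest_port": 55010, "bytes_sent": 48_000_000},
    {"src_ip": "10.128.0.9", "src_port": 3389, "dest_ip": "203.0.113.7",
     "dest_port": 55011, "bytes_sent": 31_000_000},
    {"src_ip": "10.128.0.9", "src_port": 3389, "dest_ip": "10.128.0.2",
     "dest_port": 40100, "bytes_sent": 2_000_000},  # internal admin session, ignored
]

# Constructed rules in the shape of `gcloud compute firewall-rules list
# --format=json` output (fields trimmed to what the checks need).
SAMPLE_RULES = [
    {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-rdp-from-office", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["198.51.100.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]


def _port_allowed(allowed_entry, port):
    """True if one 'allowed' entry covers `port` (no 'ports' key means every port)."""
    if allowed_entry.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed_entry.get("ports")
    if not ports:
        return True
    for spec in ports:  # "3389" or "3389-3390"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def world_open_ingress(rules, port):
    """Names of enabled INGRESS rules exposing `port` to any source address."""
    any_source = {"0.0.0.0/0", "::/0"}
    hits = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not any_source & set(rule.get("sourceRanges", [])):
            continue
        if any(_port_allowed(a, port) for a in rule.get("allowed", [])):
            hits.append(rule["name"])
    return hits


def reverse_shell_flows(flows, iocs=IOC_ENDPOINTS):
    """(source VM, endpoint, port) for every outbound flow to a known C2 endpoint."""
    return [
        (f["src_ip"], f["dest_hostname"], f["dest_port"])
        for f in flows
        if (f.get("dest_hostname"), f["dest_port"]) in iocs
    ]


def rdp_exfil_volume(flows, min_bytes=10_000_000):
    """Bytes an internal RDP server (src_port 3389) sent to external peers.

    Returns {(vm_ip, external_ip): total_bytes} for pairs at or above min_bytes;
    replies to internal clients are excluded so ordinary admin sessions stay quiet.
    """
    totals = defaultdict(int)
    for f in flows:
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dest_ip"])
        if f["src_port"] == RDP_PORT and src in INTERNAL_NET and dst not in INTERNAL_NET:
            totals[(f["src_ip"], f["dest_ip"])] += f["bytes_sent"]
    return {pair: b for pair, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    print("world-open RDP rules:", world_open_ingress(SAMPLE_RULES, RDP_PORT))
    print("reverse-shell flows:", reverse_shell_flows(SAMPLE_FLOWS))
    print("RDP exfil volume:", rdp_exfil_volume(SAMPLE_FLOWS))
```

On the sample data the script names default-allow-rdp as the only rule exposing 3389 to the world (allow-rdp-from-office is scoped to one /24 and default-allow-internal to the VPC range), attributes the ngrok callback to 10.128.0.5, and sums the two outbound 3389 flows from 10.128.0.9 to 203.0.113.7 into a single 79 MB total. For a real project, feed it the JSON from `gcloud compute firewall-rules list --format=json` and exported flow log entries instead of the constructed lists.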
Full Story: https://infosecwriteups.com/miscloud-hackthebox-sherlock-writeup-bea5403dbcc2?source=rss----7b722bfd1b8d---4