A large-scale cyber theft operation targeting Amazon Web Services (AWS) customers is underway, with attackers exploiting misconfigured public websites to steal sensitive information, including source code, database credentials, and API keys, according to a report by security researchers Noam Rotem and Ran Locar.
The researchers identified an open AWS S3 bucket used as a “shared drive” among the attackers, revealing 2 TB of data, including proprietary source code, infrastructure credentials, and database access details. The misconfigured bucket also stored source code for the attackers’ tools and logs of their operations, providing insights into their tactics and the scope of the breach.
The operation ran in two phases. In the discovery phase, the attackers compiled IP ranges from publicly available AWS CIDRs, used Shodan and SSL certificate analysis to associate IPs with domain names, and scanned the resulting domains for exposed endpoints such as .env files and git repositories, among others.
In the exploitation phase, they leveraged custom scripts, open-source tools, and cracked utilities like MultiGrabber to extract sensitive information, including AWS access keys, database and SMTP credentials, cryptocurrency wallets, and third-party API keys.
The attackers employed remote shells like “EmperorsTools” to gain control over compromised systems.
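A defender-side check for the exposure the two phases above rely on, written as an added example (not code from the report or the researchers): it walks a served document root for .env files and .git directories and flags the AWS access key IDs and credential variables an attacker would harvest from them. The document root and its contents are constructed; the list of sensitive variable names is an assumption.

```python
import os
import re
import tempfile
from pathlib import Path

# AKIA/ASIA followed by 16 upper-case alphanumerics is the AWS access key ID format.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names assumed typical for the AWS/DB/SMTP secrets the report lists.
SENSITIVE_VAR_RE = re.compile(
    r"^\s*(AWS_SECRET_ACCESS_KEY|DB_PASSWORD|DATABASE_URL|SMTP_PASSWORD)\s*=", re.I)

def find_exposed_paths(docroot):
    """Web-relative paths of .env files and .git directories inside a served docroot."""
    root, found = Path(docroot), []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if ".git" in dirnames:
            found.append("/" + (rel / ".git").as_posix())
            dirnames.remove(".git")  # the directory itself is the finding; skip its contents
        found += ["/" + (rel / f).as_posix() for f in filenames if f.startswith(".env")]
    return sorted(found)

def scan_env_text(text):
    """(line number, reason) for lines holding the kinds of secrets the attackers collect."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_RE.search(line):
            hits.append((n, "aws-access-key-id"))
        elif SENSITIVE_VAR_RE.match(line):
            hits.append((n, "sensitive-variable"))
    return hits

def audit_docroot(docroot):
    """Map each exposed path to its findings; a .git directory is a finding on its own."""
    report = {}
    for p in find_exposed_paths(docroot):
        full = Path(docroot) / p.lstrip("/")
        if full.is_file():
            report[p] = scan_env_text(full.read_text(errors="replace"))
        else:
            report[p] = [(0, "git-metadata-directory")]
    return report

def build_sample_docroot():
    """Constructed docroot; the key ID is AWS's documented example value, not a live key."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>hello</h1>\n")
    (root / ".env").write_text("APP_ENV=production\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                               "AWS_SECRET_ACCESS_KEY=constructed-secret\nDB_PASSWORD=constructed\n")
    (root / "app" / ".git").mkdir(parents=True)
    (root / "app" / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    return str(root)

if __name__ == "__main__":
    for path, hits in audit_docroot(build_sample_docroot()).items():
        print(path, hits)
```

Run it against the real document root of each site before deployment; any non-empty report means the file or directory is reachable by the same scans the report describes.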
Rotem and Locar discovered links between this group, operating under the alias “Nemesis,” and the now-defunct “ShinyHunters,” known for high-profile breaches of companies such as Microsoft and Ticketmaster. Tools used in this operation were written in French and associated with “Sezyo Kaizen,” an alias tied to Sebastien Raoult, a French hacker recently convicted in the United States. Raoult was also charged in France with selling malware designed to hack AWS email servers. According to French media, he created software that could scan and hijack vulnerable SMTP servers running on AWS cloud infrastructure. Raoult allegedly sold the software online between 2021 and 2022.
The stolen data, including credentials and access keys, was monetized through dedicated Telegram channels and darknet markets such as “Nemesis Blackmarket,” where each breach fetched hundreds of Euros.
The attackers targeted AWS services such as IAM (Identity and Access Management) to establish persistence; SES (Simple Email Service) for phishing and spam campaigns; SNS (Simple Notification Service) to send mass notifications; and S3 (Simple Storage Service) to steal sensitive customer data.
AWS acknowledged the issue but said that the breaches result from customers’ misconfigurations rather than AWS platform vulnerabilities.