The European Commission (EC) has confirmed that hackers stole over 300GB of data from its AWS environment using an API key compromised in the Trivy supply chain attack.
The incident occurred on March 24 and was initially disclosed on March 27, when the EC warned that cloud infrastructure hosting its resources for the Europa.eu platform had been breached.
Now, CERT-EU reveals that the hack involved an AWS cloud account that is part of the backend for the Europa.eu hosting service, which supports public websites for the EC and other European Union entities.
Hackers gained access to the AWS account using an API key compromised on March 19 in the supply chain attack on Aqua Security's Trivy vulnerability scanner, carried out by the TeamPCP hacking group.
"The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having obtained it via normal software update channels," CERT-EU explains.
Using the compromised AWS key, the attackers created and attached a new access key to a user account and performed reconnaissance, according to the EU's cybersecurity team.
"This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning for secrets and validating AWS credentials by calling the Security Token Service (STS)," CERT-EU says.
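The two behaviours CERT-EU describes, a fresh access key being attached to a user and then validated, and a bulk credential check hitting STS, both leave a recognisable trail in CloudTrail. The following is an added detection example written for this article; it is not code from CERT-EU, the Commission or the TruffleHog project. It runs two checks over constructed CloudTrail-style records embedded in the block (the field names follow the CloudTrail schema, while every key ID, user name, IP address and timestamp is invented): a `CreateAccessKey` whose new key calls STS within an hour, and a single source IP calling `sts:GetCallerIdentity` with several distinct access keys inside a few minutes. The thresholds and window sizes are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for this example. Field names match the
# real CloudTrail schema; key IDs, users, IPs and times are invented.
SAMPLE_LOG = """
{"eventTime":"2026-03-24T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLECI0000001"},"sourceIPAddress":"203.0.113.10","responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLENEW000002","userName":"ci-deploy","status":"Active"}}}
{"eventTime":"2026-03-24T09:03:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLENEW000002"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2026-03-24T09:04:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"svc-a","accessKeyId":"AKIAEXAMPLEFOUND0003"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2026-03-24T09:04:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"svc-b","accessKeyId":"AKIAEXAMPLEFOUND0004"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2026-03-24T09:04:10Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"svc-c","accessKeyId":"AKIAEXAMPLEFOUND0005"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2026-03-24T10:30:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"alice","accessKeyId":"AKIAEXAMPLEALICE0006"},"sourceIPAddress":"198.51.100.7"}
"""


def parse_events(text):
    """Parse newline-delimited CloudTrail JSON records, sorted by event time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["_time"])
    return events


def detect_new_key_validated(events, window=timedelta(hours=1)):
    """Flag an access key that is created and then used against STS within `window`.

    A key that validates itself minutes after creation is the shape of an intruder
    confirming a freshly planted credential, not of a routine rotation.
    """
    pending = {}  # new access key ID -> the CreateAccessKey record
    findings = []
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] == "CreateAccessKey":
            new_key = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if new_key:
                pending[new_key] = ev
        elif ev["eventSource"] == "sts.amazonaws.com":
            key = ev["userIdentity"].get("accessKeyId")
            created = pending.get(key)
            if created and ev["_time"] - created["_time"] <= window:
                findings.append({
                    "new_key": key,
                    "user": created["responseElements"]["accessKey"]["userName"],
                    "created_with": created["userIdentity"].get("accessKeyId"),
                    "created_at": created["eventTime"],
                    "validated_at": ev["eventTime"],
                    "seconds": int((ev["_time"] - created["_time"]).total_seconds()),
                })
                del pending[key]
    return findings


def detect_validation_burst(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a source IP calling sts:GetCallerIdentity with >= `threshold` distinct
    access keys inside `window`: the CloudTrail footprint of a harvested-credential
    check such as a secrets scanner validating every key it found."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
            by_ip[ev["sourceIPAddress"]].append(ev)
    findings = []
    for ip, calls in by_ip.items():
        # Sliding window over the time-ordered calls; report once per IP.
        for i, first in enumerate(calls):
            keys = set()
            for ev in calls[i:]:
                if ev["_time"] - first["_time"] > window:
                    break
                keys.add(ev["userIdentity"].get("accessKeyId"))
            if len(keys) >= threshold:
                findings.append({"source_ip": ip, "distinct_keys": len(keys),
                                 "start": first["eventTime"]})
                break
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    events = parse_events(text)
    return {"new_key_validated": detect_new_key_validated(events),
            "validation_burst": detect_validation_burst(events)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Against the sample records, the first check ties the key created at 09:00 to its own STS call three minutes later, naming the key that created it, which is the credential to deactivate and rotate first. The second check reports the IP that tested four different keys within a minute, whereas the single call from the other address is ignored. Both only read CloudTrail, so they can run as a scheduled query or a streaming rule without touching the accounts under investigation.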
Wiz recently explained that TeamPCP wasted no time validating stolen credentials, launching discovery operations, exfiltrating more data, and attempting lateral movement.
"The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment. The exfiltrated data pertains to websites hosted for up to 71 clients of the Europa hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities," CERT-EU notes.
On March 28, the notorious ShinyHunters extortion group added the stolen information to its Tor-based leak site.
The 340GB of uncompressed data includes personal information such as names, email addresses, and usernames, primarily from the EC's websites. Users across multiple EU entities were likely affected as well, CERT-EU says.
Roughly 2.22GB of the data, or 51,992 files, represents automated notifications, including bounce-back messages containing original user-submitted content, which may include personal information.
"The analysis of the databases linked to the hosted websites is underway. Given the volume and complex nature of the data involved, this process requires a considerable amount of time," CERT-EU notes.
Upon learning of the compromise, the EC revoked the compromised account's rights, deactivated and rotated the compromised credentials, and notified the relevant data protection bodies. The Commission also confirmed that the incident did not affect its internal systems.