They Hacked Thousands of Cloud Accounts Then Sent Us Weird GIFs

Presented at Black Hat Europe 2021, Nov. 11, 2021, 1:30 p.m. (40 minutes)

As organizations migrate their computing resources to cloud and container environments, attackers are taking notice -- and following. In August 2020, we discovered the first crypto-mining worm that steals AWS credentials. The attackers behind it are now well known for their cloud-specific attacks. Recently, we discovered they had expanded their toolkit both to steal more kinds of credentials from compromised cloud systems and to deploy some innovative techniques against containerised Kubernetes environments and additional cloud providers.

In this session, we will discuss the cloud-specific nature of the real-world attacks we have seen, sharing insights and details that have not yet been published. We will walk attendees through the attack group's overall operation and their most recent innovations to watch for. Finally, we will highlight the group's recent movements and operational security mistakes, and provide a behind-the-scenes look at how they manage compromised cloud accounts.


Presenters:

  • James Campbell - Co-Founder, Cado Security
    James Campbell is a co-founder of Cado Security and has over 13 years of experience in helping global organisations tackle sophisticated cyber espionage and criminal campaigns. James has a deep passion for cyber incident response, forensics and cyber crisis management. His background includes a career in intelligence, previously leading Australia's national incident response capability as the Assistant Director of Operations at the Australian Signals Directorate. After moving to the UK in 2013, James joined PwC to help build and lead its Cyber Incident Response service. As a Director within the PwC cyber practice, he worked with his team on unveiling the APT10 Cloudhopper cyber espionage campaign, as well as helping many global organisations investigate, isolate and mitigate significant compromises. James has previously spoken at various conferences, including CloudSec, CRESTCon and the Forensics Europe Expo. James has also published papers on topics such as disruptive cyber attacks and supply chain attacks, and loves to stay active in the wider cyber security community.
  • Christopher Doman - Co-Founder, Cado Security
    Chris Doman is a co-founder of Cado Security. He joined the industry after winning a cyber-security competition run by the US DoD. Chris is known for building the popular threat intelligence portal ThreatCrowd, which subsequently merged into the AlienVault Open Threat Exchange. Whilst working in research and development at PwC and AT&T AlienVault, Chris published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government's crypto-currency theft schemes and China's attacks against dissident websites has been widely discussed in the media. He has given interviews to print, radio and TV outlets such as CNN and BBC News. Chris has previously spoken at conferences including various BSides events and Infosecurity Europe.
