Executive Summary

Incident Overview

On April 19, 2024, a security breach was detected in our AWS account, originating from a Russian IP address. The unauthorized access led to the deployment of multiple EC2 instances via the AWS API, indicating that an admin-level account was compromised. Concurrently, suspicious activity related to cryptocurrency mining was observed. Additionally, a Trojan was identified on an internal system, which likely facilitated SSL tunneling to exfiltrate personal data from the Experience Center server to a Chinese IP address.

Key Events

  • AWS Account Access: A hacker gained access to our AWS account from a Russian IP address at 5:59:12 PM.
  • EC2 Instances Setup: Multiple EC2 instances were created via the AWS API, suggesting admin-level access.
  • Crypto Mining Detected: Cryptocurrency mining activities were identified at the same time as the unauthorized access.
  • Trojan Detection: A Trojan was found running on an internal system, likely responsible for the malicious activities.
  • Data Exfiltration: SSL tunneling was used to exfiltrate personal data from the Experience Center server to a Chinese IP address at 5:59:12 PM.
  • Network Attack Attempt: The source attempted to attack more hosts on the network than are known to exist, indicating an automated attack.

Malicious Activity

The Trojan appears to have been preprogrammed to:

  • Initiate cryptocurrency mining processes.
  • Exfiltrate sensitive information.
  • Gain access to AWS and set up EC2 instances, potentially for further crypto mining activities.

Next Steps

  1. Immediate Actions
  • Revoke Access: Immediately revoke all compromised credentials and implement a forced password reset for all users.
  • Terminate Instances: Shut down all unauthorized EC2 instances to prevent further resource usage and potential data exfiltration.
  • Contain the Trojan: Isolate and remove the Trojan from all affected systems.
  1. Investigation
  • Analyze Exfiltrated Data: Conduct a thorough review to determine what data was exfiltrated during the breach.
  • Identify the Trojan: Investigate the source and nature of the Trojan to understand how it infiltrated the system and its capabilities.
  • Log Analysis: Review AWS CloudTrail logs and internal system logs to trace the hacker's activities and identify any other compromised areas.
  1. Preventative Measures
  • Enhance Security Protocols: Implement multi-factor authentication (MFA) for all sensitive accounts and services.
  • Update Firewall Rules: Strengthen firewall rules to prevent unauthorized access from suspicious IP addresses.
  • Security Audits: Schedule regular security audits and penetration testing to identify and address vulnerabilities.

Risk Assessment

  • Data Breach: High risk due to potential exfiltration of sensitive personal data.
  • Financial Loss: Moderate to high risk from unauthorized use of AWS resources for crypto mining.
  • Operational Disruption: Moderate risk from potential disruption of services due to unauthorized access and malicious activities.
  • Reputation Damage: High risk due to the breach of customer trust and potential regulatory implications.
    Test