Hackers exploit vulnerable Adminer for AWS database thefts

A threat group has been exploiting web apps to steal valuable metadata that allows them to pilfer data from AWS database instances.

Mandiant researchers uncovered an attack operation by a threat group designated as UNC2903. The attack, which ran from May to June last year, saw threat actors stealing corporate data from AWS installations after an extended period of reconnaissance.

"The threats identified in campaigns carried out by UNC2903 were multi-phased attacks, which involved infrastructure scanning, reconnaissance and further abuse of the underlying abstraction layers offered by cloud-hosted platforms," the researchers explained in a blog post Wednesday.

"Once exploitation and abuse of the underlying systems occurred, stolen credentials are leveraged for data exfiltration in other AWS services in the compromised tenant."

Mandiant told SearchSecurity that in this case, no specific industries or sectors were targeted in the attack, suggesting the hackers were being opportunistic and looking for web-facing applications known to be vulnerable to attack.

In this attack, the vulnerable web apps were using Adminer, a popular database management tool used to link web applications with cloud database instances. The server-side request forgery flaw, designated CVE-2021-21311, doesn't provide direct access to AWS secret keys on its own but does let the attacker get some amount of metadata.

That metadata is key to the attack, according to Mandiant. By interacting with an AWS service called IMDSv1, the attacker can trick the server into returning an error message that contains AWS secret keys.

From there, the attackers are able to directly connect with the AWS database instance and pilfer the data stored within.

While both Adminer and IMDSv1 have been updated to remove each of their respective security holes, the UNC2903 hackers were able to find enough web-facing apps and AWS instances to amass a series of successful data heists. While the attackers focused on AWS, Mandiant said other cloud providers with similar metadata services could be at risk of such attacks.

Although administrators can protect their databases from the UNC2903 hack technique by updating Adminer to version 4.7.9 and IMDSv2, the Mandiant researchers noted that a wider issue will prevail as long as companies continue to link up their web applications with cloud computing services.

"As the adoption of cloud technology expands, so does the threat surface and targeting for vulnerable web infrastructure with underlying dated or deprecated metadata services with limited security capabilities," the researchers explained.

"The level of risk related to web application vulnerabilities should be evaluated and paired with the understanding that underlying metadata services in cloud environments could increase the possibility of advanced or continued threats."

Mandiat said it has tracked UNC2903 since July 2021 but has not attributed the group to a specific nation; researchers described the group as "opportunistic" but noted they have not observed the threat actors attempting to monetize the stolen data.