Hi everyone, I really need some guidance here. We discovered that one of our servers has been compromised. A PowerShell command was run that sets up an S3 connection, and I've captured the following environment variables:
- AWS_ACCESS_KEY_ID: (redacted)
- AWS_SECRET_ACCESS_KEY: (redacted)
- RESTIC_REPOSITORY: 's3:s3.eu-west-1.wasabisys.com/backvalue/(redacted)'
- RESTIC_PASSWORD: (redacted)
It appears that a modified winupdate.exe was used as a cover for exfiltration. Any data that is now stored on this S3 repository has been unlawfully uploaded. Since I don't have any account access, I'm wondering how I can go about shutting down this repository. Any help would be greatly appreciated!
5 Answers
If you have the credentials still, you might access the Wasabi storage and try to delete the data that's been uploaded. Just be careful when doing this, as unauthorized access could have legal implications.
The best route is probably to contact AWS support directly for help with abuse reports. They can assist you in shutting down the bucket, although be prepared for a bit of back and forth.
Using the AWS CLI, you might run the command `aws sts get-caller-identity`, which could give you the AWS account number linked to those credentials. This might help inform AWS of the account being used for illegal activities. You could also try accessing the bucket to see what’s been uploaded and document it. However, if you only have write access, consider uploading non-essential data to flood the bucket and increase costs to the perpetrator!
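As an added example (not code from any poster here): a small Python helper that splits the captured RESTIC_REPOSITORY value into endpoint, bucket and prefix, tells you from the host which storage provider to report to, and builds a read-only listing command for documenting what was uploaded. The provider table and the use of the AWS CLI's `--endpoint-url` option are my assumptions, not something the thread states.

```python
import re
from urllib.parse import urlsplit

# Host suffixes a responder is likely to meet in a restic "s3:" repository string.
# Assumption: the provider is inferred from the host suffix only; anything else is "unknown".
PROVIDERS = {
    "wasabisys.com": "Wasabi",
    "amazonaws.com": "Amazon S3",
    "backblazeb2.com": "Backblaze B2",
    "digitaloceanspaces.com": "DigitalOcean Spaces",
}

def parse_restic_s3(repo: str) -> dict:
    """Split a restic 's3:' repository string into endpoint, bucket and prefix.

    restic accepts 's3:host/bucket[/prefix]' and 's3:https://host[:port]/bucket[/prefix]';
    when no scheme is given, https is assumed.
    """
    if not repo.startswith("s3:"):
        raise ValueError("not a restic s3 repository string")
    rest = repo[3:]
    if not re.match(r"https?://", rest):
        rest = "https://" + rest
    parts = urlsplit(rest)
    bucket, _, prefix = parts.path.lstrip("/").partition("/")
    if not parts.hostname or not bucket:
        raise ValueError("repository string lacks host or bucket")
    host = parts.hostname.lower()
    provider = next((name for suffix, name in PROVIDERS.items()
                     if host == suffix or host.endswith("." + suffix)), "unknown")
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}",
        "host": host,
        "bucket": bucket,
        "prefix": prefix,
        "provider": provider,
    }

def inventory_command(info: dict) -> str:
    """Read-only AWS CLI listing (no put/delete) for documenting the uploaded objects."""
    target = f"s3://{info['bucket']}/{info['prefix']}".rstrip("/") + "/"
    return f"aws s3 ls --recursive --summarize --endpoint-url {info['endpoint']} {target}"

if __name__ == "__main__":
    # Constructed sample mirroring the redacted value from the question.
    info = parse_restic_s3("s3:s3.eu-west-1.wasabisys.com/backvalue/(redacted)")
    print(info)                      # provider: Wasabi, not AWS
    print(inventory_command(info))
```

Save the listing output (with timestamps and sizes) alongside the captured variables; that is the evidence the provider's abuse desk will ask for.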
If you have the valid credentials, you could just write a quick script to delete all the data you've got access to. Do this before they potentially revoke the credentials!
It looks like you're dealing with a Wasabi storage bucket, which is different from AWS. I'd recommend reaching out to Wasabi’s customer support directly, as they might be able to assist you in this situation. Contacting them may yield a quicker response than going through AWS. Also, involving law enforcement could expedite the process if illegal activity is confirmed. Good luck!

Definitely still send an AWS report; they can contact Wasabi to address any Terms of Service violations and help escalate your issue.