It was a balmy Saturday afternoon in April and I had a half hour to kill before guests were to arrive and I would don my BBQ apron to commence grilling activities. Earlier that day I’d been thinking about an AWS CLI (Command Line Interface) utility that I might use to automate software updates for a clustered WordPress hosting platform and I and decided to begin researching and prototyping some of the key ingredients towards an eventual Bash script. Ominously, this required an IAM user with full access to EC2, a first for me. Something about the clearly-not-for-production-use nature of what I was embarking on at that moment along with nice weather and the anticipation of barbequed pork ribs and beer all culminated into a false sense of security. Euphorically, it turned out that I largely completely the project in this one, single sitting. AWS CLI is incredible, and some of the code samples that you find in stackoverflow.com seem as though they arrived to you through divine intervention!
And so, that was that. With one completed, fully-functional bash script in my possession I thought to myself, “Hey, why not add this to Github right now?”, and so I did exactly that.
The two security alert emails from Github and AWS arrived simultaneously and immediately, both alerting me to the fact that I had just pushed a file containing AWS IAM credentials, ~/.aws/credentials in my case, into a public repository. “I’m such a noob!”, I thought to myself. And then I calmly started thinking through what I’d need to do to clean up what I believed to be an inconsequential mishap. Little did I know that at that moment I’d crossed paths with the Internet’s newest bottom feeders: bots that scan Github for AWS EC2 credentials for the express purpose of running clandestine blockchain server farms.
Blockchain hackers harvest AWS EC2 credentials from their Github botnet and then drop these into a simple bash script – not unlike the one I’d just written incidentally – to launch up to 20 of AWS’ largest EC2 instances in each of AWS’ 16 data centers around the world; in aggregate, around two thousand dollars per hour in resource consumption.
In my case, in a matter of seconds these blockchain hackers launched more than three hundred EC2 instances in my AWS account; a breach that endured less than five minutes in aggregate but enabled them to steal more than three thousand dollars in computing resources at my expense.
Twenty minutes after having deleted the IAM credentials entirely from my account I received a second email alert from AWS informing me that my account had been compromised that they would terminate my account in 48 hours unless I could demonstrate the breach had been both contained and disinfected. OMG!! So that’s approximately when the fecal matter hit the air distribution system. It took me around ninety minutes to stop and terminate all three hundred-twenty EC2 instances, and then to inspect all other sensitive resources that the hackers might have coopted at my expense.
Ultimately, by following AWS’ instructions and maintaining close and frequent communication with my customer service representative, they did not terminate my account. In fact, after a lengthy investigation that endured more than three months, AWS eventually refunded in their entirely all charges for pilfered EC2 services. To this day I remain unclear as to why I was granted such benevolent treatment from AWS, but, I’m thankful.
The moral to this story is that the enemy at the gates is closer than you might think. Blockchain hackers are ruthlessly effective: in my experience it took them approximately 5 seconds from the moment that I committed code to Github for them to begin launching EC2 instances in my account. Read more here: