Health care

Healthtech Infiltration – Hacker Accesses Small Cloud Provider Instance to Run Mining Load on AWS


Author

Sujato Bandyopadhyay

Aug 19, 2024

Introduction

In a concerning incident, a health tech company’s AWS credentials were compromised, allowing an attacker to run a cryptocurrency mining load on the company’s account. The attacker brute-forced a weak password on the company’s secondary cloud provider system and found the credentials for the primary cloud (AWS) stored there. This case study covers how the attack unfolded, its immediate consequences, the response actions taken, and the lessons learned from the breach.

The Attack: How It Happened

The breach began with a brute-force attack against a weak password on the health tech company’s secondary cloud provider system. Once inside that system, the attacker located the credentials for the primary cloud, Amazon Web Services (AWS), and used them to start a cryptocurrency mining workload on the company’s AWS instance, consuming compute resources at an alarming rate. Because the AWS credentials were stored in a system protected only by a guessable password, the weaker provider’s security effectively became the security of the AWS account.

The attack went unnoticed for 14 hours, during which significant computational power was consumed, producing a substantial increase in the company’s AWS bill.

Consequence: The Immediate Impact

The hacker’s actions had a direct and costly impact on the health tech company:

  • Unauthorized Access: The brute-force attack on the secondary cloud provider’s weak password gave the attacker the stored AWS credentials and, with them, access to the primary cloud.

  • Increased AWS Usage: The mining load started by the attacker consumed compute resources at a very high rate, causing a significant increase in the AWS bill.

  • Delayed Response: The company eventually noticed the unusual load on its AWS account and shut the instance down, but only 14 hours after the mining began, by which time the attacker had racked up substantial costs.
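The 14-hour gap above is the kind of window a simple usage alarm closes. The script below is an added illustration, not tooling from the case study or from Nova: it assumes an hourly export of a compute metric (for example CloudWatch CPUUtilization for the instance, or estimated charges for the account), uses a constructed sample in which a quiet workload is replaced by a sustained mining load at hour 36, and reports when a baseline-deviation alarm would have fired and how far behind the start of the load that is.

```python
"""Hourly usage anomaly detector.

Added illustration, not the case study's own tooling. Assumption: an hourly
series of a compute metric such as CloudWatch CPUUtilization or EstimatedCharges
has been exported. The values below are constructed, not real telemetry.
"""
from statistics import median

# Constructed sample: 48 hourly data points. Hours 0..35 are normal traffic
# (roughly 4-9% average CPU); a mining load starts at hour 36 and pins CPU near 97%.
SAMPLE_HOURLY_CPU = [
    5, 6, 4, 5, 7, 8, 9, 8, 6, 5, 4, 5,
    6, 7, 8, 9, 8, 7, 6, 5, 4, 5, 6, 7,
    5, 6, 4, 5, 7, 8, 9, 8, 6, 5, 4, 5,
    96, 97, 98, 97, 96, 98, 97, 97, 96, 98, 97, 96,
]
MINING_START_HOUR = 36           # ground truth for the constructed sample
MANUAL_DETECTION_LAG_HOURS = 14  # what the case study reports


def first_alert_hour(series, window=24, factor=3.0, floor=20.0, consecutive=2):
    """Return the index of the hour at which the alarm fires, or None.

    An hour is anomalous when its value exceeds max(floor, factor * baseline),
    where baseline is the median of the previous `window` hours. The median
    keeps a few busy hours from inflating the baseline, `floor` stops a near-idle
    account from alerting on noise, and requiring `consecutive` anomalous hours
    suppresses a single-hour spike (a batch job) while still catching a
    sustained mining load within two samples.
    """
    streak = 0
    for i in range(window, len(series)):
        baseline = median(series[i - window:i])
        threshold = max(floor, factor * baseline)
        if series[i] > threshold:
            streak += 1
            if streak >= consecutive:
                return i
        else:
            streak = 0
    return None


def detection_lag_hours(series, start_hour, **kwargs):
    """Hours between the start of the anomalous load and the alarm firing."""
    alert = first_alert_hour(series, **kwargs)
    return None if alert is None else alert - start_hour


if __name__ == "__main__":
    alert = first_alert_hour(SAMPLE_HOURLY_CPU)
    lag = detection_lag_hours(SAMPLE_HOURLY_CPU, MINING_START_HOUR)
    print(f"alarm fires at hour {alert}, {lag} h after the load started "
          f"(manual detection in the case study took {MANUAL_DETECTION_LAG_HOURS} h)")
```

On the constructed sample the alarm fires at hour 37, one hour after the mining load starts, against the 14 hours reported in the case study. The two-hour confirmation is a deliberate trade: a single anomalous sample is ignored, so a legitimate one-off batch job does not page anyone, while a miner that runs continuously trips the alarm on its second sample.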

Response: Steps Taken to Mitigate the Damage

Step 01: AWS Instance Shutdown

Upon noticing the unusual computational load on its AWS account, the client shut off the AWS instance. However, this came 14 hours after the attack began, by which point significant additional costs had accrued.

Step 02: Incident Reporting to Insurer

The client informed its insurer about the incident six days after it occurred. By that time, the company had determined that the attacker obtained the primary cloud’s credentials by compromising the secondary cloud provider’s system.

Step 03: Consulting with Nova’s vCISO Team

While the insurer and broker were investigating the incident, the client consulted Nova’s virtual Chief Information Security Officer (vCISO) team. Given that the client was on AWS’s premier plan, Nova’s team recommended that the client negotiate with AWS to waive the charges associated with the unauthorized usage.

Step 04: Successful Negotiation and Security Enhancements

With the support of Nova’s vCISO team, the client successfully convinced AWS to waive the additional charges. AWS, which could see from the account’s historical usage that the activity was anomalous, agreed to the waiver. Following the incident, the client implemented stronger security controls over a three-month period to prevent a recurrence.

The Cost: Financial and Operational Implications

The unnecessary AWS workload generated by the attacker’s mining load amounted to INR 54,00,000 (54 lakh). This cost was a product of the delayed response to the attack and the extensive computational resources consumed by the unauthorized mining instance.

Learnings: Key Takeaways for the Industry

  • Importance of Multi-Factor Authentication (MFA): This incident underscores the role of multi-factor authentication and strong password practices as the first line of defense. A brute-force attack succeeds only where a password is guessable and MFA is absent, and that applies to every system that holds credentials for another, not just the primary cloud: storing AWS credentials behind a weak password on a secondary provider made that provider the weakest link in the AWS account’s security.

  • Prompt Detection and Incident Reporting: Delays in detecting and reporting cyber incidents lead to increased financial losses and prolonged recovery times. Here, 14 hours passed before the mining load was noticed and six days before the insurer was informed; immediate action is crucial in mitigating damage.

  • Cyber Insurance as a Safety Net: Despite robust security measures, human errors and vulnerabilities can still be exploited. Cyber insurance plays a vital role in covering financial losses and ensuring that companies have the resources to recover from attacks.

  • Expert Consultation: Engaging with a knowledgeable insurance broker and cybersecurity experts, such as Nova’s vCISO team, can significantly reduce the financial impact of an attack by facilitating negotiations and implementing effective recovery strategies.
