Europa.eu Hack: A Lesson in IAM Configuration

With a tighter implementation of the principle of least privilege, Europa.eu might have escaped the breach.

This assessment comes from the analysis of a Polish information-security specialist, who went further than the public briefing from CERT-EU. He concluded there were two distinct problems with resource access controls.

On the one hand, the identity used by the attackers had permission to retrieve secrets from any ARN within the account. On the other, the main SSO carried a wildcard. The problematic policy could look like this:

Coupled with the absence of MFA at the identity-provider level, this level of access allowed enumerating resources (s3:ListBucket, iam:ListRoles), retrieving DKIM keys (stored in clear text in AWS Secrets Manager), and exfiltrating 340 GB of data (via S3, Athena and NextCloud).
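
One way to check a policy for the two problems described above, as an added example (not from the original article or the analysis it cites): a small Python audit run over two constructed policies. The policy contents, Sids, account ID and ARNs are assumptions made for illustration.

```python
import fnmatch

# Constructed policies: placeholders only, not the real Europa.eu documents.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Sid": "SsoWildcard", "Effect": "Allow",
     "Action": "s3:*", "Resource": "*"},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     # Secrets Manager appends a 6-character suffix, hence the ?????? tail.
     "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:"
                 "secret:example/mail-signing-??????"},
    {"Sid": "ListOneBucket", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
]}


def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (sid, finding, value) for each over-broad Allow grant."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            # "*" or "service:*" grants every action of a service.
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard-action", action))
            # Action patterns are case-insensitive globs; see if this one
            # covers GetSecretValue, then check how wide the resource is.
            if fnmatch.fnmatchcase("secretsmanager:getsecretvalue", action.lower()):
                for res in resources:
                    if res == "*" or res.endswith(":secret:*"):
                        findings.append((sid, "any-secret-readable", res))
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy) or "no findings")
```

The audit ignores NotAction, NotResource and Condition blocks, so an empty result is a first pass rather than proof of least privilege.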


CERT-EU had revealed the initial access vector

The loot includes emails with attachments as well as the contents of the SSO directory. Their combination opens the door to targeted phishing, as do the DKIM keys, at least until key rotation at the DNS level is confirmed (something Europa.eu has probably done since).

The package also contains operational data that is potentially useful for future attacks: for example, AWS config dumps, results of Athena queries (typically log and metric analysis) and URLs of internal administration interfaces.

The European Commission officially acknowledged the breach of Europa.eu (the EU’s web hosting platform) on March 27, three days after finding traces of it. The next day, the ShinyHunters group published the data.

CERT-EU issued a statement on April 2. It notably provided details on the initial access vector: Trivy, an open-source vulnerability scanner. A token retrieved through a misconfiguration in the GitHub Actions environment allowed an intrusion into the release process and the publication of a malicious version containing an infostealer.

Dawn Liphardt
