The attack was claimed on March 28 by the group “ShinyHunters”. A few days later, the European Commission lifted the veil on an IT security incident affecting the platform of its public website, hosted on Amazon’s cloud. As Cert-EU explains in a detailed article published last Thursday, the intrusion was spotted on March 24.
That day, the European Commission’s Cybersecurity Operations Center received an alert: abnormal use of Amazon APIs suggested an account compromise, and unusual traffic was also observed. After investigating, Cert-EU was able to trace the precise contours of the compromise, producing a post-incident account that is valuable because it is relatively complete.
The mark of Trivy
It all started almost a week earlier, on March 19. That day, the attacker managed to obtain a key that opened the way into the Commission’s Amazon cloud. The attacker immediately tried to open up further access, using the TruffleHog tool, before beginning reconnaissance; all of these entry points have since been closed by the Commission.
The timeline coincides with the attack on Trivy, attributed to the “TeamPCP” intrusion set. But this is not the only element suggesting a link between the two attacks: the European Commission was in fact unknowingly using a compromised version of Trivy. Brussels also advises all Trivy users to update their tool to a version recognized as secure.
The compromise of this open source vulnerability scanner looked like a jackpot for the attackers. They had in fact harvested credentials in a cascade, Anssi noted. This first attack began with the takeover of a repository on GitHub, followed by the compromise of other projects. The result was the deployment of infostealers, malware hungry for credentials of all kinds.
Analysis in progress
Among the indirect victims of the Trivy compromise is the European Commission. Brussels thus deplores the theft of approximately 92 gigabytes of data: files relating to websites hosted by the Europa service for entities internal and external to the Union.
Cert-EU notes that around 52,000 files concern emails. Although the majority of these communications were automated notifications, these messages may “contain original user-submitted content, posing a risk of disclosure of personal information.”
“Analysis of databases linked to hosted websites is underway,” Cert-EU also warns. “Given the volume and complexity of the data involved, this process requires considerable time.” Clearly, while the methods of the attack were quickly identified, it will still take time to measure the extent of the damage.
Originally published at Almouwatin.com