
Bling Libra’s Cloud Hijinks: How ShinyHunters Turned from Data Thieves to Extortion Experts

Bling Libra, known for ShinyHunters ransomware, has switched from selling stolen data to extorting victims. Using legitimate AWS credentials found online, they infiltrate organizations’ cloud environments. Despite limited permissions, they conduct reconnaissance and deletion operations using tools like S3 Browser and WinSCP. Robust cloud security…

Hot Take:

When your ransomware group decides to pivot to extortion, you know they’re just trying to keep up with the latest trends in cybercrime fashion. Bling Libra, aka ShinyHunters, is now all about that “pay up or else” life, and they’re using legit credentials to sneak into your AWS like a ninja in a server room. It’s like they took a course in “Cloud Heist 101” and aced it with flying colors (or should we say, glittering ones?).

Key Points:

  • Bling Libra (ShinyHunters) has shifted from selling stolen data to extorting victims.
  • The group uses legitimate AWS credentials from public repositories for initial access.
  • They employ tools like S3 Browser and WinSCP to navigate and manipulate AWS environments.
  • CloudTrail logs are critical in differentiating legitimate tool activity from malicious actions.
  • Palo Alto Networks offers products to protect against such threats, including Cortex XDR and Prisma Cloud.
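
The CloudTrail point above can be made concrete with a small triage script. This is an added example, not code from the article or from Palo Alto Networks. It assumes the tools name themselves in CloudTrail's `userAgent` field, and the records, access key IDs and bucket name are constructed placeholders.

```python
from collections import defaultdict

# Assumption: each tool names itself in CloudTrail's userAgent field.
TOOL_MARKERS = ("S3 Browser", "WinSCP")
RECON = {"ListBuckets", "GetBucketLocation", "GetBucketAcl", "ListObjects"}
DESTRUCTIVE = {"DeleteBucket", "DeleteObject", "DeleteObjects"}
KEY = "AKIAEXAMPLEKEY000001"  # placeholder access key ID

def ev(name, agent, key=KEY, bucket=None, error=None):
    """Build a constructed record using CloudTrail's field names."""
    rec = {"eventName": name, "userAgent": agent,
           "userIdentity": {"accessKeyId": key},
           "requestParameters": {"bucketName": bucket} if bucket else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records, not taken from a real incident.
SAMPLE_EVENTS = [
    ev("ListBuckets", "S3 Browser/0.0 (constructed)"),
    ev("GetBucketAcl", "S3 Browser/0.0 (constructed)",
       bucket="constructed-bucket-a", error="AccessDenied"),
    ev("ListObjects", "WinSCP/0.0 (constructed)", bucket="constructed-bucket-a"),
    ev("DeleteBucket", "WinSCP/0.0 (constructed)", bucket="constructed-bucket-a"),
    ev("ListBuckets", "aws-cli/0.0 (constructed)", key="AKIAEXAMPLEKEY000002"),
]

def triage(events):
    """Summarise S3 activity from the named tools per (access key, tool)."""
    summary = defaultdict(lambda: {"recon": 0, "destructive": 0, "other": 0,
                                   "denied": 0, "buckets": set()})
    for e in events:
        agent = e.get("userAgent", "").lower()
        tool = next((m for m in TOOL_MARKERS if m.lower() in agent), None)
        if tool is None:
            continue  # not one of the tools under review
        row = summary[(e.get("userIdentity", {}).get("accessKeyId", "unknown"), tool)]
        name = e.get("eventName", "")
        kind = "destructive" if name in DESTRUCTIVE else "recon" if name in RECON else "other"
        row[kind] += 1
        if e.get("errorCode") == "AccessDenied":
            row["denied"] += 1  # denied calls show the limits of the key's permissions
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        if bucket:
            row["buckets"].add(bucket)
    return dict(summary)

def alerts(summary):
    """Return (access key, tool) pairs that issued delete calls, for analyst review."""
    return sorted(k for k, row in summary.items() if row["destructive"] > 0)
```

Object-level calls such as `DeleteObject` are S3 data events and appear only if the trail logs data events; `ListBuckets` and `DeleteBucket` are management events.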
