Attackers stole data from the European Commission’s Europa web platform after gaining access through the Trivy supply-chain compromise, according to CERT-EU.
Europa is the Commission’s public website platform, hosted on AWS. CERT-EU says the breach affected data tied to up to 71 clients of the service: 42 internal Commission clients and at least 29 other Union entities. About 91.7 GB of compressed data was exfiltrated, according to CERT-EU, including personal data such as names, email addresses and email content. Reuters reported last week that the Commission said its internal systems were not compromised.
Trivy is Aqua Security’s open-source vulnerability scanner. Aqua said attackers used compromised credentials on March 19 to publish malicious releases of Trivy v0.69.4 as well as the trivy-action and setup-trivy GitHub Actions. CERT-EU says the Commission unknowingly used the compromised Trivy software through normal update channels, exposing an AWS API key tied to one of its cloud accounts. That key, CERT-EU said, granted control over other AWS accounts affiliated with the Commission.
CERT-EU said the attacker used the stolen key to access the cloud environment, then deployed TruffleHog, an open-source tool that scans repositories for exposed secrets such as API keys, passwords, certificates and SSH keys. The attacker validated the credentials through AWS Security Token Service, created a new access key on an existing user account to keep access, and then moved on to reconnaissance and data theft.
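The sequence CERT-EU describes (validate the stolen key against STS, then create a new access key on an existing user) is one that CloudTrail records, which makes it a practical hunting query. The following is an added example, not code from CERT-EU, Aqua or the Commission; it assumes the STS validation was the usual sts:GetCallerIdentity call (the page does not name the call), uses constructed, abbreviated CloudTrail records rather than incident data, and flags an iam:CreateAccessKey that follows a GetCallerIdentity from the same access key within a chosen window, noting whether the validating call came from an IP that key had not used before.

```python
"""Hunt for the validate-then-persist sequence in CloudTrail records.

Added example, not code from any party named in the article. The records
below are constructed to look like abbreviated CloudTrail events; the account
IDs, key IDs, user names and IPs are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)  # how long after validation a CreateAccessKey still counts

# Constructed sample (only the fields the detection uses). Key AKIAEXAMPLECICD0001
# is a long-lived CI key: first a normal pipeline run, then a session from a new
# IP that validates the key and mints a fresh key on a different user.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-20T08:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLECICD0001"}},
    {"eventTime": "2026-03-20T08:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLECICD0001"}},
    {"eventTime": "2026-03-21T02:14:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLECICD0001"}},
    {"eventTime": "2026-03-21T02:16:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer",
                      "accessKeyId": "AKIAEXAMPLECICD0001"},
     "requestParameters": {"userName": "web-publisher"}},
]


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_validate_then_persist(events, window: timedelta = WINDOW):
    """Return one finding per CreateAccessKey that follows a GetCallerIdentity
    made with the same access key inside `window`.

    Each finding records the key, the target user of the new key (the caller
    itself when requestParameters.userName is absent, which is how IAM treats
    that call), and whether the validating call came from an IP not previously
    seen for that key in the supplied events.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    seen_ips = defaultdict(set)   # accessKeyId -> IPs used before the current event
    last_validate = {}            # accessKeyId -> details of most recent GetCallerIdentity
    findings = []

    for event in ordered:
        ident = event.get("userIdentity") or {}
        key = ident.get("accessKeyId")
        if not key:
            continue
        ip = event.get("sourceIPAddress")
        when = parse_time(event["eventTime"])
        source, name = event.get("eventSource"), event.get("eventName")

        if source == "sts.amazonaws.com" and name == "GetCallerIdentity":
            last_validate[key] = {"time": when, "ip": ip,
                                  "newSourceIp": ip not in seen_ips[key]}
        elif source == "iam.amazonaws.com" and name == "CreateAccessKey":
            validated = last_validate.get(key)
            if validated and when - validated["time"] <= window:
                params = event.get("requestParameters") or {}
                findings.append({
                    "accessKeyId": key,
                    "caller": ident.get("userName"),
                    "targetUser": params.get("userName") or ident.get("userName"),
                    "validatedAt": validated["time"].isoformat(),
                    "createdAt": when.isoformat(),
                    "sourceIp": ip,
                    "newSourceIp": validated["newSourceIp"],
                })
        # Record the IP after the checks so a validating call from a fresh IP
        # is judged against what the key had used up to that point.
        seen_ips[key].add(ip)

    return findings


if __name__ == "__main__":
    for finding in find_validate_then_persist(SAMPLE_EVENTS):
        print(finding)
```

GetCallerIdentity on its own is noisy, since SDKs and CI tooling call it routinely; the signal is the pairing with a persistence action and an unfamiliar source IP. A tighter control is to alert on any CreateAccessKey for a user that should only ever hold one key. In a real environment the records would come from CloudTrail Lake or the S3 delivery bucket rather than an in-memory list.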
The agency says the stolen data relates to websites hosted for Commission clients and other Union entities. The Commission’s cyber operations center first detected suspicious activity on March 24 and CERT-EU was notified on March 25; the hacking group ShinyHunters published the dataset on March 28.