ShinyHunter, a hacker group whose main business is data theft and extortion, has recently breached the well-known cloud development platform Vercel. After the attack, some internal sensitive information and customer information was leaked. The platform is currently notifying affected customers to rotate their credentials immediately and review their activity logs.

Initially, Vercel did not announce the cause of the attack. At that time, there were rumors that the source was the AI tool Context.ai. Vercel later updated its security incident page to confirm this: its employees were compromised through Context.AI. The attacker used the tool's access rights to take control of the Vercel Google Workspace account, and then used that account to enter the internal environment.

The screenshot shows that Vercel contacted the hacker through Telegram and asked them not to publish any data. The hacker's aim, however, is money: they are demanding $2 million in exchange for keeping the data confidential. It is unclear whether Vercel will pay the ransom.

Vercel said only a small number of customers were affected:

In its security incident update, Vercel emphasized that the incident resulted in the theft of only a small amount of customer data. It has now contacted the affected customers privately to strengthen security measures and rotate their credentials. Vercel also emphasized that the stolen internal information was not confidential: data marked as sensitive within Vercel could not be read with the access the attacker had, so the hackers did not obtain Vercel's sensitive information.

Checking whether you have been affected is also simple. Log in to the Google or Google Workspace console and check whether the list of authorized OAuth applications contains: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com (Google appears to have deleted the application; I don't know whether the authorization history can still be viewed.)

If this OAuth authorization is present, the account has been compromised. The user should immediately rotate all credentials and check every service for abnormal login activity, because the hackers may also have used those credentials to log in to servers and install other persistence backdoors.
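A defender-side way to automate the check above, as an added example that is not part of the original article: it scans per-user OAuth grant records in the shape returned by the Google Workspace Admin SDK Directory API `tokens.list` call (an `items` list of records with `clientId`, `displayText` and `scopes`) for the client ID quoted above, and separately flags any other grant carrying broad mail, Drive or Calendar scopes for review. The sample records are constructed; fetching the real records from the API is left to the caller.

```python
"""Flag Google Workspace users whose OAuth grants include the client ID
named in the Vercel incident, or any grant with broad data-access scopes.

Input follows the Admin SDK Directory API `tokens.list` response shape
(one response per user). The sample records below are constructed, not
real data; fetching records from the API is left to the caller.
"""

# Client ID quoted in the article for the Context.AI integration.
SUSPECT_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Scopes that let a third-party app read mail, files or calendars wholesale.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
}

def triage_tokens(token_lists):
    """token_lists: {user_email: tokens.list response dict}.
    Returns (compromised_users, review_items); review_items are
    (user, clientId, displayText, broad_scopes) tuples for other grants
    that deserve a second look before credentials are rotated."""
    compromised, review = [], []
    for user, resp in token_lists.items():
        for tok in resp.get("items", []):
            cid = tok.get("clientId", "")
            if cid == SUSPECT_CLIENT_ID:
                compromised.append(user)   # direct match on the IoC
                continue
            broad = sorted(set(tok.get("scopes", [])) & BROAD_SCOPES)
            if broad:
                review.append((user, cid, tok.get("displayText", ""), broad))
    return sorted(set(compromised)), review

# Constructed sample: two users, one holding the suspect grant.
SAMPLE = {
    "alice@example.com": {"kind": "admin#directory#tokenList", "items": [
        {"clientId": SUSPECT_CLIENT_ID, "displayText": "Context",
         "scopes": ["https://mail.google.com/", "openid"]}]},
    "bob@example.com": {"kind": "admin#directory#tokenList", "items": [
        {"clientId": "example-backup.apps.googleusercontent.com",
         "displayText": "Backup tool",
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
        {"clientId": "example-sso.apps.googleusercontent.com",
         "displayText": "SSO", "scopes": ["openid", "email"]}]},
}

if __name__ == "__main__":
    hit, rev = triage_tokens(SAMPLE)
    print("rotate credentials for:", hit)
    for item in rev:
        print("review grant:", item)
```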

Context.AI has not posted a response yet:

Vercel has notified Context.AI of the security incident, but the latter has not yet issued any response. Bluedot checked its blog and found that Context.AI published three posts last night on other topics, none of which mentioned security, so it is still completely unclear how the hacker broke into Context.AI.

Therefore, users of Context.AI are also advised to immediately check and rotate their credentials and look for abnormal login activity. If you want a higher level of security, rotate all credentials even if no abnormal activity is found.

via Vercel