The 'Crimson Collective' threat group has been targeting AWS (Amazon Web Services) cloud environments in recent weeks to steal data and extort companies.
The hackers claimed responsibility for the recent Red Hat attack, saying that they exfiltrated 570 GB of data from thousands of private GitLab repositories, and pressured the software company to pay a ransom.
Following the disclosure of the incident, Crimson Collective partnered with Scattered Lapsus$ Hunters to increase the extortion pressure on Red Hat.
An analysis from researchers at Rapid7 provides more information about Crimson Collective’s activity, which involves compromising long-term AWS access keys and identity and access management (IAM) accounts for privilege escalation.
The attackers use the open-source secrets scanner TruffleHog to discover exposed long-term AWS access keys. After gaining access with a stolen key, they create new IAM users and login profiles via API calls and generate new access keys for those users.
Next comes privilege escalation: the attackers attach the 'AdministratorAccess' managed policy to the newly created users, granting Crimson Collective full control of the AWS account.
[Figure: The observed attack flow. Source: Rapid7]
The threat actors take advantage of this level of access to enumerate users, instances, buckets, locations, database clusters, and applications, to plan the data collection and exfiltration phase.
They reset the master password of RDS (Relational Database Service) instances to gain database access, create snapshots of those instances, and then export the snapshots to S3 (Simple Storage Service) buckets via API calls, from where the data is exfiltrated.
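Both API sequences described above, the IAM user creation and privilege escalation chain and the RDS password reset, snapshot and S3 export chain, leave a distinctive trail in CloudTrail. The following is an added example of detection logic over constructed CloudTrail-style records; it is not Rapid7's tooling or anything from the original report. Field names follow CloudTrail's convention of lower-camel-casing the API request parameters; the time windows, account ID, user names, bucket name and timestamps are assumptions made for the example.

```python
"""Detect the two CloudTrail event chains described in the article:
(1) a freshly created IAM user that receives a login profile and/or access key
    and then AdministratorAccess, and
(2) an RDS instance whose master password is reset before a snapshot of it is
    exported to S3.
Added example, not Rapid7's tooling or the group's code. The records are
constructed to look like trimmed CloudTrail events; windows are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM, RDS = "iam.amazonaws.com", "rds.amazonaws.com"
ACCOUNT = "111122223333"                                   # assumed account ID
LEAKED_KEY_USER = f"arn:aws:iam::{ACCOUNT}:user/ci-deploy"  # assumed victim identity
NEW_USER = f"arn:aws:iam::{ACCOUNT}:user/backup-svc"        # assumed attacker-created user


def _ts(event):
    """Parse CloudTrail's eventTime, which is always UTC with a 'Z' suffix."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _params(event):
    return event.get("requestParameters") or {}


def detect_iam_persistence(events, window=timedelta(hours=1)):
    """Flag a user that is created and, within `window`, is given console or
    API credentials and the AdministratorAccess policy."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("eventSource") == IAM and "userName" in _params(e):
            by_user[_params(e)["userName"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        created = [e for e in evs if e["eventName"] == "CreateUser"]
        if not created:
            continue
        t0 = _ts(created[0])
        in_window = [e for e in evs if t0 <= _ts(e) <= t0 + window]
        names = {e["eventName"] for e in in_window}
        got_creds = names & {"CreateLoginProfile", "CreateAccessKey"}
        got_admin = any(e["eventName"] == "AttachUserPolicy"
                        and _params(e).get("policyArn") == ADMIN_POLICY_ARN
                        for e in in_window)
        if got_creds and got_admin:
            findings.append({"rule": "iam_new_user_to_admin", "user": user,
                             "actor": created[0].get("userIdentity", {}).get("arn"),
                             "events": sorted(names)})
    return findings


def detect_rds_snapshot_export(events, window=timedelta(hours=2)):
    """Flag ModifyDBInstance(masterUserPassword) -> CreateDBSnapshot ->
    StartExportTask to S3 for the same instance within `window`.
    Only the presence of the masterUserPassword key matters; CloudTrail does
    not log the value."""
    rds = sorted((e for e in events if e.get("eventSource") == RDS), key=_ts)
    pw_reset = {}    # instance id -> time of the password change
    snap_owner = {}  # snapshot id -> instance id
    findings = []
    for e in rds:
        p, name = _params(e), e["eventName"]
        if name == "ModifyDBInstance" and "masterUserPassword" in p:
            pw_reset[p["dBInstanceIdentifier"]] = _ts(e)
        elif name == "CreateDBSnapshot":
            snap_owner[p["dBSnapshotIdentifier"]] = p["dBInstanceIdentifier"]
        elif name == "StartExportTask":
            snap_id = p.get("sourceArn", "").rsplit(":", 1)[-1]
            inst = snap_owner.get(snap_id)
            if inst in pw_reset and _ts(e) - pw_reset[inst] <= window:
                findings.append({"rule": "rds_password_reset_then_export",
                                 "instance": inst, "snapshot": snap_id,
                                 "bucket": p.get("s3BucketName"),
                                 "actor": e.get("userIdentity", {}).get("arn")})
    return findings


def run_detections(events):
    return detect_iam_persistence(events) + detect_rds_snapshot_export(events)


def _ev(t, source, name, params, actor=LEAKED_KEY_USER):
    """Build a trimmed, constructed CloudTrail-style record."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}


# Constructed sample trail: two benign sequences and the two chains described.
SAMPLE_EVENTS = [
    _ev("2025-10-01T08:00:00Z", IAM, "CreateUser", {"userName": "auditor"}),
    _ev("2025-10-01T08:00:30Z", IAM, "AttachUserPolicy",
        {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2025-10-01T10:00:00Z", IAM, "CreateUser", {"userName": "backup-svc"}),
    _ev("2025-10-01T10:00:05Z", IAM, "CreateLoginProfile", {"userName": "backup-svc"}),
    _ev("2025-10-01T10:00:09Z", IAM, "CreateAccessKey", {"userName": "backup-svc"}),
    _ev("2025-10-01T10:00:20Z", IAM, "AttachUserPolicy",
        {"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}),
    _ev("2025-10-01T10:30:00Z", RDS, "ModifyDBInstance",   # resize only, no reset
        {"dBInstanceIdentifier": "dev-db", "dBInstanceClass": "db.t3.medium"}),
    _ev("2025-10-01T10:40:00Z", RDS, "CreateDBSnapshot",
        {"dBInstanceIdentifier": "dev-db", "dBSnapshotIdentifier": "dev-db-nightly"}),
    _ev("2025-10-01T11:00:00Z", RDS, "ModifyDBInstance",
        {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}, NEW_USER),
    _ev("2025-10-01T11:10:00Z", RDS, "CreateDBSnapshot",
        {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-snap-1"}, NEW_USER),
    _ev("2025-10-01T11:25:00Z", RDS, "StartExportTask",
        {"exportTaskIdentifier": "exp-1", "s3BucketName": "staging-archive-2025",
         "sourceArn": f"arn:aws:rds:us-east-1:{ACCOUNT}:snapshot:prod-db-snap-1",
         "iamRoleArn": f"arn:aws:iam::{ACCOUNT}:role/rds-export"}, NEW_USER),
]

if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_EVENTS), indent=2))
```

Against the sample trail the IAM rule fires only for backup-svc (the auditor user never receives credentials or admin rights), and the RDS rule fires only for prod-db (dev-db was resized, not password-reset, and never exported). On real data the same fields are available from the trail's S3 objects or CloudWatch Logs; a practical refinement is to weight findings where the acting identity used a long-term key (an accessKeyId beginning with AKIA in the userIdentity block), since that is the credential type the campaign starts from.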