A threat group known as Crimson Collective has been actively targeting Amazon Web Services (AWS) cloud environments to steal data and extort companies. Their attacks involve a sophisticated series of steps, as detailed by researchers at Rapid7. The group’s recent claim of responsibility for a major data theft from Red Hat highlights the severity of their operations. According to Crimson Collective, they exfiltrated 570 GB of data from thousands of private GitLab repositories and partnered with Scattered Lapsus$ Hunters to increase pressure on Red Hat for a ransom payment. This incident underscores the group’s aggressive extortion tactics and the significant risks they pose to organizations using AWS.
Crimson Collective’s attack methodology begins by compromising long-term AWS access keys and identity and access management (IAM) accounts. They use the open-source tool TruffleHog to find exposed AWS credentials, then gain access and create new IAM users and login profiles via API calls. Once inside, they escalate their privileges by attaching the ‘AdministratorAccess’ policy to these new users. This gives them full control over the AWS environment. They then use this high-level access to enumerate a wide range of assets, including users, instances, buckets, and database clusters, to plan their data exfiltration strategy.
The group’s data theft process is systematic and thorough. For databases, they modify the Relational Database Service (RDS) master passwords to gain access, create snapshots, and then export them to Simple Storage Service (S3) buckets using API calls for exfiltration. They also create snapshots of Elastic Block Store (EBS) volumes and launch new Elastic Compute Cloud (EC2) instances to which the volumes are attached; permissive security groups on those instances make it easy to move the stolen information out of the compromised environment.
After exfiltrating the data, Crimson Collective moves on to the extortion phase. They send a ransom note to their victims via the AWS Simple Email Service (SES) from within the breached cloud environment, as well as to external email addresses. Researchers note that the group uses multiple IP addresses in their operations but has also reused some across different incidents, which could aid in tracking. In response to these threats, AWS advises customers to use short-term, least-privileged credentials and implement restrictive IAM policies to reduce their exposure.
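The chain described above lends itself to a simple correlation rule on CloudTrail. The following is an added example, not code from the article or from Rapid7: it walks CloudTrail-style records and flags any principal that progresses through several of the stages (IAM user and login profile creation, AdministratorAccess attachment, RDS master-password reset and snapshot export, EBS snapshot staging). Event names are the real AWS API names; the record layout is simplified, and the account id, user names and the `masterUserPassword` key in the fixture are constructed assumptions.

```python
from collections import defaultdict

# Stage -> CloudTrail eventNames that indicate it (real AWS API names, per the report)
STAGES = {
    "persistence": {"CreateUser", "CreateLoginProfile"},
    "privilege_escalation": {"AttachUserPolicy"},
    "rds_takeover": {"ModifyDBInstance", "CreateDBSnapshot", "StartExportTask"},
    "ebs_staging": {"CreateSnapshot", "RunInstances", "AttachVolume"},
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def classify(event):
    """Map one record to a stage name, or None when it is benign noise."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name == "AttachUserPolicy":  # only the AdministratorAccess grant is of interest
        return "privilege_escalation" if params.get("policyArn") == ADMIN_POLICY else None
    if name == "ModifyDBInstance":  # count only a master-password reset (value masked by CloudTrail)
        return "rds_takeover" if "masterUserPassword" in params else None
    for stage, names in STAGES.items():
        if name in names:
            return stage
    return None

def correlate(events, min_stages=3):
    """Group stages by acting principal; report principals seen in >= min_stages stages."""
    seen = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage:
            seen[event["userIdentity"]["arn"]].add(stage)
    return {arn: sorted(s) for arn, s in seen.items() if len(s) >= min_stages}

def ev(name, arn, **params):
    """Build a minimal CloudTrail-shaped record (fixture helper, not a real log line)."""
    return {"eventName": name, "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample records; account id and names are placeholders, not from any incident
ATTACKER = "arn:aws:iam::111122223333:user/leaked-deploy-key"
ADMIN = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    ev("CreateUser", ATTACKER, userName="svc-backup"),
    ev("CreateLoginProfile", ATTACKER, userName="svc-backup"),
    ev("AttachUserPolicy", ATTACKER, userName="svc-backup", policyArn=ADMIN_POLICY),
    ev("ModifyDBInstance", ATTACKER, dBInstanceIdentifier="prod-db", masterUserPassword="****"),
    ev("StartExportTask", ATTACKER, s3BucketName="export-staging-example"),
    # Routine work by a legitimate administrator must not be flagged
    ev("CreateSnapshot", ADMIN, volumeId="vol-0example"),
    ev("AttachUserPolicy", ADMIN, userName="bob", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]
```

Running `correlate(SAMPLE_EVENTS)` reports only the leaked-key principal, with the three stages it reached; the legitimate administrator's single EBS snapshot stays below the threshold.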
While the exact size and composition of the Crimson Collective threat group remain unknown, their activities and extortion tactics should not be overlooked. Their methods differ from those of other threat actors, such as “Codefinger,” which was known for encrypting S3 buckets rather than exfiltrating data. To mitigate these attacks, it’s recommended that organizations scan their environments for unknown exposures using open-source tools like the S3crets Scanner. Staying vigilant and implementing strong security practices are crucial steps in preventing catastrophic breaches from leaked AWS secrets.