
Crimson Collective Hackers Breach AWS for Data Theft

Summary

– The Crimson Collective threat group targets AWS cloud environments to steal data and extort companies, as seen in their recent attack on Red Hat.
– They start from compromised long-term AWS access keys belonging to IAM users, create new IAM users and keys for persistence, then escalate privileges by attaching the AWS-managed ‘AdministratorAccess’ policy for full control of the account.
– Attackers use tools like TruffleHog to find exposed credentials. For collection they reset RDS master passwords, snapshot databases and export the snapshots to S3, and snapshot EBS volumes and mount them on newly launched EC2 instances.
– After data theft, Crimson Collective sends extortion notes via AWS SES and external emails, pressuring victims to pay ransoms.
– AWS recommends short-term, least-privileged credentials to mitigate such attacks; security teams are also urged to scan their environments for exposed secrets with tools like S3crets Scanner.

A sophisticated hacking group known as the Crimson Collective has been actively infiltrating Amazon Web Services (AWS) cloud infrastructures, aiming to steal sensitive data and extort targeted organizations. This group recently took credit for a significant breach at Red Hat, asserting they successfully extracted 570 gigabytes of proprietary information from thousands of private GitLab repositories. Following the initial attack, Crimson Collective joined forces with another entity called Scattered Lapsus$ Hunters to intensify ransom demands against the software firm.

Security analysts at Rapid7 have detailed the group’s methods, which begin with compromised long-term AWS access keys belonging to IAM users. The group uses the open-source tool TruffleHog to scan systematically for exposed AWS credentials. Once inside an account, they create new IAM users and console login profiles through the IAM API (CreateUser and CreateLoginProfile calls) and then mint fresh access keys for those users (CreateAccessKey). The threat actors then escalate privileges by attaching the AWS-managed ‘AdministratorAccess’ policy to the new users (AttachUserPolicy), which grants complete administrative control over the AWS account.

With this elevated access, the hackers perform reconnaissance across users, instances, storage buckets, regions, database clusters, and applications, which lets them plan data collection and exfiltration. They reset the master password on Amazon Relational Database Service instances to gain entry, create database snapshots, and export those snapshots to Amazon S3, from which the data is pulled out via API calls. Rapid7 also documented incidents in which Elastic Block Store volumes were snapshotted, new EC2 instances were launched with permissive security groups, and volumes created from the snapshots were attached to those instances so the data could be read off them.
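The two paragraphs above describe a chain that leaves a recognisable trail in CloudTrail: IAM user and key creation, AttachUserPolicy with AdministratorAccess, an RDS master password change, snapshots, an export to S3, and finally SES mail. The following detector is an added example written for this page; it is not code from Rapid7, AWS or the article. It assumes the standard CloudTrail record fields (eventSource, eventName, userIdentity, requestParameters, sourceIPAddress), assumes that a ModifyDBInstance record keeps the masterUserPassword field name (with the value redacted) when the password was changed, and uses constructed sample events whose account ID, user names, IP addresses and bucket name are placeholders. The one non-obvious design choice is attribution: a user created or keyed by principal X is folded into X's cluster, so the backdoor user's later RDS and SES activity is tied back to the compromised key that created it.

```python
"""Correlate a Crimson Collective-style intrusion chain across CloudTrail records.

Added example, not Rapid7's, AWS's or the article's code. Records follow the
CloudTrail record format; the sample events at the bottom are constructed and
every account ID, user name, IP address and bucket name in them is a placeholder.
"""
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Calls that mint credentials for another user: the caller owns that user's later activity.
LINK_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}


def _world_open(params):
    """True if an AuthorizeSecurityGroupIngress call opens a port to 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


# (eventSource, eventName) -> (stage label, predicate on requestParameters).
# Assumption: CloudTrail keeps the masterUserPassword key (value redacted) on a password reset.
STAGES = {
    ("iam.amazonaws.com", "CreateUser"): ("persistence", lambda p: True),
    ("iam.amazonaws.com", "CreateLoginProfile"): ("persistence", lambda p: True),
    ("iam.amazonaws.com", "CreateAccessKey"): ("persistence", lambda p: True),
    ("iam.amazonaws.com", "AttachUserPolicy"):
        ("privilege_escalation", lambda p: p.get("policyArn") == ADMIN_POLICY),
    ("rds.amazonaws.com", "ModifyDBInstance"): ("db_takeover", lambda p: "masterUserPassword" in p),
    ("rds.amazonaws.com", "CreateDBSnapshot"): ("collection", lambda p: True),
    ("rds.amazonaws.com", "StartExportTask"): ("exfiltration", lambda p: True),
    ("ec2.amazonaws.com", "CreateSnapshot"): ("collection", lambda p: True),
    ("ec2.amazonaws.com", "AttachVolume"): ("collection", lambda p: True),
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): ("collection", _world_open),
    ("ses.amazonaws.com", "SendEmail"): ("extortion", lambda p: True),
}


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def correlate(records):
    """Group matching events by root principal: {principal: {"stages", "source_ips"}}."""
    owner = {}  # user name -> principal that minted its credentials
    clusters = defaultdict(lambda: {"stages": set(), "source_ips": set()})
    for rec in sorted(records, key=lambda r: r.get("eventTime", "")):
        actor = owner.get(_principal(rec), _principal(rec))
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") in LINK_EVENTS and "userName" in params:
            owner[params["userName"]] = actor  # fold the new user into the creator's cluster
        stage = STAGES.get((rec.get("eventSource"), rec.get("eventName")))
        if stage is None or not stage[1](params):
            continue
        clusters[actor]["stages"].add(stage[0])
        clusters[actor]["source_ips"].add(rec.get("sourceIPAddress", ""))
    return clusters


def alerts(records):
    """Principals that gained AdministratorAccess and then touched data or mail."""
    later = {"db_takeover", "collection", "exfiltration", "extortion"}
    return {actor: {"stages": sorted(c["stages"]), "source_ips": sorted(c["source_ips"])}
            for actor, c in correlate(records).items()
            if "privilege_escalation" in c["stages"] and c["stages"] & later}


def _ev(t, source, name, user, ip, params):
    """Build a minimal constructed CloudTrail record (placeholder account 123456789012)."""
    return {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "requestParameters": params, "userIdentity": {"type": "IAMUser", "userName": user,
            "arn": f"arn:aws:iam::123456789012:user/{user}"}}


SG_OPEN = {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}
SAMPLE_RECORDS = [  # constructed, not real telemetry; IPs are from documentation ranges
    _ev("2025-10-01T09:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "sre-alice", "192.0.2.10", {}),
    _ev("2025-10-01T09:05:12Z", "iam.amazonaws.com", "CreateUser", "ci-deploy", "198.51.100.23", {"userName": "backup-svc"}),
    _ev("2025-10-01T09:05:40Z", "iam.amazonaws.com", "CreateLoginProfile", "ci-deploy", "198.51.100.23", {"userName": "backup-svc"}),
    _ev("2025-10-01T09:06:02Z", "iam.amazonaws.com", "CreateAccessKey", "ci-deploy", "198.51.100.23", {"userName": "backup-svc"}),
    _ev("2025-10-01T09:06:30Z", "iam.amazonaws.com", "AttachUserPolicy", "ci-deploy", "198.51.100.23", {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("2025-10-01T09:20:00Z", "iam.amazonaws.com", "AttachUserPolicy", "sre-alice", "192.0.2.10", {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2025-10-01T10:11:05Z", "rds.amazonaws.com", "ModifyDBInstance", "backup-svc", "203.0.113.7", {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****", "applyImmediately": True}),
    _ev("2025-10-01T10:30:44Z", "rds.amazonaws.com", "CreateDBSnapshot", "backup-svc", "203.0.113.7", {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-copy"}),
    _ev("2025-10-01T11:02:19Z", "rds.amazonaws.com", "StartExportTask", "backup-svc", "203.0.113.7", {"exportTaskIdentifier": "prod-db-export", "s3BucketName": "staging-bucket-example"}),
    _ev("2025-10-01T11:40:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "backup-svc", "203.0.113.7", SG_OPEN),
    _ev("2025-10-01T13:45:00Z", "ses.amazonaws.com", "SendEmail", "backup-svc", "203.0.113.7", {"destination": {"toAddresses": ["security@example.com"]}}),
]

if __name__ == "__main__":
    for actor, hit in alerts(SAMPLE_RECORDS).items():
        print(actor, hit["stages"], hit["source_ips"])
```

Run against a real trail, the interesting output is the source_ips list per cluster: the article notes that the group reused some addresses across incidents, so the same IPs showing up on two unrelated principals is itself a lead.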

Once data extraction is complete, Crimson Collective delivers extortion messages to victims. The notes are sent both through the AWS Simple Email Service from within the compromised account and to external email addresses. Researchers observed that the group used multiple IP addresses during its operations, and that some addresses were reused across different incidents, which may make the group easier for investigators to track.

AWS has responded by advising customers to adopt short-term, least-privileged credentials and enforce strict IAM policies. The company also directs users who suspect credential exposure to follow its published guidance for compromised credentials and to contact AWS support with any account security concerns. Earlier this year, Halcyon reported on a separate threat actor, “Codefinger,” which conducted ransomware attacks on AWS by encrypting S3 objects with attacker-supplied keys (server-side encryption with customer-provided keys, SSE-C), a different approach from Crimson Collective’s data theft and extortion model.

To defend against such intrusions and prevent damaging data leaks resulting from exposed AWS secrets, security teams are urged to scan their environments for unintended credential exposure. Open-source tools such as S3crets Scanner can assist in these detection efforts. While the exact size and makeup of Crimson Collective remain unclear, Rapid7 emphasizes that the group’s aggressive tactics and extortion campaigns represent a serious and ongoing threat to cloud security.

(Source: Bleeping Computer)
