Crimson Collective hackers target AWS cloud instances for data theft www.bleepingcomputer.com/news/secu…

The ‘Crimson Collective’ threat group has been targeting AWS (Amazon Web Services) cloud environments in recent weeks to steal data and extort companies. The hackers claimed responsibility for the recent Red Hat attack, saying that they exfiltrated 570 GB of data from thousands of private GitLab repositories, and pressured the software company to pay a ransom.

An analysis from researchers at Rapid7 provides more information about Crimson Collective’s activity, which involves compromising long-term AWS access keys and identity and access management (IAM) accounts for privilege escalation.

The attackers use the open-source tool TruffleHog to discover exposed AWS credentials. After gaining access, they create new IAM users and login profiles via API calls and generate new access keys. Next comes privilege escalation: they attach the ‘AdministratorAccess’ policy to the newly created users, granting Crimson Collective full control of the AWS account. The threat actors take advantage of this level of access to enumerate users, instances, buckets, locations, database clusters, and applications in order to plan the data collection and exfiltration phase.
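The IAM sequence described above (CreateUser, CreateLoginProfile, CreateAccessKey, then AttachUserPolicy with AdministratorAccess) is a chain that CloudTrail records in full, so it can be hunted for retrospectively. The following detection script is an added example written for this page; it is not code from Rapid7, BleepingComputer or the author. It assumes CloudTrail-style JSON events (the `eventName`, `eventTime`, `userIdentity` and `requestParameters` fields), and the sample events embedded in it are constructed, not real telemetry.

```python
"""Hunt CloudTrail events for the IAM persistence / privilege-escalation chain:
CreateUser -> CreateLoginProfile -> CreateAccessKey -> AttachUserPolicy(AdministratorAccess).

Added example for this article, not the researchers' own tooling. Field names
follow CloudTrail's JSON record layout; the SAMPLE_EVENTS below are constructed.
"""
import gzip
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Steps of the chain, in the order the article describes them.
CHAIN = ("CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy")

# Constructed sample events (account id, ARNs, IPs and user names are invented).
_ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"}
_ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}
SAMPLE_EVENTS = [
    # Suspicious: a long-term user key builds a new admin user in under three minutes.
    {"eventTime": "2025-10-01T10:00:00Z", "eventName": "CreateUser", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-01T10:00:40Z", "eventName": "CreateLoginProfile", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-01T10:01:05Z", "eventName": "CreateAccessKey", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-01T10:02:30Z", "eventName": "AttachUserPolicy", "userIdentity": _ACTOR,
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY_ARN}},
    # Benign: an administrator creates a user and attaches a read-only policy.
    {"eventTime": "2025-10-02T09:00:00Z", "eventName": "CreateUser", "userIdentity": _ADMIN,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "analyst"}},
    {"eventTime": "2025-10-02T09:05:00Z", "eventName": "AttachUserPolicy", "userIdentity": _ADMIN,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "analyst",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def load_cloudtrail_records(path):
    """Load the "Records" list from a CloudTrail log file (plain or gzipped JSON)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_escalation_chains(events, window=timedelta(minutes=30)):
    """Return one finding per (actor, target user) where the actor attached
    AdministratorAccess to a user it created within `window` before the attach.
    Intermediate steps (login profile, access key) are reported when present,
    so a short CreateUser -> AttachUserPolicy chain still surfaces."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e.get("eventName") in CHAIN:
            actor = e["userIdentity"]["arn"]
            target = e.get("requestParameters", {}).get("userName")
            by_key[(actor, target)].append(e)

    findings = []
    for (actor, target), evs in by_key.items():
        admin_attach = [e for e in evs if e["eventName"] == "AttachUserPolicy"
                        and e["requestParameters"].get("policyArn") == ADMIN_POLICY_ARN]
        if not admin_attach:
            continue
        t_end = _ts(admin_attach[-1])
        in_window = [e for e in evs if timedelta(0) <= t_end - _ts(e) <= window]
        steps = sorted({e["eventName"] for e in in_window}, key=CHAIN.index)
        if "CreateUser" in steps:  # the actor created the user it just made admin
            findings.append({
                "actor": actor,
                "target_user": target,
                "steps": steps,
                "source_ips": sorted({e["sourceIPAddress"] for e in in_window}),
                "completed_at": admin_attach[-1]["eventTime"],
            })
    return findings


if __name__ == "__main__":
    for f in find_escalation_chains(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run against real logs with `find_escalation_chains(load_cloudtrail_records("path/to/trail.json.gz"))`. The time window is the main tuning knob: the attacker's chain completes in minutes, while legitimate user provisioning usually spreads the same API calls over longer periods and attaches narrower policies, so a policy-ARN match plus a tight window keeps the alert specific.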

Edward Kiledjian @ekiledjian