- Crimson Collective hackers attack AWS using exposed credentials to escalate privileges and leak data
- Attackers use TruffleHog to find secrets, then create IAM users and access keys via API
- Red Hat breach yielded 570GB of sensitive files, including 800 infrastructure-rich consulting records
Crimson Collective, the threat actor behind the recent Red Hat breach, is now going after Amazon Web Services (AWS) cloud environments, seeking to establish persistence, steal data, and extort money from victims.
Security researchers at Rapid7 found that the attackers use TruffleHog, an open source security tool built to search for secrets, credentials, and API keys that may have been accidentally exposed in code repositories or other sources. After finding exposed AWS credentials, the attackers create new IAM users and login profiles via API calls, generate new access keys, and escalate privileges by attaching new policies.
Finally, they use their access to map their victims’ networks and plan data exfiltration and extortion.
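One way to catch the IAM chain just described on the defender's side, as an added example that is not from the report, Rapid7, or AWS: it groups CloudTrail-style IAM write events by the calling access key and flags any caller that completed several of those calls. The access key IDs and records are constructed sample data; the field names (eventSource, eventName, errorCode, userIdentity.accessKeyId, requestParameters.userName) are the ones CloudTrail actually uses.

```python
from collections import defaultdict

# IAM write calls that, issued in sequence by one caller, match the
# persistence and privilege-escalation chain described in the report.
CHAIN_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
                "AttachUserPolicy"}


def _ev(name, key, user, **extra):
    """Build a minimal CloudTrail-style IAM record (constructed sample data)."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"userName": user}, **extra}


# Constructed access key IDs and events for this example, not real log data.
LEAKED, ADMIN, RO = "AKIAEXAMPLELEAKED001", "AKIAEXAMPLEADMIN0001", "AKIAEXAMPLEREADONLY1"
SAMPLE_EVENTS = [
    _ev("CreateUser", LEAKED, "svc-backup"),
    _ev("CreateLoginProfile", LEAKED, "svc-backup"),
    _ev("CreateAccessKey", LEAKED, "svc-backup"),
    _ev("AttachUserPolicy", LEAKED, "svc-backup"),
    _ev("CreateAccessKey", ADMIN, "alice"),                  # routine key rotation
    _ev("CreateUser", RO, "tmp", errorCode="AccessDenied"),  # blocked attempt
]


def flag_iam_persistence(events, min_distinct=3):
    """Return, per calling access key, the chain calls it completed and the
    IAM users it touched, for callers with >= min_distinct distinct calls."""
    calls, users = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        # Count only successful calls; denied attempts carry an errorCode.
        if ev.get("eventName") not in CHAIN_EVENTS or ev.get("errorCode"):
            continue
        actor = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        calls[actor].add(ev["eventName"])
        target = ev.get("requestParameters", {}).get("userName")
        if target:
            users[actor].add(target)
    return {actor: {"calls": sorted(names), "users": sorted(users[actor])}
            for actor, names in calls.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for actor, hit in flag_iam_persistence(SAMPLE_EVENTS).items():
        print(f"{actor}: {hit['calls']} -> touched users {hit['users']}")
```

The users listed for a flagged key are the identities to disable first during response, since they are the attacker's persistence rather than the leaked key itself.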
AWS, speaking to BleepingComputer, said its users should use short-term, less-privileged credentials and implement restrictive IAM policies to combat the threat.
“In the event that a customer suspects that their credentials may have been exposed, they can begin by following the steps listed in this post,” AWS explained. “If customers have any questions about the security of their accounts, they are encouraged to contact AWS Support.”
Crimson Collective recently attracted attention when it broke into the private repositories of Red Hat’s GitLab environment and exfiltrated approximately 570 GB of files from 28,000 internal projects.
Among the files were 800 Customer Engagement Records (CERs): internal consulting documents that Red Hat created to support enterprise customers and that typically include detailed infrastructure information (network architecture, system configuration, etc.), authentication and access data (credentials, access tokens, and more), and operational information (recommendations, troubleshooting notes, and the like).
This makes them extremely valuable to attackers, since the details they contain can be reused directly in follow-on attacks.
Via BleepingComputer