Emergence of Crimson Collective: A New Cyberthreat on AWS
A nascent threat group, dubbed the Crimson Collective, has surfaced as a formidable concern in the realm of cybersecurity. This collective is actively targeting Amazon Web Services (AWS) cloud environments, deploying intricate data exfiltration and extortion strategies.
Recently, the group publicly claimed credit for breaching Red Hat, alleging the successful compromise and theft of private repositories housed within Red Hat’s GitLab framework.
This incident signifies a troubling escalation in cloud-centric cybercriminal activity, exposing the dynamic and evolving threats that organizations utilizing cloud infrastructures face.
Crimson Collective employs a methodical strategy to infiltrate AWS systems. Initially, they exploit leaked long-term access keys, then escalate their privileges by manipulating Identity and Access Management (IAM) users.
Their operations reflect a sophisticated understanding of AWS services and security configurations, allowing them to traverse complex cloud architectures while ensuring persistence within compromised environments.
The group has primarily focused on amassing and exfiltrating databases, project repositories, and other high-value organizational assets. This relentless pursuit places both corporate intellectual property and sensitive customer information in jeopardy.
In recent weeks, cybersecurity experts have observed a spike in activity attributed to this threat actor across numerous AWS environments, with confirmed incidents occurring throughout September.
Operating from a myriad of IP addresses, Crimson Collective showcases a coordinated multi-operator framework, maintaining a presence across various compromised accounts within the same target environment.
The extortion notes disseminated by the group employ plural pronouns, hinting at a collaborative effort among multiple individuals, although the specific composition and hierarchical structure of this collective remain obscured.
Analysts at Rapid7 identified the group's tooling and corresponding operational behaviors through extensive analysis of CloudTrail logs and behavioral indicators across the affected environments.
Their research unveiled that Crimson Collective relies primarily on the open-source tool TruffleHog to discover compromised AWS credentials embedded within code repositories and various storage locations.
Technical Exploitation Methods
The technical strategies employed by the group center around the utilization of TruffleHog, a legitimate security instrument engineered for the identification of exposed credentials in diverse storage environments.
When TruffleHog identifies valid AWS credentials, it validates them with a GetCallerIdentity API call. Across all compromised accounts, CloudTrail logs consistently show the TruffleHog user agent on this call as the first indicator of compromise, which gives security teams a prime opportunity for detection.
Once the credentials are verified, Crimson Collective establishes persistence by creating new users and elevating their privileges. This involves executing CreateUser API calls followed by CreateLoginProfile to enable password authentication, then generating additional access keys via CreateAccessKey calls.

The actors attempt this persistence step in every compromised account; accounts lacking sufficient privileges are either abandoned or probed with SimulatePrincipalPolicy calls to evaluate which permissions are available.
When successful in creating new user accounts, the threat actors promptly escalate their privileges by attaching the arn:aws:iam::aws:policy/AdministratorAccess policy through AttachUserPolicy API calls.
This AWS-managed policy bestows comprehensive access across all AWS services and resources, affording attackers unfettered control over the compromised environment for subsequent data exfiltration endeavors.
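The two detection opportunities described above (the TruffleHog user agent on GetCallerIdentity, and the CreateUser / CreateLoginProfile / CreateAccessKey / AttachUserPolicy chain ending in AdministratorAccess) can be checked directly against CloudTrail records. The following is an added example written for this page, not code from the article or from Rapid7. It assumes standard CloudTrail JSON fields (eventTime, eventName, userAgent, userIdentity, requestParameters, sourceIPAddress), matches the TruffleHog user agent by a case-insensitive substring (the exact string may differ), and runs over a constructed sample log; the account ID, IP addresses, user names and timestamps are all placeholders.

```python
"""Flag the CloudTrail patterns attributed to Crimson Collective (added example)."""
import json
from collections import defaultdict

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ESCALATION_EVENTS = ("CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy")

# Constructed sample CloudTrail records (one JSON object per line). These are not real logs:
# the account ID is an AWS documentation placeholder and the IPs are TEST-NET addresses.
# ci-deploy validates a leaked key with TruffleHog, creates backup-svc and makes it admin;
# alice creates a read-only user through normal operations and must not be flagged.
SAMPLE_LOG = """
{"eventTime": "2025-09-10T08:00:01Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23", "userAgent": "TruffleHog", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy", "userName": "ci-deploy"}, "requestParameters": null}
{"eventTime": "2025-09-10T08:00:05Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}, "requestParameters": null}
{"eventTime": "2025-09-10T08:02:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy", "userName": "ci-deploy"}, "requestParameters": {"userName": "backup-svc"}}
{"eventTime": "2025-09-10T08:02:14Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy", "userName": "ci-deploy"}, "requestParameters": {"userName": "backup-svc"}}
{"eventTime": "2025-09-10T08:02:19Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy", "userName": "ci-deploy"}, "requestParameters": {"userName": "backup-svc"}}
{"eventTime": "2025-09-10T08:02:25Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0 Python/3.11.6", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy", "userName": "ci-deploy"}, "requestParameters": {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime": "2025-09-10T09:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}, "requestParameters": {"userName": "reporting"}}
{"eventTime": "2025-09-10T09:15:30Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}, "requestParameters": {"userName": "reporting", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}
"""


def is_trufflehog_validation(event):
    """True for a GetCallerIdentity call whose user agent looks like TruffleHog.

    The substring match is an assumption; tune it to the user agent seen in your own logs.
    """
    return (event.get("eventName") == "GetCallerIdentity"
            and "trufflehog" in (event.get("userAgent") or "").lower())


def escalation_findings(events):
    """Group IAM events by the user being created/modified and report those that
    were created and then given AdministratorAccess in the analysed window.

    Returns {target_user: {"actor": creator_arn, "steps": [eventName, ...], "admin": True}}.
    """
    by_target = defaultdict(lambda: {"actor": None, "steps": [], "admin": False})
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        name = ev.get("eventName")
        if name not in ESCALATION_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("userName")
        if not target:
            continue
        rec = by_target[target]
        # The first principal to touch the target user is recorded as the actor.
        rec["actor"] = rec["actor"] or (ev.get("userIdentity") or {}).get("arn")
        rec["steps"].append(name)
        if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            rec["admin"] = True
    return {user: rec for user, rec in by_target.items()
            if "CreateUser" in rec["steps"] and rec["admin"]}


def analyze(log_lines):
    """Parse JSON-lines CloudTrail records and return both kinds of finding."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    validations = [((ev.get("userIdentity") or {}).get("arn"), ev.get("sourceIPAddress"))
                   for ev in events if is_trufflehog_validation(ev)]
    return {"trufflehog_validations": validations,
            "escalations": escalation_findings(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

In practice the same logic maps onto a CloudTrail Lake or Athena query; the key points are to alert on the TruffleHog user agent at the GetCallerIdentity stage, before any IAM changes occur, and to correlate CreateUser with a later AttachUserPolicy of AdministratorAccess on the same user name rather than alerting on either event alone.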
Source link: Cybersecuritynews.com.