- Crimson Collective hackers target AWS using exposed credentials to escalate privileges and exfiltrate data.
- Attackers use TruffleHog to find secrets, then create IAM users and access keys via API.
- Red Hat breach generated 570 GB of sensitive files, including 800 infrastructure-rich consulting records.
Crimson Collective, the threat actor behind the recent Red Hat breach, is now attacking Amazon Web Services (AWS) cloud environments, seeking to establish persistence, steal data, and extort money from victims.
Cybersecurity researchers at Rapid7 discovered that the attackers were using TruffleHog, an open-source security tool designed to search for secrets, credentials and API keys that might have been accidentally exposed in code repositories or other sources. After finding exposed AWS credentials, the attackers create new IAM users and login profiles via API calls, create new access keys for them, and elevate privileges by attaching new policies.
Finally, they use their access to map their victim’s network and plan data exfiltration and extortion.
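The sequence above (CreateUser, CreateLoginProfile, CreateAccessKey, then a policy attachment by one principal in a short burst) is what a defender can hunt for in CloudTrail. The following is an added example, not code from the article or from Rapid7; the account ID, principal names, timestamps and 15-minute window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(time, name, actor, target, **extra):
    """Build a minimal CloudTrail-shaped IAM record (constructed sample data)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
            "requestParameters": {"userName": target, **extra}}

# Hypothetical principal whose long-lived key was found in a repository.
LEAKED = "ci-deploy"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _rec("2025-10-10T09:00:05Z", "CreateUser", LEAKED, "backup-svc"),
    _rec("2025-10-10T09:00:09Z", "CreateLoginProfile", LEAKED, "backup-svc"),
    _rec("2025-10-10T09:00:12Z", "CreateAccessKey", LEAKED, "backup-svc"),
    _rec("2025-10-10T09:00:20Z", "AttachUserPolicy", LEAKED, "backup-svc",
         policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    # Benign onboarding: a lone CreateUser with no credential/policy burst behind it.
    _rec("2025-10-10T14:30:00Z", "CreateUser", "alice", "bob"),
]

PERSIST = {"CreateLoginProfile", "CreateAccessKey"}                 # new ways in
ESCALATE = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}  # more rights

def find_suspicious_principals(events, window_seconds=900):
    """Return {actor_arn: sorted event names} for every actor that, inside one
    window, created an IAM user, gave it credentials, and granted it a policy.
    Any single one of these calls is routine; the burst is the signal."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor[ev["userIdentity"]["arn"]].append((t, ev["eventName"]))
    hits = {}
    for actor, evs in by_actor.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # slide the window from each event
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if "CreateUser" in names and names & PERSIST and names & ESCALATE:
                hits[actor] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    for actor, names in find_suspicious_principals(SAMPLE_EVENTS).items():
        print(f"REVIEW {actor}: {', '.join(names)}")
```

Feed it the records from a CloudTrail export or an Athena query result and review every hit together with the creating key's age, since the story starts with a long-lived credential that should not have existed.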
Speaking to BleepingComputer, AWS said its users should use short-term and least-privileged credentials and implement restrictive IAM policies to combat the threat.
“If a customer suspects that their credentials may have been exposed, they can start by following the steps listed in this article,” AWS explained. “If customers have questions about the security of their accounts, they are advised to contact AWS Support.”
Crimson Collective recently turned heads when it broke into the private repositories of Red Hat’s GitLab environment and exfiltrated approximately 570 GB of different files from 28,000 internal projects.
Among the files were 800 Customer Engagement Records (CERs), internal consultation documents created by Red Hat to support enterprise customers, which typically include detailed infrastructure information (network architecture, system configuration, etc.), authentication and access data (credentials, access tokens, etc.), and operational information (recommendations, troubleshooting notes, etc.).
This makes them extremely valuable, as they can easily be exploited in subsequent attacks.
Via BleepingComputer