Crimson Collective Exploits AWS Services to Exfiltrate Sensitive Data

A newly identified cyber threat group, known as the Crimson Collective, has emerged as a significant concern for organizations utilizing Amazon Web Services (AWS). This group has been implicated in sophisticated data exfiltration and extortion campaigns, notably claiming responsibility for a recent attack on Red Hat. They assert that they successfully infiltrated Red Hat’s GitLab infrastructure, compromising and stealing private repositories. This incident underscores the escalating risks associated with cloud-based cyber threats and highlights the necessity for robust security measures within cloud environments.

Sophisticated Attack Methodology

The Crimson Collective employs a systematic approach to infiltrate AWS infrastructures. Their operations typically commence with the exploitation of leaked long-term access keys. Once initial access is secured, they escalate their privileges by manipulating AWS Identity and Access Management (IAM) accounts. This strategy demonstrates their advanced understanding of AWS services and security configurations, enabling them to navigate complex cloud architectures effectively and maintain persistent access within compromised environments.

Targeted Data Exfiltration

The group’s primary objective appears to be the collection and exfiltration of valuable organizational data. This includes databases, project repositories, and other critical information, posing significant risks to corporate intellectual property and customer data. The potential consequences of such breaches are extensive, affecting not only the targeted organizations but also their clients and partners.

Increased Activity and Operational Structure

Security researchers have observed a surge in activity from the Crimson Collective across multiple AWS environments, with documented incidents occurring throughout September. The group operates from various IP addresses and maintains a presence across several compromised accounts within the same target environment. This pattern suggests a coordinated, multi-operator structure. Their extortion communications often use plural pronouns, indicating collaboration among multiple individuals. However, the exact composition and organizational structure of the group remain unclear.

Technical Exploitation Methods

The Crimson Collective’s technical approach centers on leveraging TruffleHog, an open-source security tool designed to detect exposed credentials in code repositories and storage locations. Their exploitation process involves several key steps:

1. Credential Discovery and Validation: Utilizing TruffleHog, the group scans for valid AWS credentials. Upon finding potential credentials, they authenticate using the `GetCallerIdentity` API call to verify their validity. Analysis of AWS CloudTrail logs consistently reveals the TruffleHog user agent as the initial indicator of compromise across affected accounts, providing a clear detection point for security teams.

2. Establishing Persistence: After validating credentials, the attackers establish persistence by creating new IAM users and escalating their privileges. They execute `CreateUser` API calls followed by `CreateLoginProfile` to set up password authentication. Subsequently, they generate additional access keys using `CreateAccessKey` calls. This process is attempted across all compromised accounts. If an account lacks sufficient privileges, it is either abandoned or subjected to `SimulatePrincipalPolicy` calls to assess available permissions.

3. Privilege Escalation: When successful in creating new users, the attackers immediately escalate privileges by attaching the `arn:aws:iam::aws:policy/AdministratorAccess` policy through `AttachUserPolicy` API calls. This AWS-managed policy grants comprehensive access to all AWS services and resources, providing the attackers with unrestricted control over the compromised environment for subsequent data exfiltration operations.
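A defender-side correlation over constructed CloudTrail-like records, added here as an example (not code from the article or from any vendor), that flags the three-step sequence above per calling access key. The user-agent check assumes the TruffleHog agent string contains "trufflehog"; the access key ids, user names, agent versions and the `SimulatePrincipalPolicy` source ARN are constructed placeholders.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
PERSISTENCE_CALLS = {"CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy"}

def is_trufflehog_validation(event: dict) -> bool:
    # Earliest indicator the article names: GetCallerIdentity with the TruffleHog user agent
    return (event.get("eventName") == "GetCallerIdentity"
            and "trufflehog" in (event.get("userAgent") or "").lower())

def analyze_events(events: list) -> dict:
    # Correlate records per calling access key, processed in the order given
    per_key = defaultdict(lambda: {"trufflehog": False, "probed": False,
                                   "created": set(), "persistence": set(), "admin": set()})
    for ev in events:
        f = per_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")]
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        if is_trufflehog_validation(ev):
            f["trufflehog"] = True
        elif name == "SimulatePrincipalPolicy":
            f["probed"] = True                  # permission enumeration on a low-privilege key
        elif name == "CreateUser":
            f["created"].add(params.get("userName"))
        elif name in PERSISTENCE_CALLS and params.get("userName") in f["created"]:
            f["persistence"].add(name)          # follow-up on a user this same key just created
            if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
                f["admin"].add(params["userName"])
    return dict(per_key)

def full_chain_keys(events: list) -> list:
    # Keys showing the complete chain (validation, new user, persistence, AdministratorAccess);
    # any key with "trufflehog" set should be rotated even if the chain stopped short
    return sorted(k for k, f in analyze_events(events).items()
                  if f["trufflehog"] and f["persistence"] and f["admin"])

def _ev(name, agent, key, params=None):  # builds one constructed CloudTrail-like record
    return {"eventName": name, "userAgent": agent,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample records; key ids and user names are placeholders, not from the article
SAMPLE_EVENTS = [
    _ev("GetCallerIdentity", "TruffleHog", "AKIAEXAMPLE0001"),
    _ev("CreateUser", "aws-cli/2.15.0", "AKIAEXAMPLE0001", {"userName": "svc-backup"}),
    _ev("CreateLoginProfile", "aws-cli/2.15.0", "AKIAEXAMPLE0001", {"userName": "svc-backup"}),
    _ev("CreateAccessKey", "aws-cli/2.15.0", "AKIAEXAMPLE0001", {"userName": "svc-backup"}),
    _ev("AttachUserPolicy", "aws-cli/2.15.0", "AKIAEXAMPLE0001",
        {"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    _ev("CreateUser", "console.amazonaws.com", "AKIAEXAMPLE0002", {"userName": "alice"}),  # routine admin work
    _ev("GetCallerIdentity", "TruffleHog", "AKIAEXAMPLE0003"),  # weak key: probed, then abandoned
    _ev("SimulatePrincipalPolicy", "aws-cli/2.15.0", "AKIAEXAMPLE0003", {"policySourceArn": "arn:aws:iam::111122223333:user/dev"}),
]
```

Running `full_chain_keys(SAMPLE_EVENTS)` returns only the first key; the third key never created a user but still shows the TruffleHog validation and a `SimulatePrincipalPolicy` probe, which is exactly the "abandoned low-privilege account" case the article describes.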

Implications and Recommendations

The activities of the Crimson Collective highlight the evolving landscape of cloud-focused cyber threats. Organizations must recognize the increasing sophistication of attackers targeting cloud infrastructures and implement robust security measures to mitigate these risks. Recommendations include:

– Regular Credential Audits: Conduct frequent audits to identify and revoke any exposed or unnecessary access keys.

– Implement Least Privilege Access: Ensure that IAM policies adhere to the principle of least privilege, granting users only the permissions necessary for their roles.

– Monitor for Anomalous Activity: Utilize monitoring tools to detect unusual API calls or behaviors indicative of unauthorized access.

– Educate and Train Staff: Provide ongoing training to employees about the risks of credential exposure and best practices for maintaining security.

By adopting these measures, organizations can enhance their defenses against sophisticated threat actors like the Crimson Collective and protect their valuable data assets within cloud environments.