Tales from the cloud trenches: The Attacker doth persist too much, methinks
May 21, 2025, 7:34 p.m.
Description
A leaked AWS access key was used for malicious activity over a 150-minute period from five distinct IP addresses. The attackers combined common and novel tactics, including setting up 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-level services. Notable techniques included creating Lambda functions to dynamically create IAM users, using Telegram for operations, disabling trusted access for AWS services, and abusing AWS Identity Center for persistence. The attack spanned the initial access, discovery, persistence, credential access, and impact tactics, highlighting the need for stronger cloud security controls and detection strategies.
Tags
Date
- Created: May 13, 2025, 9:01 p.m.
- Published: May 13, 2025, 9:01 p.m.
- Modified: May 21, 2025, 7:34 p.m.
Indicators
- 1d7187a66f6e19b7d346c061d98c07292945e71c70ac08209621ecba80f73866
- 1c03eaf4445e255102e602dabed73f832779bd9b5df5e894185f77dadd230716
- 182.185.156.45
- 149.154.161.235
- 103.131.213.89