Tales from the cloud trenches: The Attacker doth persist too much, methinks

May 21, 2025, 7:34 p.m.

Description

A leaked AWS access key led to malicious activities over a 150-minute period, involving five distinct IP addresses. The attackers employed both common and innovative tactics, including creating 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-level services. Notable techniques involved creating Lambda functions for dynamic IAM user creation, using Telegram for operations, disabling trusted access for AWS services, and exploiting AWS Identity Center for persistence. The attack encompassed initial access, discovery, persistence, credential access, and impact tactics, highlighting the need for enhanced cloud security measures and detection strategies.

External References

https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much
https://otx.alienvault.com/pulse/6823b3308e073eafba14e06f
Tags
persistence
aws
telegram
2025-05-13
cloud-security
api-gateway
identity-center
iam
lambda

Date

  • Created: May 13, 2025, 9:01 p.m.
  • Published: May 13, 2025, 9:01 p.m.
  • Modified: May 21, 2025, 7:34 p.m.

Indicators

  • 1d7187a66f6e19b7d346c061d98c07292945e71c70ac08209621ecba80f73866
  • 1c03eaf4445e255102e602dabed73f832779bd9b5df5e894185f77dadd230716
  • 182.185.156.45
  • 149.154.161.235
  • 103.131.213.89
Download all indicators here!