A newly identified threat group called Crimson Collective has emerged as a significant security concern for organizations using Amazon Web Services (AWS), employing sophisticated techniques to steal sensitive data and extort victims.
The Crimson Collective demonstrates remarkable proficiency in exploiting AWS cloud environments through a methodical approach that begins with compromising long-term access keys.
Cybersecurity firm Rapid7 has documented increased activity from this group, which recently claimed responsibility for breaching Red Hat’s private GitLab repositories.
Security researchers have observed the group’s operations across multiple incidents in September, revealing a pattern of systematic privilege escalation and data theft.
The threat actors initiate their attacks using TruffleHog, a legitimate open-source security tool designed to detect leaked AWS credentials in code repositories.

While security teams typically use this tool defensively to identify forgotten access keys, Crimson Collective weaponizes it for malicious reconnaissance.
Once TruffleHog validates compromised credentials through the GetCallerIdentity API, the attackers know they have a viable entry point into the target environment.
Following initial access, the group establishes persistence by creating new user accounts through the CreateUser and CreateLoginProfile API calls.
This technique allows them to maintain access even if the original compromised credentials are discovered and revoked.
The attackers consistently attempt user creation across all compromised accounts, demonstrating the systematic nature of their operations.
Systematic Privilege Escalation
After establishing a foothold, Crimson Collective focuses on privilege escalation through the AttachUserPolicy API, specifically targeting the highly permissive AdministratorAccess policy.
This AWS-managed policy grants comprehensive access to all AWS services and resources, effectively giving attackers complete control over the victim’s cloud infrastructure.
The group’s discovery phase reveals extensive technical sophistication, involving comprehensive mapping of AWS infrastructure components.
They systematically enumerate EC2 instances, EBS volumes, RDS databases, VPCs, and IAM roles using dozens of API calls across multiple AWS services.
Particularly concerning is their reconnaissance of Amazon SES and SMS service quotas, which could enable large-scale phishing campaigns using the victim’s own infrastructure.
Security analysts have documented the group’s use of API calls spanning Identity and Access Management (ListRoles, GetUser), Elastic Compute Cloud (DescribeHosts, DescribeInstanceTypes), Elastic Block Store (DescribeSnapshots, DescribeVolumes), and Relational Database Service (DescribeDBInstances, DescribeDBClusters).
This comprehensive enumeration allows them to identify the most valuable targets for data exfiltration.
Multi-Vector Data Exfiltration Methodology
The data collection and exfiltration phase demonstrates Crimson Collective’s advanced understanding of AWS services.
They target RDS databases by modifying master user passwords through ModifyDBInstance API calls, granting administrative access to live database systems.
Subsequently, they create database snapshots using CreateDBSnapshot and export them to S3 buckets via StartExportTask, preparing sensitive data for theft.
The group also creates snapshots of existing EBS volumes containing potentially valuable information from virtual machines.
They then deploy their own EC2 instances with permissive security groups using RunInstances and CreateSecurityGroup API calls.
These newly created instances serve as staging environments where attackers attach the compromised EBS snapshots through AttachVolume calls, effectively gaining access to victim data through their controlled infrastructure.
For final exfiltration, Crimson Collective leverages GetObject API calls to download selected data from S3 buckets. This technique allows them to selectively steal the most valuable information while potentially avoiding the detection that bulk data transfers would trigger.
Following successful data theft, Crimson Collective delivers extortion demands through multiple channels, including the victim’s own AWS Simple Email Service infrastructure and external email accounts.
This dual-channel approach increases the likelihood of victim notification while demonstrating their control over compromised systems.
The threat group’s operational security suggests a well-organized criminal enterprise rather than individual actors.
They consistently use the same IP addresses across multiple compromises and refer to themselves collectively as “we” in extortion communications. However, the exact composition and geographic location of the group remain unclear to security researchers.
Their primary targets include databases, project repositories, and proprietary data that could significantly impact both corporate operations and customer privacy.
The successful breach of Red Hat’s GitLab repositories exemplifies the potential scope of damage these attacks can inflict on software development organizations.
Security Implications
Security experts emphasize that Crimson Collective’s success largely depends on inadequate credential management and overly permissive IAM configurations.
Organizations can significantly reduce their attack surface by eliminating long-term access keys in favor of temporary credentials through IAM roles.
Implementation of the principle of least privilege remains crucial for limiting the impact of credential compromises.
Additionally, organizations should deploy comprehensive monitoring and alerting systems to detect suspicious API activity, particularly unusual patterns of user creation, policy attachment, and data access.
Proactive security measures should include regular scanning for exposed credentials in code repositories, implementation of IP address restrictions for sensitive resources, and continuous monitoring of CloudTrail logs for indicators of compromise.
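As an added example (not from the article or from Rapid7's report), the following detector applies the monitoring advice above to constructed CloudTrail-style records, flagging the user-creation and AdministratorAccess attachment described under privilege escalation together with the RDS password reset, snapshot and export calls from the exfiltration section. The account id, IAM user names, bucket name and the "****" password redaction are placeholders, and the record shape is reduced to the fields the rules read.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Snapshot, export and staging calls from the exfiltration chain described above.
STAGING_CALLS = {"CreateDBSnapshot", "StartExportTask", "CreateSnapshot",
                 "RunInstances", "CreateSecurityGroup", "AttachVolume"}
CALLER = "arn:aws:iam::111111111111:user/ci-deploy"  # placeholder owner of the leaked key

def _ev(name, params=None):
    # Constructed CloudTrail-shaped record, reduced to the fields the rules read.
    return {"eventName": name, "userIdentity": {"arn": CALLER}, "requestParameters": params or {}}

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev("GetCallerIdentity"),                                  # key validation
    _ev("CreateUser", {"userName": "backup-svc"}),
    _ev("CreateLoginProfile", {"userName": "backup-svc"}),
    _ev("AttachUserPolicy", {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("DescribeInstances"),                                  # enumeration, no rule fires
    _ev("ModifyDBInstance", {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}),
    _ev("CreateDBSnapshot", {"dBInstanceIdentifier": "prod-db"}),
    _ev("StartExportTask", {"s3BucketName": "placeholder-bucket"}),
]

def detect(events):
    """Walk records in order; return (rule, caller_arn, detail) findings."""
    findings = []
    new_users = defaultdict(set)  # caller arn -> IAM users it created in this batch
    for ev in events:
        caller = ev.get("userIdentity", {}).get("arn", "unknown")
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        if name == "CreateUser":
            new_users[caller].add(params.get("userName"))
            findings.append(("PERSISTENCE", caller, f"CreateUser {params.get('userName')}"))
        elif name == "CreateLoginProfile" and params.get("userName") in new_users[caller]:
            findings.append(("PERSISTENCE", caller, f"console password set on new user {params['userName']}"))
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            findings.append(("PRIVESC", caller, f"AdministratorAccess attached to {params.get('userName')}"))
        elif name == "ModifyDBInstance" and "masterUserPassword" in params:
            findings.append(("DB_TAKEOVER", caller, f"master password reset on {params.get('dBInstanceIdentifier')}"))
        elif name in STAGING_CALLS:
            findings.append(("STAGING", caller, name))
    return findings

def callers_with_full_chain(findings):
    """Callers showing persistence, privilege escalation and staging together."""
    seen = defaultdict(set)
    for rule, caller, _ in findings:
        seen[caller].add(rule)
    return sorted(c for c, r in seen.items() if {"PERSISTENCE", "PRIVESC", "STAGING"} <= r)
```

Each rule on its own is noisy in a busy account; the chain check is the one worth paging on, and in production the same logic would run over CloudTrail delivered to S3 or CloudWatch Logs rather than an inline list.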
The emergence of Crimson Collective underscores the evolving threat landscape facing cloud-native organizations and the critical importance of robust cloud security practices.
The sophistication demonstrated by this threat group suggests that cloud-focused cybercriminal operations will continue evolving, requiring organizations to maintain vigilance and implement comprehensive security frameworks to protect their AWS environments from similar attacks.