A new threat group calling itself Crimson Collective has emerged as a significant cybersecurity concern, targeting Amazon Web Services (AWS) cloud environments with sophisticated data exfiltration and extortion campaigns.
The group has recently claimed responsibility for attacking Red Hat, asserting they successfully compromised and stole private repositories from Red Hat’s GitLab infrastructure.
This development represents a concerning escalation in cloud-focused cybercrime, highlighting the evolving landscape of threats facing organizations operating in cloud environments.
The Crimson Collective employs a methodical approach to breach AWS infrastructure, beginning with the exploitation of leaked long-term access keys before escalating privileges through IAM account manipulation.
Their operations demonstrate advanced knowledge of AWS services and security configurations, enabling them to navigate complex cloud architectures while maintaining persistence across compromised environments.
The group’s activities have been concentrated on collecting and exfiltrating databases, project repositories, and other valuable organizational data, placing both corporate intellectual property and customer information at significant risk.
Over recent weeks, security researchers have documented increased activity from this threat actor across multiple AWS environments, with cases recorded throughout September.
The group operates from multiple IP addresses and maintains presence across several compromised accounts within the same target environment, suggesting a coordinated multi-operator structure.
Their extortion notes reference themselves using plural pronouns, indicating multiple individuals collaborate in these operations, though the precise composition and structure of the group remains unclear.
Rapid7 analysts identified the group's activity and its operational patterns through comprehensive analysis of CloudTrail logs and behavioral indicators across affected environments.
Their research revealed that Crimson Collective consistently employs the open-source tool TruffleHog as their primary method for discovering compromised AWS credentials in code repositories and storage locations.
Technical Exploitation Methods
The group’s technical methodology centers on leveraging TruffleHog, a legitimate security tool designed to identify exposed credentials in various storage locations.
When TruffleHog discovers valid AWS credentials, it authenticates using the GetCallerIdentity API call to verify credential validity.
Analysis of CloudTrail logs consistently shows the TruffleHog user agent as the initial indicator across all compromised accounts, providing security teams with a clear detection opportunity.
Following successful credential validation, Crimson Collective establishes persistence through systematic user creation and privilege escalation.
They execute CreateUser API calls followed by CreateLoginProfile to establish password authentication, then generate additional access keys using CreateAccessKey calls.
The group attempts these persistence mechanisms across every compromised account, though accounts lacking sufficient privileges are either abandoned or subjected to SimulatePrincipalPolicy calls to assess available permissions.
When successful in creating new users, the threat actors immediately escalate privileges by attaching the arn:aws:iam::aws:policy/AdministratorAccess policy through AttachUserPolicy API calls.
This AWS-managed policy grants comprehensive access to all AWS services and resources, providing attackers with unrestricted control over the compromised environment for subsequent data exfiltration operations.
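As an added illustration (not code from the article or from Rapid7), here is a defender-side correlation over constructed CloudTrail records that flags the two signals described above, keyed per calling principal: the TruffleHog user agent on GetCallerIdentity, and the CreateUser/CreateLoginProfile/CreateAccessKey chain ending in an AdministratorAccess attach. The account id, ARNs, IP addresses and user-agent strings are placeholders, not indicators from the page.

```python
from collections import defaultdict
# AWS-managed policy named in the article; the chain it describes ends with this attach.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
PERSISTENCE_CALLS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}

def _ev(name, arn, user_agent, ip, **params):
    """Build a trimmed CloudTrail record holding only the fields the detection reads."""
    return {"eventName": name, "userIdentity": {"arn": arn}, "userAgent": user_agent,
            "sourceIPAddress": ip, "requestParameters": params}

# Constructed sample records: account id, ARNs, IPs and user agents are placeholders.
LEAKED = "arn:aws:iam::111122223333:user/ci-deploy"
SSO = "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin/alice"
SAMPLE_EVENTS = [
    _ev("GetCallerIdentity", LEAKED, "TruffleHog", "198.51.100.7"),
    _ev("CreateUser", LEAKED, "aws-cli/2.15.0", "198.51.100.7", userName="backup-svc"),
    _ev("CreateLoginProfile", LEAKED, "aws-cli/2.15.0", "198.51.100.7", userName="backup-svc"),
    _ev("CreateAccessKey", LEAKED, "aws-cli/2.15.0", "203.0.113.9", userName="backup-svc"),
    _ev("AttachUserPolicy", LEAKED, "aws-cli/2.15.0", "203.0.113.9",
        userName="backup-svc", policyArn=ADMIN_POLICY),
    # Routine onboarding by an SSO admin: no TruffleHog check, no admin attach -> no finding.
    _ev("CreateUser", SSO, "console.amazonaws.com", "192.0.2.44", userName="newhire"),
]

def detect_crimson_collective(events):
    """Correlate, per calling principal, the TruffleHog GetCallerIdentity validation and
    the CreateUser/CreateLoginProfile/CreateAccessKey -> AdministratorAccess chain."""
    state = defaultdict(lambda: {"trufflehog": False, "persistence": set(),
                                 "admin_targets": set(), "ips": set()})
    for ev in events:
        rec = state[ev.get("userIdentity", {}).get("arn", "unknown")]
        rec["ips"].add(ev.get("sourceIPAddress", "?"))
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        if name == "GetCallerIdentity" and "trufflehog" in ev.get("userAgent", "").lower():
            rec["trufflehog"] = True          # credential validated with the scanner's UA
        elif name in PERSISTENCE_CALLS:
            rec["persistence"].add(name)      # new user / password / key being set up
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            rec["admin_targets"].add(params.get("userName"))
    findings = {}
    for arn, rec in state.items():
        chain = bool(rec["persistence"] and rec["admin_targets"])
        if rec["trufflehog"] or chain:        # either signal alone merits an alert
            findings[arn] = {"severity": "high" if rec["trufflehog"] and chain else "medium",
                             "trufflehog_validation": rec["trufflehog"],
                             "persistence_calls": sorted(rec["persistence"]),
                             "admin_attached_to": sorted(rec["admin_targets"]),
                             "source_ips": sorted(rec["ips"])}
    return findings
```

In a real pipeline the records would come from CloudTrail JSON (the same field names are used here), and the per-principal grouping is what separates the leaked-key activity from the SSO admin's routine user creation.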