From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach

From CI/CD to Cloud Data: How Shai Hulud Persistence Leads to Redshift Breach
Shai Hulud is a supply chain worm attributed to TeamPCP that targets npm and PyPI packages to steal CI/CD credentials and pivot into cloud environments such as AWS. FortiCNAPP linked compromised Jenkins runner activity to AWS abuse, where attackers escalated privileges, accessed Amazon Redshift and Aurora resources, staged S3 exfiltration, and prepared SES-based outbound email operations. #ShaiHulud #TeamPCP #Jenkins #AmazonRedshift #AWS #FortiCNAPP

Keypoints

  • Shai Hulud is a supply chain worm tied to TeamPCP that injects malicious npm and PyPI packages during installs or CI jobs.
  • The worm steals build and cloud secrets such as package tokens, GitHub tokens, AWS credentials, Kubernetes secrets, and SSH keys.
  • FortiCNAPP identified AWS estates affected by suspicious Jenkins runner activity and matched it to Shai Hulud’s credential-harvesting pattern.
  • Attackers used stolen Jenkins instance credentials from external IPs, then escalated to administrator access through a new IAM user named cloudops-monitor.
  • The intrusion included reconnaissance, security-group manipulation, Aurora and Redshift targeting, Secrets Manager enumeration, and Redshift Data API queries consistent with data theft.
  • Exfiltration tradecraft included S3 policies named exfil-s3-write and exfil-s3-full, plus STS sessions named exfil, exfil10, and exfil12.
  • FortiCNAPP’s “Potentially Compromised Keys” alert correlated host and cloud evidence, helping analysts reconstruct the attack timeline and scope.

MITRE Techniques

  • [T1195.002 ] Supply Chain Compromise – The malicious packages were introduced through poisoned dependencies and executed during installs or CI jobs (‘malicious package versions execute during installations or CI jobs’).
  • [T1078.004 ] Valid Accounts: Cloud Accounts – The Jenkins instance role was reused from outside AWS to authenticate into cloud services (‘the Jenkins instance role used from external IPs’).
  • [T1098 ] Account Manipulation – The attacker created a new IAM user, attached admin privileges, and issued access keys (‘Created IAM user cloudops-monitor and attached AWS managed AdministratorAccess’).
  • [T1580 ] Cloud Infrastructure Discovery – The actor enumerated cloud resources such as S3, VPC, RDS, and Redshift (‘S3, VPC, RDS, Redshift, Secrets enumeration’).
  • [T1526 ] Cloud Service Discovery / IAM Discovery – The attacker explored IAM and related cloud services to map the environment (‘S3, VPC, RDS, Redshift, Secrets enumeration’).
  • [T1578 ] Modify Cloud Compute Infrastructure – Security groups and EC2 staging infrastructure were modified to maintain access and enable pivoting (‘Security groups, EC2, cluster SG attachment’).
  • [T1552.005 ] Unsecured Credentials: Cloud Instance Metadata API – The compromised runner queried IMDS to retrieve instance role credentials (‘curl …169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/’).
  • [T1555 ] Credentials from Password Stores – Secrets Manager was queried to obtain warehouse credentials and other sensitive secrets (‘Secrets Manager; GetClusterCredentials’).
  • [T1530 ] Data from Cloud Storage – The actor used Redshift Data API activity to collect data from the warehouse (‘Redshift Data API ExecuteStatement (high volume)’).
  • [T1537 ] Transfer Data to Cloud Account – S3 policy staging and AssumeRole sessions were used to move or prepare data transfer (‘S3 policy staging; AssumeRole sessions named exfil’).
  • [T1496 ] Resource Hijacking – SES identity verification and quota staging suggest abuse of cloud resources for secondary purposes (‘SES identity verification staging’).

Indicators of Compromise

  • [IP address ] External operator infrastructure and initial role abuse – 185[.]204[.]1[.]225, 89[.]22[.]231[.]63
  • [IAM user ] Attacker-created cloud identity used for escalation – cloudops-monitor
  • [STS session names ] Privileged and follow-on sessions used for command execution – exfil, exfil10
  • [IAM inline policy names ] Attacker policy names used for S3 access and exfiltration staging – exfil-s3-write, exfil-s3-full
  • [User-agent strings ] Toolchain fingerprints associated with the external operators – aws-cli/2.31.35 … md/distrib#ubuntu.26, aws-cli/2.34.29 … md/distrib#fedora.42
  • [URLs / IMDS paths ] Instance metadata requests from the compromised Jenkins runner – hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/, hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/jenkins


Read more: https://feeds.fortinet.com/~/958459373/0/fortinet/blog/threat-research~From-CICD-to-Cloud-Data-How-Shai-Hulud-Persistence-Leads-to-Redshift-Breach