This article details three separate cloud environment intrusions targeting Microsoft Azure and Amazon Web Services (AWS) customers, involving stolen credentials, unauthorized access, data exfiltration, and ransomware deployment. It emphasizes the importance of anomaly detection, autonomous response, and continuous monitoring to mitigate such threats effectively. #MicrosoftAzure #AmazonWebServices #Darktrace #Rclone #AkiraRansomware
Keypoints
- In early 2024, an attacker compromised a customerās Azure environment by stealing access tokens from a third-party consultant, creating rogue VMs, and modifying security rules to establish persistence.
- Darktraceās AI-driven detection and autonomous investigations flagged unusual SaaS resource creation and user activity, enabling early identification of the Azure compromise.
- In 2025, two separate AWS compromises involved credential abuse, internal reconnaissance, data exfiltration using the Rclone tool, lateral movement via RDP, and ultimately ransomware detonation in one case.
- Darktraceās Autonomous Response successfully blocked SSH-based data exfiltration and internal scanning activities in one AWS incident but was not configured to block activity during the ransomware incident, allowing escalation.
- Threat actors leveraged cloud resources for lateral movement, data staging, and persistent access by exploiting misconfigurations such as open ports and vulnerable instances (e.g., SonicWall SMA 500v EC2).
- Indicators of compromise included rare external IP addresses associated with known malicious infrastructure used for command-and-control and data exfiltration.
- The incidents illustrate the critical need for continuous visibility, behavioral analytics, and machine-speed intervention in hybrid cloud environments to prevent large-scale damage.
MITRE Techniques
- [T1578] Modify Cloud Compute Infrastructure ā The attacker created rogue cloud instances and modified security rules in Azure to maintain access (āā¦creating or modifying an Azure disk associated with a virtual machineā¦ā).
- [T1098] Account Manipulation ā Registration of new multi-factor authentication details was used by the attacker to sustain persistence in Azure (āā¦registered new multi-factor authentication (MFA) informationā).
- [T1133] External Remote Services ā Compromised credentials were leveraged to access multiple AWS instances via VPN and other remote services (āā¦use of two likely compromised credentials to connect to the customerās Virtual Private Networkā).
- [T1552] Unsecured Credentials ā Attackers exploited stolen access tokens and credentials to gain unauthorized access (āā¦stealing access tokens belonging to a third-party external consultantā).
- [T1083] File and Directory Discovery ā Internal reconnaissance and data discovery in AWS using scanning tools and file access (āā¦performing internal reconnaissance activities and staged the Rclone toolā¦ā).
- [T1021] Remote Services ā Use of Remote Desktop Protocol (RDP) and SMB to move laterally within AWS environments (āā¦unusual internal RDP connections to a likely AWS printer instanceā).
- [T1041] Exfiltration Over C2 Channel ā Data exfiltration observed via SSH connections to external VPS endpoints (āā¦SSH connections with the Rclone SSH clientā¦to a RockHoster Virtual Private Serverā).
- [T1071] Application Layer Protocol ā Command-and-control communications through rare external IPs over various ports (āā¦outbound SSH communication to known threat infrastructureā¦ā).
- [T1486] Data Encrypted for Impact ā Ransomware was detonated in one AWS environment after exfiltration activity (āā¦they detonated ransomware within the compromised VPC networksā).
Indicators of Compromise
- [IP Address] Possible exfiltration and command-and-control servers ā 193.242.184[.]178 (RockHoster VPS used for exfiltration), 23.150.248[.]189 (GTHost VPS receiving large data uploads), and 67.217.57[.]252 (Host Department VPS linked to Akira ransomware activity).
- [IP Address] Potential C2 infrastructure ā 45.32.205[.]52, 45.32.90[.]176, 207.246.74[.]166 (rare Vultr VPS endpoints initiating inbound traffic to AWS EC2 instances).