Sysdig TRT observed a rapid offensive cloud operation in which an attacker obtained credentials from public S3 buckets, injected code into an AWS Lambda function (EC2-init) to create admin access keys, moved laterally across 19 AWS principals, abused Amazon Bedrock models, and provisioned GPU instances for model training or resale. The operation contained multiple indicators of LLM assistance (LLM-generated code with Serbian comments, hallucinated AWS account IDs and a non-existent GitHub repo), and the report outlines detection opportunities and mitigation recommendations.
Keypoints
- The attacker gained initial access by extracting valid IAM credentials stored in public S3 buckets that contained RAG data for AI models.
- Privilege escalation was achieved via Lambda code injection (EC2-init), where the modified function listed IAM users and created new access keys for an admin user named “frick”.
- The actor performed broad reconnaissance across many AWS services (Secrets Manager, SSM, S3, Lambda, EC2, ECS, Organizations, RDS, CloudWatch, KMS, Bedrock, OpenSearch Serverless, SageMaker).
- Lateral movement and role chaining occurred across 19 unique AWS principals (six roles assumed across 14 sessions and five IAM users compromised), complicating detection and persistence.
- The attacker invoked multiple Bedrock models (Claude Sonnet/Opus/3.5, DeepSeek R1, Llama 4 Scout, Amazon Nova Premier, Titan Image, Cohere Embed) and checked whether model invocation logging was enabled in order to avoid detection (logging was disabled).
- Resource abuse included provisioning a p4d.24xlarge GPU instance, creating wide-open security rules, uploading scripts and Terraform modules to S3 (terraform-bedrock-deploy.tf), and exposing a publicly accessible JupyterLab backdoor.
- Multiple operational indicators point to LLM assistance (rapid script generation, Serbian comments in code, hallucinated account IDs and non-existent GitHub references), prompting specific mitigation advice such as least privilege, monitoring, and Bedrock logging.
MITRE Techniques
- [T1078] Valid Accounts – Initial access using credentials discovered in public S3 buckets (‘The threat actor extracted credentials for IAM user compromised_user from public S3 buckets.’)
- [T1087] Account Discovery – Enumeration of IAM users, access keys, policies and groups via IAM API calls (‘Listing all IAM users along with their access keys, attached managed policies, and groups.’)
- [T1136] Create Account – Creation of a new administrative user to maintain persistence (‘the threat actor created a new user, backdoor-admin, and attached the AdministratorAccess policy to it.’)
- [T1548] Abuse Elevation Control Mechanism – Privilege escalation by modifying a Lambda function that had an administrative execution role to create new admin access keys (‘They replaced the code of an existing Lambda function named EC2-init … Creating access keys for the admin user frick.’)
- [T1059] Command and Scripting Interpreter – Use and deployment of attacker-generated scripts and Terraform modules (lambda code, user-data scripts for GPU instances) to automate actions and deploy backdoors (‘One file of interest was a Terraform module named terraform-bedrock-deploy.tf’ and the GPU setup script user-data.)
- [T1537] Exfiltration to Cloud Storage – Storing collected instance details and credentials in S3 for later retrieval (‘s3.put_object(Bucket='anthropic-staging', Key=f'gpu-instances/{instance_id}.json', Body=…)’)
- [T1210] Exploitation of Remote Services (Assume Role / Lateral Movement) – Lateral movement and cross-account role assumption across many principals and account IDs, including role chaining and session naming to obfuscate intent (‘The threat actor assumed six different IAM roles across 14 different sessions … resulting in a total of 19 unique AWS principals involved in the attack.’)
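Three of the behaviours listed above can be matched in CloudTrail: a CreateAccessKey call made by the execution-role session of a Lambda function whose code was just replaced, AdministratorAccess attached to a user, and a probe of the Bedrock invocation logging configuration. The following is an added example, not code from the Sysdig report. The records are constructed, and the account ID, role name lambda-exec-role, user alice, 15-minute window and the assumption that a Lambda role session is named after its function are illustrative.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed correlation window, tune per environment
ACCT = "111122223333"           # placeholder account ID, not from the report

def ev(t, name, who, **params):
    """Build a minimal constructed CloudTrail record (only the fields used below)."""
    kind = "AssumedRole" if ":assumed-role/" in who else "IAMUser"
    return {"eventTime": f"2025-01-01T{t}Z", "eventName": name,
            "userIdentity": {"type": kind, "arn": who}, "requestParameters": params}

# Constructed sample trail; the role name lambda-exec-role and user alice are hypothetical.
SAMPLE = [
    ev("10:00:00", "UpdateFunctionCode20150331v2", f"arn:aws:iam::{ACCT}:user/compromised_user",
       functionName="EC2-init"),
    ev("10:02:00", "CreateAccessKey", f"arn:aws:sts::{ACCT}:assumed-role/lambda-exec-role/EC2-init",
       userName="frick"),
    ev("10:03:00", "CreateAccessKey", f"arn:aws:iam::{ACCT}:user/alice", userName="alice"),
    ev("10:05:00", "AttachUserPolicy", f"arn:aws:iam::{ACCT}:user/frick",
       userName="backdoor-admin", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    ev("10:06:00", "GetModelInvocationLoggingConfiguration", f"arn:aws:iam::{ACCT}:user/frick"),
]

def ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return (rule, caller_arn, target) tuples for the behaviours the page describes."""
    findings, code_changed = [], {}  # function name -> time of its last code update
    for e in sorted(events, key=ts):
        name, p, ident = e["eventName"], e.get("requestParameters") or {}, e["userIdentity"]
        arn = ident.get("arn", "")
        if name.startswith("UpdateFunctionCode"):
            code_changed[p.get("functionName", "").rsplit(":", 1)[-1]] = ts(e)
        elif name == "CreateAccessKey" and ident.get("type") == "AssumedRole":
            # Assumption: a Lambda execution-role session is named after its function.
            changed = code_changed.get(arn.rsplit("/", 1)[-1])
            if changed and ts(e) - changed <= WINDOW:
                findings.append(("lambda-key-mint", arn, p.get("userName")))
        elif name == "AttachUserPolicy" and p.get("policyArn", "").endswith("/AdministratorAccess"):
            findings.append(("admin-policy-attach", arn, p.get("userName")))
        elif name == "GetModelInvocationLoggingConfiguration":
            findings.append(("bedrock-logging-probe", arn, None))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The self-service key creation by alice is deliberately not flagged; only a key minted by a function's own role session shortly after that function's code changed is.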
Indicators of Compromise
- [IP Addresses] source infrastructure used for attack and IP rotator activity – 104.155.129.177, 34.173.176.171, and other addresses (and 16 more IPs listed in CloudTrail).
- [IAM Users] compromised or created users – frick (admin keys created), backdoor-admin (new user with AdministratorAccess), and compromised_user (initial credential theft).
- [Lambda Functions / Files] modified or referenced function names and deployment artifacts – EC2-init (modified Lambda), terraform-bedrock-deploy.tf, lambda_function.zip (module referenced but code not uploaded).
- [S3 Buckets / Keys] storage and staging for attacker scripts and exfiltrated data – anthropic-staging (bucket used to store gpu-instances/{instance_id}.json), public RAG-related buckets containing leaked credentials.
- [EC2 Instances / Keys] compute resources and SSH keys used for GPU provisioning – p4d.24xlarge instance (stevan-gpu-monster / stevan-gpu-key), and key pair stevan-gpu-key (and reference to claude-training-key.pem in scripts).
Read more: https://www.sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes