Crimson Collective is actively targeting AWS cloud environments to exfiltrate data and extort organizations, and has notably attacked Red Hat and GitLab repositories. Their tactics involve compromising IAM accounts, escalating privileges, and abusing native AWS services for data theft and extortion, which underlines the need for stricter cloud security controls. #CrimsonCollective #AWS #RedHat #GitLab #IAM
Key points
- Crimson Collective has been targeting AWS cloud environments for data theft and extortion.
- They use TruffleHog to discover exposed AWS credentials and escalate privileges via IAM account manipulation.
- The attackers exfiltrate data by accessing and modifying RDS databases and EBS volumes and by creating snapshots of them for export.
- The attack extends to sending extortion notes through AWS SES to the victims and to their external contacts.
- Experts recommend minimal privilege policies, credential rotation, and environment scans to prevent breaches.
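The environment scans the experts recommend can be backed by a detection pass over CloudTrail that looks for the tactic chain the brief describes: identity creation or permission widening in IAM, snapshot creation in RDS/EBS, snapshots being shared out of the account, and mail sent through SES by a principal that is not a known mailer. The following is an added example, not code from the original write-up or from any vendor. It assumes the records arrive as CloudTrail JSON (the event names used are real IAM, RDS, EC2 and SES API names, but the sample records, account IDs, and the `TRUSTED_ACCOUNTS` and `MAIL_PRINCIPALS` allowlists are constructed placeholders), and it assumes SES send calls are present in the record stream being analysed.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List, Set

# Assumed defender-side allowlists (hypothetical values for this example).
TRUSTED_ACCOUNTS: Set[str] = {"111111111111"}                       # the victim's own account(s)
MAIL_PRINCIPALS: Set[str] = {"arn:aws:iam::111111111111:role/app-mailer"}  # principals allowed to send mail

# API names that create a new identity or widen its permissions (real IAM API names).
IAM_ESCALATION = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                  "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "AttachRolePolicy"}
# API names that produce an exportable copy of a data store (real RDS/EC2 API names).
SNAPSHOT_CREATE = {"CreateSnapshot", "CopySnapshot", "CreateDBSnapshot", "CopyDBSnapshot"}

# Constructed sample CloudTrail records with placeholder account IDs; not real log data.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventName": "CreateDBSnapshot", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-copy"}},
    {"eventName": "ModifyDBSnapshotAttribute", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-copy", "attributeName": "restore",
                           "valuesToAdd": ["222222222222"]}},
    {"eventName": "ModifySnapshotAttribute", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventName": "SendEmail", "eventSource": "ses.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"destination": {"toAddresses": ["ciso@example.com"]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",   # benign noise
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-mailer"},
     "requestParameters": {}},
]


def _grantees(record: Dict[str, Any]) -> Set[str]:
    """Account IDs (or the 'all' group) granted restore/volume rights by a snapshot-attribute change."""
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    out: Set[str] = set()
    if name == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
        out.update(str(v) for v in params.get("valuesToAdd") or [])
    elif name == "ModifySnapshotAttribute":
        add = (params.get("createVolumePermission") or {}).get("add") or {}
        for item in add.get("items") or []:
            out.add(str(item.get("userId") or item.get("group")))
    return out


def _finding(severity: str, rec: Dict[str, Any], actor: str, detail: str) -> Dict[str, str]:
    return {"severity": severity, "event": rec.get("eventName", ""),
            "source": rec.get("eventSource", ""), "actor": actor, "detail": detail}


def triage(records: Iterable[Dict[str, Any]],
           trusted_accounts: Set[str] = TRUSTED_ACCOUNTS,
           mail_principals: Set[str] = MAIL_PRINCIPALS) -> List[Dict[str, str]]:
    """Flag records matching the IAM -> snapshot -> share -> SES chain; benign events yield nothing."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        name = rec.get("eventName", "")
        actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        external = {g for g in _grantees(rec) if g not in trusted_accounts}
        if name in IAM_ESCALATION:
            # Attaching the managed AdministratorAccess policy is the strongest escalation signal.
            sev = "high" if "AdministratorAccess" in json.dumps(params) else "medium"
            findings.append(_finding(sev, rec, actor, "identity created or permissions widened"))
        elif external:
            findings.append(_finding("high", rec, actor, f"snapshot shared with {sorted(external)}"))
        elif name in SNAPSHOT_CREATE:
            findings.append(_finding("low", rec, actor, "snapshot created; watch for sharing or export"))
        elif rec.get("eventSource") == "ses.amazonaws.com" and name.startswith("Send") \
                and actor not in mail_principals:
            findings.append(_finding("high", rec, actor, "mail sent by a principal outside the mailer allowlist"))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, e.g. for a dashboard tile or an alert threshold."""
    return dict(Counter(f["severity"] for f in findings))


def load_jsonl(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited CloudTrail records, the shape most log pipelines export."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f['severity']:6}] {f['event']:26} {f['actor']}  {f['detail']}")
    print(summarize(triage(SAMPLE_RECORDS)))
```

The rules are deliberately stateless so they can run over a stream; the value comes from correlating them afterwards, since one low-severity snapshot creation followed minutes later by a share to an account outside `TRUSTED_ACCOUNTS` from the same actor is the pattern the brief describes. Feed real records through `load_jsonl` and adjust the two allowlists to the account's own IDs and mailer principals.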