Threat actors identifying as the “Crimson Collective” have been targeting Amazon Web Services cloud environments in recent weeks to steal data and extort companies. The group claimed responsibility for a recent breach at Red Hat in which it said it had exfiltrated about 570 GB from thousands of private GitLab repositories and pressured the vendor for a ransom, and later partnered with Scattered Lapsus$ Hunters to increase extortion pressure after that disclosure.
An analysis by researchers at Rapid7 found the attackers focusing on long-lived AWS access keys and identity and access management (IAM) users as their route to privilege escalation. Rapid7 said the group used the open-source secret scanner TruffleHog to discover exposed AWS credentials, then used those credentials to create new IAM users and console login profiles (passwords) via API calls, generate access keys for them, and attach the AWS-managed “AdministratorAccess” policy to gain full control of the compromised AWS accounts.
With elevated privileges, the attackers enumerated users, instances, buckets, locations, database clusters and applications to plan data collection and exfiltration, Rapid7 reported. The researchers observed the attackers resetting RDS master user passwords to gain database access, creating RDS snapshots and exporting them to S3 via API calls, snapshotting EBS volumes, and launching new EC2 instances with permissive security groups to which those EBS volumes were attached in order to move the data out.
Rapid7 also said that after exfiltration the group sent extortion notes both from within the compromised environments, using AWS Simple Email Service (SES), and from external email accounts. The actors operated from multiple IP addresses and sometimes reused them across incidents, which the researchers said could help defenders track the group.
AWS said that customers should “use short-term, least-privileged credentials and implement restrictive IAM policies.” The company advised customers who suspect their credentials have been exposed to follow the credential-exposure response steps in its post and to contact AWS Support with account security questions.
To mitigate similar attacks, organizations should scan their own environments and code repositories for unknown credential exposure with the same open-source tools attackers use, such as TruffleHog, and other secret scanners. Rapid7 cautioned that the size and composition of Crimson Collective remain unknown but said the group’s activity and extortion tactics warrant attention.
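AWS's advice is actionable only if you can see which long-lived credentials exist. The script below, added here as an example and not code from AWS, Rapid7 or the article, audits an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) for the conditions this intrusion exploited: active access keys older than a rotation window, active keys that have never been used, console users without MFA, and users created in the last few days. The embedded report, account ID, user names, reference time and thresholds are constructed; the column names and the `N/A` / `not_supported` placeholder values match the real report format.

```python
"""Audit an IAM credential report for long-lived and unused access keys, console
users without MFA, and recently created users. Added example; the report text,
user names, reference time and thresholds are constructed assumptions."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report with a subset of the real columns, in the real order.
REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2025-09-20T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-02-01T09:05:00+00:00,2025-10-01T10:02:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
ops-admin,arn:aws:iam::111122223333:user/ops-admin,2024-05-12T09:00:00+00:00,true,2025-10-03T07:10:00+00:00,2025-06-01T09:00:00+00:00,N/A,false,true,2025-09-15T09:00:00+00:00,2025-09-30T16:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
backup-svc,arn:aws:iam::111122223333:user/backup-svc,2025-10-01T10:02:11+00:00,true,N/A,2025-10-01T10:02:40+00:00,N/A,false,true,2025-10-01T10:03:05+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
svc-reports,arn:aws:iam::111122223333:user/svc-reports,2024-11-20T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-01-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Constructed reference time; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 10, 6, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; these placeholders mean 'no value'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=NOW, max_key_age_days=90,
                            unused_key_days=30, new_user_days=7):
    """Return (user, rule) pairs for every condition that violates the thresholds."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Console password without MFA: exactly what CreateLoginProfile hands an attacker.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_login_without_mfa"))
        created = _parse_time(row["user_creation_time"])
        if created is not None and now - created <= timedelta(days=new_user_days):
            findings.append((user, "recently_created_user"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_time(row[f"access_key_{n}_last_used_date"])
            age = (now - rotated) if rotated is not None else None
            if age is not None and age > timedelta(days=max_key_age_days):
                findings.append((user, f"long_lived_access_key_{n}"))
            # Active but never used after a grace period: nobody needs it, so it is pure exposure.
            if last_used is None and age is not None and age > timedelta(days=unused_key_days):
                findings.append((user, f"unused_access_key_{n}"))
    return findings


if __name__ == "__main__":
    for user, rule in audit_credential_report(REPORT_CSV):
        print(f"{user:<16} {rule}")
```

The `recently_created_user` rule exists because of this campaign specifically: a user that appears in the report days after the last access review, already holding an access key and a console password with no MFA, is the footprint of the CreateUser/CreateLoginProfile/CreateAccessKey sequence Rapid7 describes. Keys that trip `long_lived_access_key` are the ones to replace with short-lived role credentials rather than simply rotate.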