Security researchers at Rapid7 have identified a newly emerging cybercriminal group known as Crimson Collective, which has been actively attacking Amazon Web Services (AWS) environments to exfiltrate sensitive data and extort victims. According to Rapid7, “Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion of the victim.”
The group, which publicly claimed responsibility for breaching Red Hat’s private GitLab repositories, has demonstrated a sophisticated understanding of AWS cloud operations and Identity and Access Management (IAM) mechanisms. Rapid7’s analysis paints a picture of a methodical, cloud-savvy adversary capable of compromising corporate infrastructure through misconfigured credentials and weak access controls.
The Crimson Collective’s attacks begin with the abuse of leaked AWS access keys—long-term credentials often left behind in repositories or development environments. Rapid7 found that the group uses an open-source reconnaissance tool, TruffleHog, to scan for such credentials.
“Based on the evidence from the available cloud logs, the Crimson Collective is using an open source tool called TruffleHog to find leaked AWS credentials.”
TruffleHog is typically used by security professionals to identify secrets accidentally committed to code repositories. However, in the hands of Crimson Collective, it becomes a potent credential-harvesting weapon. Once valid AWS keys are found, the group calls the STS GetCallerIdentity API to verify that the credentials are live and to learn which account and principal they belong to.
Rapid7 notes, “Analysis of CloudTrail logs confirmed usage of user agent TruffleHog as the initial step for all compromised accounts.”
After gaining an initial foothold, Crimson Collective quickly moves to establish persistence and escalate privileges. The attackers create new IAM users and access keys through AWS API calls such as CreateUser, CreateLoginProfile, and CreateAccessKey, ensuring continued access even if the original credentials are revoked.
When operating in environments with limited permissions, the attackers test IAM configurations using the SimulatePrincipalPolicy API to understand privilege boundaries. In successful cases, they attach the AdministratorAccess policy to newly created accounts, granting complete control over the victim’s AWS environment.
“In an environment where the threat group successfully created a new user, they proceeded to elevate privileges via AttachUserPolicy API call, attaching arn:aws:iam::aws:policy/AdministratorAccess policy to the newly created account.”
This level of privilege allows the attackers to enumerate and manipulate nearly every AWS resource—ranging from compute and storage to network and monitoring services.
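A defender's counterpart to the escalation step above is a standing audit of who holds AdministratorAccess at all. The following is an added example (not Rapid7's or the article's code) that reads the JSON printed by `aws iam get-account-authorization-details` (UserDetailList, GroupDetailList, AttachedManagedPolicies and CreateDate are real fields of that output) and lists every user that has the policy attached directly or through a group, optionally restricted to recently created users, which is the shape of the accounts the article describes. The sample document is constructed.

```python
"""List IAM users that hold AdministratorAccess, directly or via a group.

Added example: parses the output of `aws iam get-account-authorization-details`
(saved to a file or piped in). The SAMPLE document below is constructed.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _ts(iso):
    """Parse the ISO-8601 timestamps the CLI emits (handles a trailing 'Z')."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _attached(detail):
    """ARNs of managed policies attached to a user or group detail record."""
    return {p["PolicyArn"] for p in detail.get("AttachedManagedPolicies", [])}


def admin_users(details, newer_than_days=None, now_iso=None):
    """Return [(userName, how, createDate)] for users with AdministratorAccess.

    `how` is "direct", "group:<name>", or a comma-joined list if both apply.
    With newer_than_days set, only users created inside that window (relative
    to now_iso, or the current time) are returned, a quick way to surface
    freshly minted admin users after an incident.
    """
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    admin_groups = {g["GroupName"] for g in details.get("GroupDetailList", [])
                    if ADMIN_POLICY in _attached(g)}
    findings = []
    for user in details.get("UserDetailList", []):
        how = []
        if ADMIN_POLICY in _attached(user):
            how.append("direct")
        how += [f"group:{g}" for g in user.get("GroupList", []) if g in admin_groups]
        if not how:
            continue
        if newer_than_days is not None and \
                now - _ts(user["CreateDate"]) > timedelta(days=newer_than_days):
            continue
        findings.append((user["UserName"], ",".join(how), user["CreateDate"]))
    return findings


# Constructed sample in the shape of get-account-authorization-details output.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "ops-admin", "CreateDate": "2023-01-10T09:00:00+00:00",
         "GroupList": ["Admins"], "AttachedManagedPolicies": []},
        {"UserName": "svc-backup", "CreateDate": "2025-10-05T03:12:00+00:00",
         "GroupList": [], "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY}]},
        {"UserName": "developer", "CreateDate": "2024-06-01T00:00:00+00:00",
         "GroupList": ["Developers"], "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "Admins", "AttachedManagedPolicies": [
            {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY}]},
        {"GroupName": "Developers", "AttachedManagedPolicies": [
            {"PolicyName": "ReadOnlyAccess",
             "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
}

if __name__ == "__main__":
    # Usage: aws iam get-account-authorization-details | python audit.py [days]
    details = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    days = int(sys.argv[1]) if len(sys.argv) > 1 else None
    for name, how, created in admin_users(details, newer_than_days=days):
        print(f"{name:20} {how:20} created {created}")
```

Run against the sample it reports `ops-admin` (via the Admins group) and `svc-backup` (direct attachment); with a seven-day window only `svc-backup` remains, which is the kind of account the AttachUserPolicy step produces.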
With administrative access secured, Crimson Collective performs deep reconnaissance across the compromised environment. The group systematically enumerates cloud assets by executing a wide range of AWS API calls to gather information about EC2 instances, RDS databases, S3 buckets, VPC configurations, and CloudWatch alarms.
Rapid7 observed commands like DescribeInstances, DescribeDBSnapshots, and GetCostAndUsage, which provide insight into the victim’s architecture and operational scope. The attackers even scoped Amazon SES and SMS quotas, suggesting potential misuse for phishing or spam campaigns.
“The threat group was observed to gather information about EC2 instances and their Security Groups, EBS volumes and snapshots, VPCs, Route Tables, Databases, Cost and Usage metrics for the account, Alarms, information about the account, and IAM roles.”
This exhaustive discovery phase enables the attackers to identify high-value data repositories and potential exfiltration channels.
The group’s endgame centers on data exfiltration and extortion. Once valuable assets are identified, Crimson Collective modifies RDS configurations to steal database contents. Using the ModifyDBInstance API, they reset the master user password, granting themselves administrative access to live production databases.
Rapid7 reports, “The threat group used an API call ModifyDBInstance to modify the master user password for the database instance.”
The attackers then create database snapshots using CreateDBSnapshot and export them to Amazon S3 via StartExportTask, making the data easy to download and conceal within legitimate AWS operations. Similarly, they take EBS snapshots and attach them to newly created EC2 instances using permissive Security Groups to facilitate exfiltration.
“Following this, the threat actor attached previously created snapshots of EBS to the newly created EC2 instance via AttachVolume API call, making the compromised data available through an EC2 instance with permissive security groups.”
Finally, the attackers download the exported data from the victim's own Amazon Simple Storage Service (S3) buckets with GetObject API calls, completing the exfiltration to infrastructure they control.
Once data exfiltration is complete, Crimson Collective delivers extortion notices—often using the victim’s own AWS infrastructure to send them. Rapid7 observed the group utilizing Amazon Simple Email Service (SES) to deliver ransom emails directly from the victim’s compromised account.
“In the case of successful exfiltration of data, Crimson Collective sends an extortion note informing the victim about the extent of exfiltrated data. To send this note, the threat group was observed to be leveraging Simple Email Service on the victim’s AWS infrastructure as well as an external email.”
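The chain Rapid7 describes, from the TruffleHog-tagged GetCallerIdentity through CreateUser, CreateAccessKey, AttachUserPolicy, ModifyDBInstance, StartExportTask and the SES note, is visible end to end in CloudTrail. The following is an added example, not Rapid7's or the article's code, of an offline triage over CloudTrail records: it groups events by the access key that issued them, follows keys minted with CreateAccessKey back to the key that created them (the `responseElements.accessKey.accessKeyId` field is what CloudTrail records for that call), and reports which stages of the chain each credential lineage reached. DescribeSecurityGroups and GetSendQuota are real API names added here to stand in for the security-group and SES-quota checks the article mentions; whether SES SendEmail appears in your trail depends on your trail configuration and is an assumption. The sample records are constructed.

```python
"""Stage CloudTrail records into the AWS intrusion chain described above.

Added example (not from Rapid7 or the article). Input is a list of CloudTrail
record dicts in the format CloudTrail writes; SAMPLE below is constructed.
"""
from collections import defaultdict

# Stage -> eventNames the article attributes to the group. DescribeSecurityGroups
# and GetSendQuota are real calls added as representatives of the security-group
# and SES-quota discovery it describes.
STAGES = [
    ("validation",   {"GetCallerIdentity"}),
    ("persistence",  {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}),
    ("escalation",   {"SimulatePrincipalPolicy", "AttachUserPolicy"}),
    ("discovery",    {"DescribeInstances", "DescribeDBSnapshots", "GetCostAndUsage",
                      "DescribeSecurityGroups", "GetSendQuota"}),
    ("exfiltration", {"ModifyDBInstance", "CreateDBSnapshot", "StartExportTask",
                      "AttachVolume", "GetObject"}),
    ("extortion",    {"SendEmail"}),  # SES; assumes SendEmail is logged in your trail
]
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def key_of(rec):
    """Access key that signed the request (CloudTrail userIdentity.accessKeyId)."""
    return (rec.get("userIdentity") or {}).get("accessKeyId", "unknown")


def lineage_root(records):
    """Return a function mapping any access key to the root key of its lineage.

    A key minted by CreateAccessKey is attributed to the key that minted it, so
    activity from attacker-created credentials lands on the originally leaked key.
    """
    parent = {}
    for rec in records:
        if rec.get("eventName") == "CreateAccessKey":
            new = ((rec.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if new:
                parent[new] = key_of(rec)

    def root(key):
        seen = set()
        while key in parent and key not in seen:   # guard against cycles
            seen.add(key)
            key = parent[key]
        return key
    return root


def triage(records):
    """Return {root_key: {"stages": [...], "trufflehog": bool,
    "admin_attached": bool, "alert": bool}}, stages in chain order."""
    root = lineage_root(records)
    out = defaultdict(lambda: {"stages": set(), "trufflehog": False,
                               "admin_attached": False, "alert": False})
    for rec in records:
        entry = out[root(key_of(rec))]
        name = rec.get("eventName", "")
        agent = (rec.get("userAgent") or "").lower()
        for stage, names in STAGES:
            if name in names:
                entry["stages"].add(stage)
        # Rapid7: TruffleHog's user agent on the validating GetCallerIdentity call.
        if name == "GetCallerIdentity" and "trufflehog" in agent:
            entry["trufflehog"] = True
        if name == "AttachUserPolicy" and \
                (rec.get("requestParameters") or {}).get("policyArn") == ADMIN_POLICY:
            entry["admin_attached"] = True
    for entry in out.values():
        entry["stages"] = [s for s, _ in STAGES if s in entry["stages"]]
        # A scanner-validated key that goes on to mint credentials or escalate is
        # the combination worth paging on; GetCallerIdentity alone is noisy.
        entry["alert"] = entry["trufflehog"] and (
            "persistence" in entry["stages"] or entry["admin_attached"])
    return dict(out)


# Constructed sample: a leaked key (...LEAK) whose lineage runs the chain through
# a freshly minted key (...MINT), and an ordinary CI key (...CICD).
SAMPLE = [
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userAgent": "TruffleHog", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAK"}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "userAgent": "aws-cli/2.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAK"}, "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com", "userAgent": "aws-cli/2.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAK"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEMINT", "userName": "svc-backup"}}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "userAgent": "aws-cli/2.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEMINT"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com", "userAgent": "aws-cli/2.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEMINT"}},
    {"eventName": "StartExportTask", "eventSource": "rds.amazonaws.com", "userAgent": "aws-cli/2.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEMINT"}},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "userAgent": "aws-cli/2.0 ci",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECICD"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userAgent": "aws-cli/2.0 ci",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECICD"}},
]

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, "ALERT" if info["alert"] else "ok", ", ".join(info["stages"]))
```

On the sample the leaked key's lineage reaches validation, persistence, escalation and exfiltration and is flagged, while the CI key (validation and discovery only, ordinary user agent) is not. Keying on the lineage rather than the individual access key matters because, as the article notes, the later steps are issued with credentials the attackers created rather than the one that leaked.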

The messages, written in collective language (“we”), reinforce the group’s organized nature and collaborative composition, though Rapid7 notes that “the group’s composition remains unclear.”
Rapid7 concludes that Crimson Collective represents a new, cloud-native threat actor focused primarily on data theft, extortion, and reputational damage rather than direct ransomware deployment.