A newly identified hacker group, known as the Crimson Collective, has emerged as a significant threat to cloud infrastructure, particularly targeting Amazon Web Services (AWS) environments.

According to Rapid7’s latest research, the group specializes in data theft and extortion operations, leveraging compromised long-term access credentials and overly permissive IAM policies to infiltrate corporate systems.

Their attack chain demonstrates a deep understanding of AWS operations and cloud resource manipulation, marking them as a formidable adversary in the growing field of cloud-based cyber threats.

Compromised Access Keys and Privilege Escalation

Rapid7’s investigation revealed that the Crimson Collective initiates its attacks using compromised long-term access keys, which are often obtained from exposed repositories or misconfigured environments.

The attackers utilize TruffleHog, a legitimate open-source tool designed to discover secrets in source code, to locate and validate usable credentials. Once a key is verified via the GetCallerIdentity API call, it becomes the gateway for the group to initiate unauthorized access.

From there, the group establishes persistence using several IAM API calls, including CreateUser, CreateLoginProfile, and CreateAccessKey. These actions create new users and credentials under the attackers’ control.

Diagram of the attack

To elevate privileges, Crimson Collective attaches the AWS-managed AdministratorAccess policy to these newly created accounts through the AttachUserPolicy call, granting complete administrative control of the victim’s cloud environment.

In cases where administrative rights are not immediately available, the group executes the SimulatePrincipalPolicy API to analyze and exploit existing policy permissions for escalation.

Such carefully orchestrated privilege escalation enables complete operational freedom within the compromised AWS instance, a point from which extensive reconnaissance and exploitation activity can be launched.

Cloud Reconnaissance and Data Manipulation

Once established within the environment, Crimson Collective conducts deep reconnaissance across multiple AWS services.

CloudTrail logs reviewed by Rapid7 identified widespread usage of enumeration commands, including ListRoles, ListBuckets, DescribeInstances, and DescribeDBInstances.

This mapping phase helps the attackers inventory EC2 instances, databases, Elastic Block Store (EBS) volumes, and key network components such as subnets and security groups.

They also query account cost and usage metrics, possibly to assess the environment’s scale and identify high-value targets, such as production databases or development repositories.

Following reconnaissance, the group proceeds to manipulate cloud resources to extract valuable information:

  • Using the ModifyDBInstance API, they reset master passwords to gain direct database access
  • CreateDBSnapshot and StartExportTask are executed to copy databases from Amazon RDS into S3 storage for later theft
  • CreateSnapshot and AttachVolume actions are issued to clone EBS volumes and mount them onto attacker-controlled EC2 instances
  • These instances are configured with permissive security rules

Data Exfiltration and Extortion Threat

Crimson Collective’s final phase involves exfiltration of the gathered data, followed by extortion. The attackers retrieve sensitive data from S3 storage using GetObject calls, moving it to external locations.

Once data theft is complete, victims often receive extortion emails, which are frequently sent through Amazon Simple Email Service (SES) on the compromised account, threatening public exposure unless payments are made.

Rapid7 notes that this operation model mirrors the emerging “cloud extortion” trend, where attackers exploit cloud-native mechanisms for both intrusion and communication.

The company advises AWS customers to replace permanent access keys with short-lived credentials, enforce the principle of least privilege, restrict API usage from unknown IP sources, and monitor for anomalous user creation or snapshot activity.
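As an added illustration (not code from the Rapid7 report or from any vendor product), the following Python sketch shows one way to act on that monitoring advice: it classifies the CloudTrail event names cited in the article by attack phase and flags any source IP whose activity spans more than one phase, since the group pivots from the compromised key to a user it created itself and per-principal alerting would miss that link. The CloudTrail records are constructed sample data and the IP addresses are placeholders.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (hypothetical sample data, not from the report).
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "CreateUser", "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # The attacker now acts as the user they created, from the same origin.
    {"eventName": "CreateDBSnapshot", "userIdentity": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.7"},
    {"eventName": "StartExportTask", "userIdentity": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.7"},
    # Ordinary admin activity from another address: read-only enumeration is not flagged on its own.
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "ops-admin"}, "sourceIPAddress": "198.51.100.4"},
]

# API calls named in the article, mapped to the phase of the attack chain they indicate.
PHASE_BY_EVENT = {
    "CreateUser": "persistence", "CreateLoginProfile": "persistence", "CreateAccessKey": "persistence",
    "SimulatePrincipalPolicy": "privilege_escalation",
    "ModifyDBInstance": "data_staging", "CreateDBSnapshot": "data_staging", "StartExportTask": "data_staging",
    "CreateSnapshot": "data_staging", "AttachVolume": "data_staging",
}

def classify(event):
    """Return the attack phase an event indicates, or None for ordinary activity.
    AttachUserPolicy only counts when it grants the AWS-managed AdministratorAccess policy."""
    name = event.get("eventName")
    if name == "AttachUserPolicy":
        arn = event.get("requestParameters", {}).get("policyArn", "")
        return "privilege_escalation" if arn.endswith(":policy/AdministratorAccess") else None
    return PHASE_BY_EVENT.get(name)

def find_suspects(events):
    """Group flagged events by source IP (not by principal, so the pivot to a newly
    created user is still linked) and return IPs whose activity spans two or more phases."""
    phases_by_ip = defaultdict(set)
    for ev in events:
        phase = classify(ev)
        if phase:
            phases_by_ip[ev.get("sourceIPAddress", "unknown")].add(phase)
    return {ip: sorted(p) for ip, p in phases_by_ip.items() if len(p) >= 2}

if __name__ == "__main__":
    for ip, phases in find_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {', '.join(phases)}")
```

In production the same grouping would be done over a time window and enriched with an allow-list of known CI/CD and administrator addresses, so that legitimate automation which creates users and keys does not trigger the rule.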

Rapid7’s InsightIDR and MDR solutions currently include detection coverage for behaviors consistent with the Crimson Collective’s tactics, providing customers a layer of defense against this evolving cloud-based threat.
