Red Hat hackers Crimson Collective are now going after AWS instances


  • Crimson Collective hackers target AWS using exposed credentials to escalate privileges and exfiltrate data
  • Attackers use TruffleHog to find secrets, then create IAM users and access keys via API
  • Red Hat breach yielded 570GB of sensitive files, including 800 infrastructure-rich consulting records

Crimson Collective, the threat actor behind the recent breach at Red Hat, is now going after Amazon Web Services (AWS) cloud environments, looking to establish persistence, steal data, and extort the victims for money.

Cybersecurity researchers at Rapid7 found the attackers are using TruffleHog, an open source security tool designed to search for secrets, credentials, and API keys that may have been accidentally exposed in code repositories or other sources. After finding exposed AWS credentials, the attackers create new IAM users and login profiles via API calls, create new access keys, and escalate privileges by attaching new policies.

Finally, they use their access to map out their victim’s network and plan for data exfiltration and extortion.
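As an added example that is not part of the article and not Rapid7's or AWS's own tooling: a small Python detector that looks for the chain of IAM API calls described above (CreateUser, CreateLoginProfile, CreateAccessKey, AttachUserPolicy) in CloudTrail-style records, grouped by the principal making the calls. It also notes whether the caller was using a long-lived IAM access key (IDs beginning with `AKIA`) rather than a temporary STS credential (`ASIA`), which is the distinction behind AWS's advice on short-term credentials. The sample events, account ID, ARNs, key IDs and IP addresses are all constructed placeholders.

```python
"""Flag principals that chain IAM persistence calls within a short window.

The records below mimic the subset of CloudTrail fields the logic needs;
they are constructed for this example, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IAM mutations the article describes the actor chaining after finding leaked keys.
PERSISTENCE_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy"}
WINDOW = timedelta(minutes=30)

# Constructed sample: a compromised long-lived key ("AKIA...") belonging to ci-deploy
# creates a backdoor user and attaches an admin policy, all within a few minutes.
# An unrelated admin session ("ASIA..." temporary credential) performs single,
# widely spaced IAM calls and should not be flagged.
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-10T06:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice", "accessKeyId": "ASIAEXAMPLE0000000009"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2025-10-10T08:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice", "accessKeyId": "ASIAEXAMPLE0000000009"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2025-10-10T09:00:10Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-10T09:00:42Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-10T09:01:15Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-10-10T09:02:03Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Non-IAM noise that the detector must ignore.
    {"eventTime": "2025-10-10T09:02:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE0000000001"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
]


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_persistence_chains(events, min_distinct=2, window=WINDOW):
    """Return one finding per principal that issues at least `min_distinct`
    different persistence-related IAM calls inside `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventSource"] != "iam.amazonaws.com" or ev["eventName"] not in PERSISTENCE_EVENTS:
            continue
        by_actor[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        # Slide a window anchored at each event; report the first one that qualifies.
        for i, first in enumerate(evs):
            t0 = parse_time(first["eventTime"])
            in_window = [e for e in evs[i:] if parse_time(e["eventTime"]) - t0 <= window]
            names = {e["eventName"] for e in in_window}
            if len(names) < min_distinct:
                continue
            key_id = first["userIdentity"].get("accessKeyId", "")
            findings.append({
                "actor": actor,
                "calls": sorted(names),
                "targets": sorted({e["requestParameters"].get("userName", "?") for e in in_window}),
                "source_ips": sorted({e["sourceIPAddress"] for e in in_window}),
                # Long-lived IAM user keys start with AKIA; STS temporary ones with ASIA.
                "long_lived_key": key_id.startswith("AKIA"),
            })
            break
    return findings


if __name__ == "__main__":
    for finding in detect_persistence_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against a real CloudTrail export, the same function works on the `Records` array once each record is reduced to the fields used here; a hit on a principal whose `long_lived_key` is true is exactly the case the article's advice on short-term credentials is meant to remove.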

Crimson Collective

Speaking to BleepingComputer, AWS said its users should use short-term, least-privileged credentials and implement restrictive IAM policies to combat the threat.

"In the event a customer suspects their credentials may have been exposed, they can start by following the steps listed in this post," AWS explained. "If customers have any questions about the security of their accounts, they are advised to contact AWS support."

Crimson Collective recently turned heads when it broke into Red Hat’s private GitLab environment repositories and exfiltrated approximately 570GB of different files from 28,000 internal projects.

Among the files were 800 Customer Engagement Records (CER), internal consulting documents that Red Hat created to support enterprise clients. They typically include detailed infrastructure information (network architecture, system configuration, etc.), authentication and access data (credentials, access tokens, and more), and operational insights (recommendations, troubleshooting notes, and similar).


This makes them extremely valuable, since they can easily be leveraged in follow-up attacks.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
