Emerging Actor ‘Crimson Collective’ Targets AWS


The Crimson Collective is a newly identified cloud-focused cyber threat group that surfaced in September 2025, primarily targeting Amazon Web Services (AWS) environments. According to Rapid7 Labs, the group’s primary objectives are data exfiltration and extortion. They have publicly claimed responsibility for an attack against Red Hat, in which they allegedly stole private GitLab repositories. The threat actor demonstrates a deep understanding of cloud infrastructure operations and leverages legitimate tools to execute their campaigns covertly.

Severity: High

Threat Details

1. Initial Access

  • Vector: Compromise of long-term AWS access keys exposed in public or internal repositories.
  • Tool Used: TruffleHog, an open-source secret-scanning tool used maliciously to identify leaked credentials.
  • Once valid keys were identified, the attackers authenticated into AWS environments via API calls.

2. Establishing Persistence

  • Upon successful access, the group created new IAM users through API calls such as CreateUser and CreateLoginProfile.
  • Created new access keys (CreateAccessKey) for those users so that access persisted even after the originally compromised credentials were revoked.

3. Privilege Escalation

  • Leveraged the AttachUserPolicy API call to grant AdministratorAccess to newly created users.
  • In environments with restricted permissions, they used SimulatePrincipalPolicy to test attached IAM policies and identify escalation opportunities.

4. Discovery

  • Performed wide-scale enumeration of AWS assets using API calls to map:
    • Compute: EC2 instances, EBS volumes, snapshots.
    • Networking: VPCs, route tables, security groups.
    • Databases: RDS instances and clusters.
    • Identity and Access: IAM roles, users, and permissions.
    • Monitoring: CloudWatch alarms and cost usage metrics.
  • This stage demonstrated methodical mapping of the cloud environment to identify valuable data sources and exfiltration pathways.

5. Data Collection & Exfiltration

  • Modified RDS master passwords using the ModifyDBInstance API to gain access to databases.
  • Created database and EBS snapshots (CreateDBSnapshot, CreateSnapshot), which were exported to S3 buckets via StartExportTask.
  • Data exfiltration was executed using the GetObject API, transferring sensitive files from S3 storage.
  • The group deployed EC2 instances with permissive security groups to facilitate outbound data movement.

6. Extortion Phase

  • After successful data theft, the Crimson Collective sent extortion emails through Amazon Simple Email Service (SES), both from the victim’s own AWS environment and from external accounts.
  • Victims received detailed messages outlining the extent of data exfiltrated, demanding payment to prevent public leaks.

Recommendations

  1. Replace static IAM keys with temporary credentials via AWS STS (Security Token Service). Enforce short expiration times for all session tokens.
  2. Mandate MFA for all IAM users, root accounts, and console logins.
  3. Set automated key rotation policies and revoke unused or stale access keys.
  4. Regularly scan public and private code repositories using tools like TruffleHog or git-secrets for exposed credentials.
  5. Centralize CloudTrail logs and ensure they cannot be modified by users.
  6. Trigger alerts on IAM policy changes, large data transfers from S3 buckets (GetObject or ListBucket anomalies), and new EC2 instances or security groups with open ingress/egress.
  7. Disable public access to S3 buckets.
  8. Review CloudTrail logs for anomalies in API calls such as CreateUser, AttachUserPolicy, SimulatePrincipalPolicy, CreateAccessKey, CreateSnapshot, and StartExportTask.
  9. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/56ca3b0a1cd7246b302b5544b86b9099e724008bf3200f5eeb6de64c4c1ba79b/iocs.
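The following script illustrates recommendation 8 in working form. It is an added example, not part of the advisory or any Rapid7 tooling: it scores each calling access key by how many of the chain's API calls it made (CreateUser, AttachUserPolicy with AdministratorAccess, CreateAccessKey, ModifyDBInstance, snapshot creation, StartExportTask) and flags any call from the three IOC addresses above. The event weights, the alert threshold, and the sample CloudTrail records (with placeholder key ids) are constructed for the example.

```python
from collections import defaultdict

# Management-plane calls this advisory ties to the intrusion chain. Weights are
# an assumption for this example, not a published scoring scheme.
WATCHED_EVENTS = {
    "CreateUser": 2, "CreateLoginProfile": 2, "CreateAccessKey": 2,
    "AttachUserPolicy": 3, "SimulatePrincipalPolicy": 3, "ModifyDBInstance": 3,
    "CreateDBSnapshot": 2, "CreateSnapshot": 2, "StartExportTask": 4,
}
# Source addresses from the advisory's IOC list (un-fanged here for matching).
IOC_IPS = {"45.148.10.141", "195.201.175.210", "5.9.108.250"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def score_records(records):
    """Score each calling access key on how much of the described chain it performed."""
    findings = defaultdict(lambda: {"score": 0, "events": [], "ioc_hits": []})
    for r in records:
        name = r.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        f = findings[r.get("userIdentity", {}).get("accessKeyId", "unknown")]
        weight = WATCHED_EVENTS[name]
        params = r.get("requestParameters") or {}
        # Attaching AdministratorAccess is the escalation step itself: weight it extra.
        if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            weight += 3
        f["score"] += weight
        f["events"].append(name)
        ip = r.get("sourceIPAddress")
        if ip in IOC_IPS and ip not in f["ioc_hits"]:
            f["ioc_hits"].append(ip)
    return dict(findings)

def alerts(records, threshold=8):
    """Keys whose chain score reaches the threshold, or that called from an IOC address."""
    return {k: f for k, f in score_records(records).items()
            if f["score"] >= threshold or f["ioc_hits"]}

def make_record(name, key, ip, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real telemetry)."""
    return {"eventName": name, "userIdentity": {"accessKeyId": key},
            "sourceIPAddress": ip, "requestParameters": params}
# Constructed sample: one compromised key (placeholder id) walking the chain from an IOC address.
SAMPLE = [
    make_record("CreateUser", "AKIAEXAMPLE000001", "45.148.10.141", userName="svc-backup"),
    make_record("AttachUserPolicy", "AKIAEXAMPLE000001", "45.148.10.141", userName="svc-backup", policyArn=ADMIN_POLICY),
    make_record("CreateAccessKey", "AKIAEXAMPLE000001", "45.148.10.141", userName="svc-backup"),
    make_record("StartExportTask", "AKIAEXAMPLE000001", "45.148.10.141", s3BucketName="example-export"),
    make_record("DescribeInstances", "AKIAEXAMPLE000002", "203.0.113.10"),
]
```

Run `alerts(records)` over the `Records` array of a CloudTrail log file; a key that only performs routine discovery calls never appears in the output, while one that creates a user, attaches AdministratorAccess and starts an export scores above the threshold even without an IOC match.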

IOCs

IP: 45.148.10[.]141
IP: 195.201.175[.]210
IP: 5.9.108[.]250

MITRE ATT&CK

Tactic | Technique | ID
Initial Access | Valid Accounts: Cloud Accounts | T1078.004
Persistence | Create Account: Cloud Account | T1136.003
Defense Evasion | Modify Cloud Compute Infrastructure: Create Snapshot | T1578.001
Defense Evasion | Modify Cloud Compute Infrastructure: Create Cloud Instance | T1578.002
Defense Evasion | Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | T1578.005
Discovery | Account Discovery: Cloud Account | T1087.004
Discovery | Permission Groups Discovery: Cloud Groups | T1069.003
Discovery | Cloud Infrastructure Discovery | T1580
Discovery | Cloud Service Discovery | T1526
Discovery | Cloud Storage Object Discovery | T1619
Lateral Movement | Remote Services: Cloud Services | T1021.007
Collection | Data from Cloud Storage | T1530
Collection | Data Staged: Remote Data Staging | T1074.002
Collection | Data from Information Repositories: Code Repositories | T1213.003
Exfiltration | Exfiltration Over Web Service | T1567

Ampcus Cyber