The Crimson Collective is a newly identified cloud-focused cyber threat group that surfaced in September 2025, primarily targeting Amazon Web Services (AWS) environments. According to Rapid7 Labs, the group’s primary objectives are data exfiltration and extortion. They have publicly claimed responsibility for an attack against Red Hat, in which they allegedly stole private GitLab repositories. The threat actor demonstrates a deep understanding of cloud infrastructure operations and leverages legitimate tools to execute their campaigns covertly.
Severity: High
Threat Details
1. Initial Access
- Vector: Compromise of long-term AWS access keys exposed in public or internal repositories.
- Tool Used: TruffleHog, an open-source secret-scanning tool used maliciously to identify leaked credentials.
- Once valid keys were identified, the attackers authenticated into AWS environments via API calls.
2. Establishing Persistence
- Upon successful access, the group created new IAM users through API calls such as CreateUser and CreateLoginProfile.
- Created new access keys for persistence and to ensure ongoing access even if initial credentials were revoked.
3. Privilege Escalation
- Leveraged the AttachUserPolicy API call to grant AdministratorAccess to newly created users.
- In environments with restricted permissions, they used SimulatePrincipalPolicy to test attached IAM policies and identify escalation opportunities.
4. Discovery
- Performed wide-scale enumeration of AWS assets using API calls to map:
  - Compute: EC2 instances, EBS volumes, snapshots.
  - Networking: VPCs, route tables, security groups.
  - Databases: RDS instances and clusters.
  - Identity and Access: IAM roles, users, and permissions.
  - Monitoring: CloudWatch alarms and cost usage metrics.
- This stage demonstrated methodical mapping of the cloud environment to identify valuable data sources and exfiltration pathways.
5. Data Collection & Exfiltration
- Modified RDS master passwords using the ModifyDBInstance API to gain access to databases.
- Created database and EBS snapshots (CreateDBSnapshot, CreateSnapshot), which were exported to S3 buckets via StartExportTask.
- Data exfiltration was executed using the GetObject API, transferring sensitive files from S3 storage.
- The group deployed EC2 instances with permissive security groups to facilitate outbound data movement.
6. Extortion Phase
- After successful data theft, the Crimson Collective sent extortion emails via Amazon Simple Email Service (SES) hosted in the victim’s AWS environment and external accounts.
- Victims received detailed messages outlining the extent of data exfiltrated, demanding payment to prevent public leaks.
Recommendations
- Replace static IAM keys with temporary credentials via AWS STS (Security Token Service). Enforce short expiration times for all session tokens.
- Mandate MFA for all IAM users, root accounts, and console logins.
- Set automated key rotation policies and revoke unused or stale access keys.
- Regularly scan public and private code repositories using tools like TruffleHog or git-secrets for exposed credentials.
- Centralize CloudTrail logs and ensure they cannot be modified by users.
- Trigger alerts on IAM policy changes, large data transfers from S3 buckets (GetObject or ListBucket anomalies), and new EC2 instances or security groups with open ingress/egress.
- Disable public access to S3 buckets.
- Review CloudTrail logs for anomalies in API calls such as CreateUser, AttachUserPolicy, SimulatePrincipalPolicy, CreateAccessKey, CreateSnapshot, and StartExportTask.
- Block the IOCs at their respective controls (full collection: https://www.virustotal.com/gui/collection/56ca3b0a1cd7246b302b5544b86b9099e724008bf3200f5eeb6de64c4c1ba79b/iocs).
IOCs
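The attack chain in the Threat Details section and the CloudTrail review recommendation above both reduce to the same detection problem: spotting the sensitive API calls (CreateUser, CreateAccessKey, AttachUserPolicy, SimulatePrincipalPolicy, ModifyDBInstance, CreateSnapshot, StartExportTask, open security groups) and correlating them per principal. The following is an added example, not code from the advisory or from Rapid7: an offline triage script over CloudTrail-format records. The sample records are constructed for illustration (the account ID, ARNs, user names and the 203.0.113.10 source address are placeholders); the field layout follows the CloudTrail record format, and the assumption that ModifyDBInstance logs a redacted masterUserPassword key is noted in the code.

```python
"""Offline CloudTrail triage for the AWS attack chain described in the advisory.

Added example. Records follow the CloudTrail JSON layout, but every value in
SAMPLE_EVENTS is constructed for this illustration, not taken from an incident.
"""
from collections import Counter
from datetime import datetime, timedelta

# Single-event rules, taken from the advisory's lists of abused API calls.
IAM_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
              "AttachUserPolicy", "SimulatePrincipalPolicy"}
STAGING_EVENTS = {"CreateDBSnapshot", "CreateSnapshot", "StartExportTask"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
CHAIN_WINDOW = timedelta(hours=1)  # CreateUser -> admin grant correlation window


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def _open_ingress(params):
    """True if an AuthorizeSecurityGroupIngress call opens a rule to the world."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") in OPEN_CIDRS for r in v4):
            return True
        if any(r.get("cidrIpv6") in OPEN_CIDRS for r in v6):
            return True
    return False


def classify(event):
    """Return the name of the rule a single event trips, or None if benign."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
        return "iam_admin_grant"
    if name in IAM_EVENTS:
        return "iam_sensitive_change"
    if name in STAGING_EVENTS:
        return "data_staging"
    # Assumption: CloudTrail keeps the masterUserPassword key with a redacted
    # value, so key presence (not the value) signals a password reset.
    if name == "ModifyDBInstance" and "masterUserPassword" in params:
        return "rds_password_reset"
    if name == "AuthorizeSecurityGroupIngress" and _open_ingress(params):
        return "open_security_group"
    return None


def triage(events):
    """Per-event alerts plus a correlated alert when one principal creates a
    user and grants it AdministratorAccess within CHAIN_WINDOW."""
    alerts, created = [], {}
    for ev in sorted(events, key=_ts):
        rule = classify(ev)
        params = ev.get("requestParameters") or {}
        who = _principal(ev)
        if rule:
            alerts.append({"rule": rule, "eventName": ev["eventName"], "principal": who,
                           "sourceIP": ev.get("sourceIPAddress"), "time": ev["eventTime"]})
        if ev["eventName"] == "CreateUser":
            created[(who, params.get("userName"))] = _ts(ev)
        elif rule == "iam_admin_grant":
            key = (who, params.get("userName"))
            if key in created and _ts(ev) - created[key] <= CHAIN_WINDOW:
                alerts.append({"rule": "persistence_chain", "eventName": ev["eventName"],
                               "principal": who, "newUser": params.get("userName"),
                               "sourceIP": ev.get("sourceIPAddress"), "time": ev["eventTime"]})
    return alerts


def _ev(time, source, name, params, ip="203.0.113.10"):
    """Build a minimal constructed CloudTrail record (placeholder account/ARN)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/ci-deploy"}}


SAMPLE_EVENTS = [  # constructed, in the order the advisory describes the chain
    _ev("2025-09-10T12:00:00Z", "iam.amazonaws.com", "CreateUser", {"userName": "backup-svc"}),
    _ev("2025-09-10T12:00:30Z", "iam.amazonaws.com", "CreateAccessKey", {"userName": "backup-svc"}),
    _ev("2025-09-10T12:01:00Z", "iam.amazonaws.com", "AttachUserPolicy",
        {"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}),
    _ev("2025-09-10T12:02:00Z", "iam.amazonaws.com", "SimulatePrincipalPolicy",
        {"policySourceArn": "arn:aws:iam::123456789012:user/backup-svc"}),
    _ev("2025-09-10T12:03:00Z", "ec2.amazonaws.com", "DescribeInstances", {}),  # benign
    _ev("2025-09-10T12:10:00Z", "rds.amazonaws.com", "ModifyDBInstance",
        {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}),
    _ev("2025-09-10T12:20:00Z", "rds.amazonaws.com", "StartExportTask",
        {"exportTaskIdentifier": "exp-1", "s3BucketName": "placeholder-bucket"}),
    _ev("2025-09-10T12:25:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
        {"groupId": "sg-0placeholder", "ipPermissions": {"items": [
            {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
]


def summarize(events):
    """Counter of rule names tripped by a batch of events."""
    return Counter(a["rule"] for a in triage(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
    print(dict(summarize(SAMPLE_EVENTS)))
```

In production the event list would come from the centralized CloudTrail bucket or a CloudWatch Logs subscription rather than the embedded sample; the per-principal correlation is what separates a routine IAM change from the CreateUser-then-AdministratorAccess pattern the advisory describes, and the persistence_chain alert carries the source IP so it can be matched against the IOC list.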
IP: 45.148.10[.]141
IP: 195.201.175[.]210
IP: 5.9.108[.]250
MITRE ATT&CK
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Valid Accounts: Cloud Accounts | T1078.004 |
| Persistence | Create Account: Cloud Account | T1136.003 |
| Defense Evasion | Modify Cloud Compute Infrastructure: Create Snapshot | T1578.001 |
| Defense Evasion | Modify Cloud Compute Infrastructure: Create Cloud Instance | T1578.002 |
| Defense Evasion | Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | T1578.005 |
| Discovery | Account Discovery: Cloud Account | T1087.004 |
| Discovery | Permission Groups Discovery: Cloud Groups | T1069.003 |
| Discovery | Cloud Infrastructure Discovery | T1580 |
| Discovery | Cloud Service Discovery | T1526 |
| Discovery | Cloud Storage Object Discovery | T1619 |
| Lateral Movement | Remote Services: Cloud Services | T1021.007 |
| Collection | Data from Cloud Storage | T1530 |
| Collection | Data Staged: Remote Data Staging | T1074.002 |
| Collection | Data from Information Repositories: Code Repositories | T1213.003 |
| Exfiltration | Exfiltration Over Web Service | T1567 |
Source: