Datadog researchers identified an intrusion targeting Amazon Simple Email Service (SES) in an AWS environment, where attackers employed advanced persistence techniques. The attack was notable for leveraging an external AWS account to assume roles within the victim's environment, enabling them to maintain access. The attackers obscured their activity by using temporary credentials, creating backdoored roles and users with high-privilege policies such as AdministratorAccess, and performing actions that appeared legitimate to evade detection.
The intrusion began with a compromised long-term access key (an access key ID beginning with AKIA) used from the CLI, after which the attackers obtained console access via GetFederationToken API calls. Once in the console, they created a role named "SupportAWS" and allowed it to be assumed from their own external AWS account. Further persistence was established by creating an IAM user, "supdev," with administrative access. The attackers also enumerated SES configurations, potentially preparing the environment for sending spam or phishing emails.