Wiz Threat Research discovered a malicious campaign where attackers are using leaked or stolen cloud access keys to access cloud environments and deploy ECS clusters. The attacker was observed abusing accidentally exposed AWS access keys and trying to gain a permanent foothold in their victims' cloud environments, attempting to create additional users and importing their own SSH keys. In some cases they also tried to deploy multiple ECS clusters, which could have been used for a plethora of malicious activities, such as crypto-mining or network vulnerability scanning.
These attackers appear to be targeting leaked AWS API keys, commonly exposed through client-side scripts, overly accessible .env files, or uploads to public code repositories. After obtaining such keys, the attacker typically initiates a series of API calls, often starting with calls to test the key's validity, such as GetCallerIdentity. In most cases, we observed the attackers attempting to create an ECS cluster using the CreateCluster API, likely for purposes such as crypto-mining or other malicious activities. These newly created clusters were consistently named either bapak1 or entot1, which are Indonesian words, further suggesting the group's possible origin in Indonesia.
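The sequence described above (a validity probe with GetCallerIdentity, followed by persistence actions such as creating users and importing SSH keys, and then ECS CreateCluster with one of the reported cluster names) is something a defender can look for in CloudTrail. The following is an added detection sketch, not Wiz's tooling or code from the original post. It walks a list of CloudTrail-shaped records and flags two things: CreateCluster calls whose clusterName matches the names reported in the campaign, and access keys that go from a GetCallerIdentity probe to a follow-on action within a short window. The field names (eventTime, eventSource, eventName, userIdentity.accessKeyId, requestParameters) follow the CloudTrail record schema; the sample events, access key IDs, user and key names, and the 60-minute window are constructed assumptions for illustration.

```python
"""Detection sketch for the probe-then-persist pattern described in the article.

Added example, not the article's or Wiz's code. Scans CloudTrail-shaped records for:
  (a) ecs:CreateCluster calls using a cluster name reported in the campaign, and
  (b) an access key that calls sts:GetCallerIdentity and then, within a window,
      performs a persistence or compute-creation action.
All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Cluster names reported in the article.
KNOWN_CLUSTER_NAMES = {"bapak1", "entot1"}

# Follow-on actions mentioned in the article: creating users, importing SSH keys,
# deploying ECS clusters. (eventSource, eventName) pairs as CloudTrail records them.
FOLLOW_ON_ACTIONS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("ec2.amazonaws.com", "ImportKeyPair"),
    ("ecs.amazonaws.com", "CreateCluster"),
}


def _ts(record):
    """Parse the CloudTrail eventTime (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _key_id(record):
    """Access key that made the call; 'unknown' if the record carries none."""
    return record.get("userIdentity", {}).get("accessKeyId", "unknown")


def find_known_cluster_names(records):
    """Return (accessKeyId, clusterName) for CreateCluster calls using a reported name."""
    hits = []
    for r in records:
        if r["eventSource"] != "ecs.amazonaws.com" or r["eventName"] != "CreateCluster":
            continue
        name = (r.get("requestParameters") or {}).get("clusterName", "")
        if name.lower() in KNOWN_CLUSTER_NAMES:
            hits.append((_key_id(r), name))
    return hits


def find_probe_then_escalate(records, window_minutes=60):
    """Map accessKeyId -> list of follow-on eventNames that occurred within
    window_minutes after that key's most recent GetCallerIdentity call."""
    by_key = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_key[_key_id(r)].append(r)

    flagged = {}
    for key, events in by_key.items():
        probe_time = None
        for r in events:
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "GetCallerIdentity":
                probe_time = _ts(r)  # most recent probe resets the window
                continue
            if probe_time is None:
                continue  # no probe seen yet for this key
            within_window = _ts(r) - probe_time <= timedelta(minutes=window_minutes)
            if (r["eventSource"], r["eventName"]) in FOLLOW_ON_ACTIONS and within_window:
                flagged.setdefault(key, []).append(r["eventName"])
    return flagged


# Constructed sample events (not real logs). One key reproduces the reported
# sequence; the other two are benign controls.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"},
     "requestParameters": {"keyName": "k1"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED001"},
     "requestParameters": {"clusterName": "bapak1"}},
    # Benign: an admin key creates a normally named cluster with no prior probe.
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEADMIN0001"},
     "requestParameters": {"clusterName": "prod-web"}},
    # Benign: a CI key probes, then creates a cluster two hours later (outside window).
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI0000001"}},
    {"eventTime": "2024-01-01T14:00:00Z", "eventSource": "ecs.amazonaws.com",
     "eventName": "CreateCluster",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECI0000001"},
     "requestParameters": {"clusterName": "ci-runner"}},
]

if __name__ == "__main__":
    print("known cluster names:", find_known_cluster_names(SAMPLE_EVENTS))
    print("probe then escalate:", find_probe_then_escalate(SAMPLE_EVENTS))
```

The name match alone is a weak indicator (an attacker can rename a cluster at will), so the second check is the one worth keeping: a key that validates itself and then immediately creates principals, key pairs or compute is unusual for most legitimate automation, and the window can be tuned per environment. In production the records would come from CloudTrail (via an S3 export or CloudWatch Logs) rather than the constructed list above.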