Type
Campaign
Actors
Pub. date
July 8, 2025
Initial access
Software misconfig
Impact
RansomOp, Data exfiltration
Observed techniques
Status
Finalized
Last edited
Jul 16, 2025 1:37 PM
An AWS customer faced a compromise through a SonicWall SMA 500v EC2 instance that was improperly exposed to the internet. The attacker connected via multiple Vultr VPS endpoints, performed network scans, and moved laterally between EC2 instances using RDP. Over 700 GB of data was exfiltrated to a GTHost VPS endpoint, alongside large SMB file transfers. The attacker replicated this behavior across instances, using uncommon network ports for data transfer. Without Autonomous Response configured on these devices, the attacker ultimately deployed ransomware within the compromised VPC.