Type
Campaign
Actors
Unknown
Pub. date
July 8, 2025
Initial access
Software misconfig
Impact
RansomOpData exfiltration
Observed techniques
Exposed resource abuse
References
https://www.darktrace.com/blog/defending-the-cloud-stopping-cyber-threats-in-azure-and-aws-with-darktrace
Status
Finalized
Last edited
Aug 4, 2025 10:29 AM
AWS customer faced a compromise through a SonicWall SMA 500v EC2 instance that was improperly exposed to the internet. The attacker connected via multiple Vultr VPS endpoints, performed network scans, and moved laterally between EC2 instances using RDP. Over 700 GB of data was exfiltrated to a GTHost VPS endpoint, alongside large SMB file transfers. The attacker replicated this behavior across instances, using uncommon network ports for data transfer. The attackers ultimately deployed ransomware within the compromised VPC.