Type
Incident
Actors
Unknown
Pub. date
February 3, 2025
Initial access
End-user compromise
Impact
Data exfiltration
Observed techniques
Command execution via LambdaCloud key compromisePhishingOn-prem to cloud lateral movement
References
https://www.sygnia.co/blog/sygnia-2025-field-report-identity-based-attacks/
Status
Finalized
Last edited
May 12, 2025 11:41 AM
Researchers discovered a sophisticated attack initiated through social engineering on LinkedIn and WhatsApp, leading to credential theft via seemingly benign code downloads. With stolen session tokens and cloud access keys, the attackers authenticated into Microsoft 365 and AWS, bypassing MFA and other controls. They then modified a Lambda function to execute commands on EC2 instances—exploiting legitimate permissions to blend in with normal operations.