A recent incident revealed attacker activity stemming from a leaked long-term AWS access key (AKIA*) belonging to a user in an organization’s AWS management account. Over a 150-minute period, five IP addresses abused the credentials to perform both well-known and novel cloud attack techniques. Common tactics included SES enumeration, IAM user creation with admin permissions, and generation of temporary STS credentials. However, several previously unreported methods were also observed, notably involving AWS Lambda, API Gateway, and AWS Identity Center (SSO), which the attackers used to establish long-term persistence even after the original credentials were revoked.
Key innovations included the creation of a "persistence-as-a-service" infrastructure, where the attacker deployed a Lambda function triggered by an API Gateway to dynamically generate new IAM users on demand. They also modified AWS Identity Center (SSO) configurations to bypass MFA and extend session lifetimes. Additionally, the attacker disabled integrations with several AWS organization-level services using DisableAWSServiceAccess, likely to weaken monitoring and policy enforcement.
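The following is an added detection example, not code from the incident write-up: it triages simplified CloudTrail records for the patterns described above (a long-term AKIA* key used from many IPs in a short window, a new IAM user granted AdministratorAccess, Lambda plus API Gateway creation, DisableAWSServiceAccess and STS federation-token calls). The records, the key id and the IP addresses are constructed sample data; the event names are real CloudTrail event names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KEY = "AKIAEXAMPLEKEY000001"  # constructed placeholder, not a real key id

def ev(t, src, name, ip, **params):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"time": datetime.fromisoformat(t), "source": src, "name": name,
            "ip": ip, "key": KEY, "params": params}

EVENTS = [  # constructed sample events, in time order
    ev("2024-01-01T10:00:00", "ses.amazonaws.com", "ListIdentities", "198.51.100.1"),
    ev("2024-01-01T10:05:00", "iam.amazonaws.com", "CreateUser", "198.51.100.2", userName="backup-svc"),
    ev("2024-01-01T10:06:00", "iam.amazonaws.com", "AttachUserPolicy", "198.51.100.2",
       userName="backup-svc", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    ev("2024-01-01T10:30:00", "lambda.amazonaws.com", "CreateFunction20150331", "203.0.113.5"),
    ev("2024-01-01T10:32:00", "apigateway.amazonaws.com", "CreateRestApi", "203.0.113.5"),
    ev("2024-01-01T11:10:00", "organizations.amazonaws.com", "DisableAWSServiceAccess", "203.0.113.9"),
    ev("2024-01-01T12:20:00", "sts.amazonaws.com", "GetFederationToken", "192.0.2.7"),
]

HIGH_RISK = {"DisableAWSServiceAccess", "GetFederationToken", "CreateAccessKey"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def triage(events, window=timedelta(minutes=150), ip_threshold=3):
    """Return (rule, detail) findings for activity performed with long-term access keys."""
    findings, by_key = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["key"].startswith("AKIA"):  # long-term IAM key, not an ASIA* temporary credential
            by_key[e["key"]].append(e)
    for key, evs in by_key.items():
        # Same long-term key driven from several source IPs inside one window
        ips = {e["ip"] for e in evs if e["time"] - evs[0]["time"] <= window}
        if len(ips) >= ip_threshold:
            findings.append(("multi_ip_key_use", f"{key} used from {len(ips)} IPs within {window}"))
        names = {e["name"] for e in evs}
        for e in evs:
            if e["name"] in HIGH_RISK:
                findings.append(("high_risk_api", f"{e['name']} from {e['ip']}"))
            # A user created in this session and immediately given AdministratorAccess
            if e["name"] == "AttachUserPolicy" and e["params"].get("policyArn") == ADMIN_POLICY:
                user = e["params"].get("userName")
                if any(x["name"] == "CreateUser" and x["params"].get("userName") == user for x in evs):
                    findings.append(("new_admin_user", user))
        # Lambda function plus API Gateway created under a long-term key: the on-demand user factory
        if {"CreateFunction20150331", "CreateRestApi"} <= names:
            findings.append(("lambda_api_persistence", f"Lambda + API Gateway created with {key}"))
    return findings
```

In production the records would come from a CloudTrail Lake or SIEM query rather than an inline list, and the 150-minute window and IP threshold should be tuned to the account's normal automation.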