Type: Incident
Actors:
Pub. date: April 23, 2025
Initial access: Exposed cloud secret in on-premise network, Exposed secret, Valid account
Impact: Data exfiltration
Observed techniques:
Status: Finalized
Last edited: Apr 29, 2025 9:36 AM
During an investigation, Mandiant identified evidence that a threat actor had discovered cloud access keys stored in plain text on a compromised on-premises network. The threat actor was able to use the keys to access and steal data from the client’s cloud storage buckets. When the actor transferred the data they were stealing from the cloud buckets, they used a destination cloud bucket they controlled, which was hosted on the same platform. According to Mandiant, this helped the activity blend in with legitimate activity in the platform monitoring logs.