Type
Incident
Actors
Unknown
Pub. date
October 7, 2022
Initial access
Impact
None
Observed techniques
Cloud API enumerationCreate new cloud user
References
https://twitter.com/jhencinski/status/1578371249792724992?t=6oYeGYgGZq1B-LXFZzIqhQ
Status
Stub
Last edited
Jun 2, 2024 8:02 AM
Impacted organization discovered that long-lived AWS creds had leaked. Initially alerted to the following suspicious activity:
- Successful authentication to AWS API from unusual location (outside AWS) and/or with suspicious user agent ('aws-cli/kali').
- Attempted CreateUser API call and user account enumeration resulting in "access denied”.
Follow-up investigation into CloudTrail logs showed compromise of multiple IAM accounts and evidence of leakage of long-lived access keys.