Type
Incident
Actors
Unknown
Pub. date
January 19, 2024
Initial access
Exposed secret
Impact
Data exfiltration
Observed techniques
Create new cloud userSSH propagationData exfiltration from cloud storage
References
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they checked SES quotes and enumerated cloud identities. The threat actor proceeded to create a new admin user. The above was quick and therefore most likely automated via scripting. The attacker then manually enumerated VMs and other resources, and attempted to use EC2 Instance Connect to gain access to VMs. The actor downloaded data from S3 buckets, attempted to spin up new VMs, and created additional admin users.