Hackers Target AWS Accounts for Data Theft
Over the past few weeks, a threat group known as Crimson Collective has been actively targeting Amazon Web Services (AWS) environments, with the aim of stealing sensitive data and pressuring organisations into paying ransoms.
The group recently claimed responsibility for a high-profile attack on a major software vendor, where they reportedly stole over half a terabyte of data from thousands of private GitLab repositories. To increase pressure on the victim, Crimson Collective linked up with another extortion group to amplify their demands.
How the attacks unfold
Researchers monitoring the campaign report that the attackers start from leaked long-term AWS access keys belonging to IAM users and use them to escalate their privileges. They locate the keys with publicly available secret scanners such as TruffleHog, then use the working ones to create new IAM users and access keys of their own through the IAM API (CreateUser and CreateAccessKey), a foothold that survives rotation of the originally leaked key.
Next, the attackers grant themselves full administrative control by attaching the AWS managed AdministratorAccess policy to the newly created users. That level of access allows them to:
- Enumerate IAM users, EC2 instances, S3 buckets and databases.
- Reset the master user password of Amazon RDS instances, which gives them direct access to the database contents.
- Create RDS snapshots and export them to Amazon S3, from where the data is exfiltrated.
- Launch new EC2 instances in permissive security groups and attach volumes from compromised instances to them, then transfer the stolen data out.
After harvesting data, Crimson Collective delivers its ransom demands from inside the compromised AWS environment: victims receive extortion emails sent through their own Amazon Simple Email Service (SES), with copies also sent to external addresses.
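Every step of that chain, from the first CreateUser call to the extortion mail, is recorded in CloudTrail, and spotting it is what the "monitor for unusual API activity or sudden privilege escalations" advice at the end of this piece amounts to in practice. The following is an added example, not code from the article or from the researchers it cites. It replays constructed CloudTrail-style records (AWS's documented example account ID and access key IDs, TEST-NET source addresses) and flags any caller key that creates an IAM user, mints an access key for it and attaches AdministratorAccess within thirty minutes, then lists the RDS, EC2 and SES calls subsequently made with the new key. The thirty-minute window and the follow-on call list are choices made for this example, not figures from the reporting.

```python
"""Detect the CloudTrail footprint of the IAM privilege-escalation chain.

Added example, not code from the original article. The records below are
constructed in CloudTrail's JSON layout (example account id, AKIA...EXAMPLE
key ids, TEST-NET addresses) so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
CHAIN_WINDOW = timedelta(minutes=30)   # example threshold, not from the reporting

# Post-escalation calls the article describes; any made with a key minted in the
# chain is attached to the finding.
FOLLOW_ON = {
    ("rds.amazonaws.com", "ModifyDBInstance"),   # master password reset
    ("rds.amazonaws.com", "CreateDBSnapshot"),
    ("rds.amazonaws.com", "StartExportTask"),    # snapshot export to S3
    ("ec2.amazonaws.com", "RunInstances"),
    ("ec2.amazonaws.com", "AttachVolume"),
    ("ses.amazonaws.com", "SendEmail"),          # extortion mail from inside the account
}


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_escalation_chains(records):
    """Return one finding per (caller key, new user) pair that completed the chain."""
    chains = {}      # (caller key, new user) -> progress of the chain
    key_owner = {}   # minted access key id -> (caller key, new user)
    follow_on = defaultdict(list)
    for rec in sorted(records, key=_ts):
        ident = rec["userIdentity"]
        caller = ident.get("accessKeyId") or ident["arn"]
        src, name = rec["eventSource"], rec["eventName"]
        params = rec.get("requestParameters") or {}
        target = params.get("userName")
        if src == "iam.amazonaws.com" and name == "CreateUser":
            chains[(caller, target)] = {"created": _ts(rec), "new_key": None,
                                        "admin_at": None, "ips": {rec["sourceIPAddress"]}}
        elif src == "iam.amazonaws.com" and (caller, target) in chains:
            chain = chains[(caller, target)]
            chain["ips"].add(rec["sourceIPAddress"])
            if name == "CreateAccessKey":
                chain["new_key"] = rec["responseElements"]["accessKey"]["accessKeyId"]
                key_owner[chain["new_key"]] = (caller, target)
            elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
                chain["admin_at"] = _ts(rec)
        elif (src, name) in FOLLOW_ON and caller in key_owner:
            follow_on[key_owner[caller]].append(name)

    findings = []
    for (caller, user), chain in chains.items():
        if not (chain["new_key"] and chain["admin_at"]):
            continue                       # user created, but the chain never completed
        elapsed = chain["admin_at"] - chain["created"]
        if elapsed <= CHAIN_WINDOW:
            findings.append({
                "attacker_key": caller, "new_user": user, "new_key": chain["new_key"],
                "seconds_to_admin": int(elapsed.total_seconds()),
                "source_ips": sorted(chain["ips"]),
                "follow_on_calls": follow_on[(caller, user)],
            })
    return findings


# ---- constructed sample data (AWS documentation example ids, TEST-NET addresses) ----
ACCOUNT = "123456789012"
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"   # long-term key leaked from a repository
NEW_KEY = "AKIAI44QH8DHBEXAMPLE"      # key the attacker mints for the new user
ALICE_KEY = "AKIAEXAMPLEALICE00001"   # legitimate administrator, for contrast


def _event(time, src, name, key, user, ip, params=None, response=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": src, "eventName": name,
           "sourceIPAddress": ip, "requestParameters": params or {},
           "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                            "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"}}
    if response:
        rec["responseElements"] = response
    return rec


SAMPLE_RECORDS = [
    _event("2025-10-01T02:00:00Z", "iam.amazonaws.com", "CreateUser", LEAKED_KEY, "ci-deploy",
           "198.51.100.23", {"userName": "backup-svc"}),
    _event("2025-10-01T02:00:12Z", "iam.amazonaws.com", "CreateAccessKey", LEAKED_KEY, "ci-deploy",
           "198.51.100.23", {"userName": "backup-svc"},
           {"accessKey": {"accessKeyId": NEW_KEY, "status": "Active", "userName": "backup-svc"}}),
    _event("2025-10-01T02:00:40Z", "iam.amazonaws.com", "AttachUserPolicy", LEAKED_KEY, "ci-deploy",
           "198.51.100.23", {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    # follow-on activity with the freshly minted key; CloudTrail redacts the password value
    _event("2025-10-01T02:15:00Z", "rds.amazonaws.com", "ModifyDBInstance", NEW_KEY, "backup-svc",
           "198.51.100.23", {"dBInstanceIdentifier": "prod-db",
                             "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS"}),
    _event("2025-10-01T02:40:00Z", "rds.amazonaws.com", "StartExportTask", NEW_KEY, "backup-svc",
           "198.51.100.23", {"sourceArn": f"arn:aws:rds:us-east-1:{ACCOUNT}:snapshot:prod-db-copy",
                             "s3BucketName": "attacker-drop"}),
    _event("2025-10-01T03:10:00Z", "ses.amazonaws.com", "SendEmail", NEW_KEY, "backup-svc",
           "198.51.100.23"),
    # routine onboarding by a real admin: same call shape, read-only policy, must not fire
    _event("2025-10-01T09:30:00Z", "iam.amazonaws.com", "CreateUser", ALICE_KEY, "alice",
           "203.0.113.8", {"userName": "reporting-ro"}),
    _event("2025-10-01T09:31:00Z", "iam.amazonaws.com", "AttachUserPolicy", ALICE_KEY, "alice",
           "203.0.113.8", {"userName": "reporting-ro",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(find_escalation_chains(SAMPLE_RECORDS), indent=2))
```

Run against real logs, the same function takes the `Records` array of a CloudTrail log file. Note that CloudTrail replaces the RDS master password with the literal HIDDEN_DUE_TO_SECURITY_REASONS, so it is the presence of the masterUserPassword parameter on ModifyDBInstance, not its value, that matters. The legitimate onboarding records are included to show that the rule keys on AdministratorAccess specifically, not on user creation as such.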
Traces left behind
The group's operations use multiple IP addresses, but analysts noted that some of them recur across incidents, an oversight that gives defenders indicators to correlate and has made tracking the activity somewhat easier.
AWS response
AWS has urged customers to reduce risk by using short-term, least-privilege credentials (temporary credentials obtained by assuming an IAM role, rather than long-lived user access keys) and by enforcing strict IAM policies. Where exposed credentials are suspected, AWS recommends following its published security guidance and contacting support for further help.
Wider context
This isn’t the first time AWS environments have come under attack. Earlier this year, another group, unrelated to Crimson Collective, targeted AWS customers but focused on encrypting S3 buckets rather than exfiltrating data. The shift in tactics highlights the evolving nature of cloud-focused extortion.
Staying protected
The rise of these campaigns shows how costly leaked cloud credentials can be. Organisations are strongly advised to:
- Regularly audit AWS accounts for unused or overly permissive keys.
- Employ least-privilege access controls and rotate credentials frequently.
- Use open-source tools such as S3crets Scanner to detect exposed secrets.
- Monitor for unusual API activity or sudden privilege escalations.
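A concrete way to carry out the key audit in the first two points above, as an added example that is not code from the article: the script reads the IAM credential report (the CSV returned by `aws iam get-credential-report`, base64-decoded) and flags active access keys that are older than a rotation threshold, that have never been used, that have sat idle, or that belong to the root account. The sample report is constructed and trimmed to the columns the check reads; the 90-day rotation and 45-day idle thresholds are choices for the example. The report only records key age and use, so whether a key is over-permissive still has to come from a separate review of the policies attached to its user.

```python
"""Audit an IAM credential report for stale, unused and root access keys.

Added example, not code from the original article. Input is the CSV that
`aws iam get-credential-report` returns after base64 decoding; the sample
below is constructed and trimmed to the columns this check reads.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotate long-term keys older than this (example threshold)
MAX_IDLE = timedelta(days=45)      # deactivate keys not used within this window (example threshold)


def _parse(ts):
    """Report timestamps are ISO 8601; N/A and no_information mean 'none'."""
    if ts in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def audit_credential_report(report_csv, now):
    """Return (user/keyN, reason) pairs for every active key that needs action."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):            # each IAM user can hold two access keys
            if row[f"access_key_{slot}_active"] != "true":
                continue
            label = f"{row['user']}/key{slot}"
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse(row[f"access_key_{slot}_last_used_date"])
            if row["user"] == "<root_account>":
                findings.append((label, "root has an active access key; delete it"))
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((label, f"{(now - rotated).days} days old; rotate"))
            if last_used is None:
                findings.append((label, "never used; deactivate"))
            elif now - last_used > MAX_IDLE:
                findings.append((label, f"unused for {(now - last_used).days} days; deactivate"))
    return findings


# Constructed sample: a real report carries more columns (password, MFA, certificates).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,true,2025-09-20T08:00:00+00:00,2025-10-10T12:00:00+00:00,false,N/A,N/A
ci-deploy,true,2025-02-01T00:00:00+00:00,2025-10-14T06:30:00+00:00,false,N/A,N/A
alice,true,2025-09-01T00:00:00+00:00,N/A,false,N/A,N/A
bob,true,2025-08-01T00:00:00+00:00,2025-08-05T00:00:00+00:00,false,N/A,N/A
carol,false,N/A,N/A,true,2025-10-01T00:00:00+00:00,2025-10-14T00:00:00+00:00
"""
SAMPLE_NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)   # fixed clock for the sample


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for label, reason in run_sample():
        print(f"{label}: {reason}")
```

For a live account, generate the report with `aws iam generate-credential-report`, then fetch it with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded text to `audit_credential_report` with the current UTC time. Keys the audit flags as stale are exactly the kind of long-term credential the campaign above starts from; a key that is still needed should be rotated, and one that is idle should be deactivated first and deleted once nothing breaks.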
While the size and structure of Crimson Collective remain uncertain, the group’s methods demonstrate just how much damage a single set of leaked credentials can cause. Their combination of data theft and extortion tactics is a reminder that cloud environments, if left unchecked, can become prime targets for attackers.