Tales from the cloud trenches: The Attacker doth persist too much, methinks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A leaked AWS access key led to malicious activity over a 150-minute window, originating from five distinct IP addresses. The attackers employed both common and novel tactics, including building 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-level services. Notable techniques included creating Lambda functions that dynamically create IAM users, using Telegram for operational communication, disabling trusted access for AWS services, and exploiting AWS Identity Center for persistence. The attack spanned the initial access, discovery, persistence, credential access, and impact tactics, highlighting the need for stronger cloud security controls and detection strategies.
OPENCTI LABELS:
telegram,aws,persistence,cloud-security,api-gateway,identity-center,iam,lambda