In a recent threat hunt, Datadog Security Labs uncovered attacker activity stemming from a leaked long-term AWS access key (AKIA*). Within a 150-minute window, five distinct IP addresses were observed using the compromised key to execute a range of tactics, techniques, and procedures (TTPs). The incident surfaced several previously unreported tactics, illustrating how cloud-focused attacks continue to evolve.
The exposed access key belonged to an IAM user in an AWS Organizations management account, which gave the attacker an unusually powerful starting point. Beyond common techniques such as creating IAM users and granting them administrative privileges, Datadog observed novel approaches to persistence and evasion.
One notable tactic was the creation of “persistence-as-a-service” infrastructure. The attacker deployed a Lambda function (e.g., buckets555) whose execution role was attached to a newly created policy, then configured an HTTP API Gateway to invoke the function whenever an external HTTP request hit a specific URL. The function creates new IAM users on demand. Because the permissions come from the function's execution role rather than from the leaked key, this mechanism survives revocation of the originally compromised credentials: a single HTTP request to the API Gateway endpoint re-establishes a foothold by minting fresh malicious IAM users.
Another notable observation was ConsoleLogin events originating from Telegram IP addresses, suggesting that part of the attacker's workflow was orchestrated through Telegram. Datadog's hypothesis is that, after compromising the long-lived credentials, the attacker used a Telegram bot to automatically generate AWS console sign-in URLs; Telegram's link-preview service then fetched those links, inadvertently producing the ConsoleLogin events. The result is a covert channel for initial access or reconnaissance in which the login itself originates from a third-party IP rather than the attacker's own.
The attacker also attempted to disable trusted access for several organization-level AWS services by calling DisableAWSServiceAccess. The targeted services were IAM Access Analyzer, AWS Account Management, CloudFormation StackSets, AWS Systems Manager, and Tag Policies. The precise intent is unclear, since disabling trusted access primarily affects accounts added to the organization afterwards; one theory is that the attacker was trying to evade security controls in future member accounts. The services were disabled in the same order in which the AWS console lists them, suggesting the attacker was working methodically down that list.
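As an added example (not code from Datadog's post or tooling), the following Python hunt runs over constructed CloudTrail-style records and flags the three TTPs described above: the policy-to-role-to-Lambda-to-API-Gateway chain behind "persistence-as-a-service", ConsoleLogin events from a watchlisted IP range, and DisableAWSServiceAccess calls. The sample events, the function and role names, the account ID, the watchlist CIDR and the exact requestParameters keys are assumptions for illustration; check the field shapes against real CloudTrail records and source the watchlist from Telegram's published ranges before relying on it.

```python
import ipaddress
import json

# Constructed, simplified CloudTrail-style records (not real log data). Top-level keys follow
# CloudTrail; the per-API requestParameters keys are assumed and must be verified on real logs.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"policyName": "buckets555-policy", "policyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Resource": "*",
                        "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy"]}]})},
     "responseElements": {"policy": {"arn": "arn:aws:iam::111122223333:policy/buckets555-policy"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleName": "buckets555-role",
                           "policyArn": "arn:aws:iam::111122223333:policy/buckets555-policy"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"functionName": "buckets555",
                           "role": "arn:aws:iam::111122223333:role/buckets555-role"}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "CreateIntegration",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"apiId": "a1b2c3d4e5",
                           "integrationUri": "arn:aws:lambda:us-east-1:111122223333:function:buckets555"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "149.154.167.99",
     "responseElements": {"ConsoleLogin": "Success"}},
] + [
    # Service principals for the five services named in the post (verify against AWS docs).
    {"eventSource": "organizations.amazonaws.com", "eventName": "DisableAWSServiceAccess",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"servicePrincipal": sp}}
    for sp in ("access-analyzer.amazonaws.com", "account.amazonaws.com",
               "member.org.stacksets.cloudformation.amazonaws.com", "ssm.amazonaws.com",
               "tagpolicies.tag.amazonaws.com")
]

# Assumed example entry only; populate from the provider's published ranges in production.
WATCHLIST_CIDRS = [ipaddress.ip_network("149.154.160.0/20")]

# Actions that let a principal mint or empower IAM users. Prefix wildcards such as
# "iam:Create*" are not expanded here; add that if your environment uses them.
IAM_PRINCIPAL_WRITE_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:*", "*",
}


def policy_grants_iam_write(policy_document: str) -> bool:
    """True if any Allow statement in the policy JSON grants an IAM principal-write action."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be an object, not a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in IAM_PRINCIPAL_WRITE_ACTIONS for a in actions):
            return True
    return False


def find_persistence_as_a_service(events):
    """Correlate CreatePolicy -> AttachRolePolicy -> CreateFunction -> CreateIntegration.

    Returns one finding per Lambda function that (a) runs with a role able to create IAM
    users and (b) is wired to an API Gateway integration, i.e. is reachable over HTTP.
    """
    risky_policy_arns, risky_role_names, function_roles, findings = set(), set(), {}, []
    for e in events:
        src, name = e.get("eventSource"), e.get("eventName")
        rp = e.get("requestParameters") or {}
        if src == "iam.amazonaws.com" and name == "CreatePolicy":
            if policy_grants_iam_write(rp.get("policyDocument", "{}")):
                arn = ((e.get("responseElements") or {}).get("policy") or {}).get("arn")
                if arn:
                    risky_policy_arns.add(arn)
        elif src == "iam.amazonaws.com" and name == "AttachRolePolicy":
            if rp.get("policyArn") in risky_policy_arns:
                risky_role_names.add(rp.get("roleName"))
        elif src == "lambda.amazonaws.com" and name == "CreateFunction20150331":
            role_arn = rp.get("role", "")
            if role_arn.rsplit("/", 1)[-1] in risky_role_names:
                function_roles[rp.get("functionName")] = role_arn
        elif src == "apigateway.amazonaws.com" and name == "CreateIntegration":
            uri = rp.get("integrationUri", "")
            fn = uri.rsplit(":function:", 1)[-1] if ":function:" in uri else None
            if fn in function_roles:
                findings.append({"function": fn, "role": function_roles[fn], "apiId": rp.get("apiId")})
    return findings


def console_logins_from_watchlist(events, cidrs):
    """Source IPs of ConsoleLogin events that fall inside any watchlisted CIDR."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        try:
            addr = ipaddress.ip_address(e.get("sourceIPAddress", ""))
        except ValueError:
            continue
        if any(addr in net for net in cidrs):
            hits.append(str(addr))
    return hits


def disabled_org_services(events):
    """Service principals passed to DisableAWSServiceAccess, in the order the calls were made."""
    return [(e.get("requestParameters") or {}).get("servicePrincipal")
            for e in events if e.get("eventName") == "DisableAWSServiceAccess"]


if __name__ == "__main__":
    print("persistence-as-a-service:", find_persistence_as_a_service(SAMPLE_EVENTS))
    print("console logins from watchlist:", console_logins_from_watchlist(SAMPLE_EVENTS, WATCHLIST_CIDRS))
    print("trusted access disabled for:", disabled_org_services(SAMPLE_EVENTS))
```

The chain detector deliberately keys on the role's permissions rather than on the function name, since the name is attacker-chosen and will not repeat; the ordered list returned by disabled_org_services is what lets you spot the console-order pattern described above, and a single DisableAWSServiceAccess call from the management account is worth an alert on its own.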
This incident underscores the importance of sound cloud security practices, particularly the management and rotation of long-term access keys and, wherever possible, their replacement with short-lived credentials. It also highlights the need for continuous threat hunting and for detections that cover novel, evasive techniques in cloud environments. The “persistence-as-a-service” model and console logins from Telegram IP addresses are notable developments in the cloud threat landscape. Security teams should monitor for the building blocks of such activity: Lambda functions whose execution roles can create IAM principals, API Gateway endpoints wired to such functions, ConsoleLogin events from unexpected third-party infrastructure, and DisableAWSServiceAccess calls in the management account.