A newly surfaced threat actor, calling itself Crimson Collective, has been observed targeting Amazon Web Services (AWS) environments to steal valuable data and pressure organizations with extortion. Recent claims by the group allege they breached Red Hat, taking private repositories from Red Hat's GitLab instance. This activity signals a worrying shift toward cloud-centric attacks, and organizations running workloads in AWS should take note.
Background, scope of activity
Crimson Collective focuses on discovering and abusing exposed long-term AWS credentials, then expanding access inside the environment through identity and access management (IAM) manipulation. Reports show the actor concentrates on extracting databases, source repositories, and other sensitive assets that hold intellectual property and customer data. Activity increased through September, and incidents span multiple AWS accounts and originate from several IP addresses, which suggests a coordinated effort by multiple operators.

Tactics, techniques, and procedures
The group relies heavily on TruffleHog, an open-source credential-finding tool, to scan code repositories and storage for leaked secrets. When TruffleHog finds credentials, the attackers validate them with the GetCallerIdentity API call, which confirms the credentials are active.
Once validated, the threat actors pursue persistence by creating new users and enabling password access, using CreateUser and CreateLoginProfile, then issuing additional access keys via CreateAccessKey. If an account lacks sufficient privileges, the actors may run SimulatePrincipalPolicy to map what actions are allowed, or they simply move on to other compromised accounts.
When they can create and configure new users, Crimson Collective escalates privileges by attaching the AdministratorAccess managed policy, arn:aws:iam::aws:policy/AdministratorAccess, using AttachUserPolicy. This grants full control across AWS services, enabling large-scale data access and exfiltration.
CloudTrail records frequently show TruffleHog as the initial user agent in intrusions, offering a consistent detection signal for defenders who monitor audit logs.
Indicators, detection, and forensic signals
Key indicators include, but are not limited to:
- TruffleHog user agent entries in CloudTrail logs, especially around GetCallerIdentity calls,
- Unexpected CreateUser, CreateLoginProfile, CreateAccessKey, AttachUserPolicy, and SimulatePrincipalPolicy API calls,
- New users with AdministratorAccess attached, and immediate use of those credentials to access S3, RDS, ECR, or other data stores,
- Multiple distinct IP addresses interacting with several accounts inside the same tenant.
Security teams should prioritize CloudTrail and CloudWatch log analysis, look for unusual IAM changes, and hunt for sequences beginning with credential validation, followed by user creation and privilege escalation.
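The hunt described above, as an added example that is not part of the original article: a small Python detector that groups CloudTrail records by calling access key and flags any key whose ordered history shows a TruffleHog-tagged GetCallerIdentity, then CreateUser, CreateLoginProfile or CreateAccessKey, then AttachUserPolicy with the AdministratorAccess ARN. The sample records, key IDs, user names and IP addresses are constructed for illustration; field names follow the CloudTrail record format.

```python
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
PERSISTENCE_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}

def is_trufflehog_validation(ev):
    """GetCallerIdentity with a TruffleHog user agent: the credential check described above."""
    return ev["eventName"] == "GetCallerIdentity" and "trufflehog" in ev.get("userAgent", "").lower()

def is_admin_attach(ev):
    """AttachUserPolicy that grants the AdministratorAccess managed policy."""
    return (ev["eventName"] == "AttachUserPolicy"
            and ev.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY)

def find_escalation_chains(events):
    """Flag access keys whose ordered history shows validation, then persistence, then AdministratorAccess."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_key[ev["userIdentity"].get("accessKeyId", "unknown")].append(ev)
    findings = []
    for key, evs in by_key.items():
        stage = 0  # 0 = nothing seen, 1 = validated, 2 = persistence created
        for ev in evs:
            if stage == 0 and is_trufflehog_validation(ev):
                stage = 1
            elif stage == 1 and ev["eventName"] in PERSISTENCE_EVENTS:
                stage = 2
            elif stage == 2 and is_admin_attach(ev):
                findings.append({"accessKeyId": key,
                                 "newUser": ev["requestParameters"].get("userName"),
                                 "sourceIPs": sorted({e["sourceIPAddress"] for e in evs})})
                break
    return findings

def _ev(t, name, key, ip, agent="aws-cli/2.15.0", params=None):
    """Minimal CloudTrail-shaped record; constructed test data, not a real log."""
    return {"eventTime": t, "eventName": name, "userAgent": agent, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params or {}}

# Constructed sample: one leaked key walked through the full chain, plus a benign admin change.
SAMPLE_EVENTS = [
    _ev("2025-09-20T10:00:00Z", "GetCallerIdentity", "AKIAEXAMPLELEAKED001", "203.0.113.10", agent="TruffleHog"),
    _ev("2025-09-20T10:02:00Z", "CreateUser", "AKIAEXAMPLELEAKED001", "203.0.113.10", params={"userName": "svc-backup"}),
    _ev("2025-09-20T10:02:30Z", "CreateLoginProfile", "AKIAEXAMPLELEAKED001", "198.51.100.7", params={"userName": "svc-backup"}),
    _ev("2025-09-20T10:03:00Z", "AttachUserPolicy", "AKIAEXAMPLELEAKED001", "198.51.100.7",
        params={"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    _ev("2025-09-20T11:00:00Z", "CreateUser", "AKIAEXAMPLEHUMAN0002", "192.0.2.5", params={"userName": "new-hire"}),
    _ev("2025-09-20T11:01:00Z", "AttachUserPolicy", "AKIAEXAMPLEHUMAN0002", "192.0.2.5",
        params={"userName": "new-hire", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]
```

Only the leaked key is reported, because the benign administrator never performed the TruffleHog validation step that opens the chain; the finding also lists every source IP seen for that key, matching the multi-IP indicator above.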
Impact and risks
If successful, the actor can copy databases, repositories, container images, and other sensitive assets, then threaten organizations with disclosure or sale of stolen data. The operational pattern, use of common tools, and rapid escalation make these intrusions especially dangerous for organizations that rely on long-term access keys or lack least-privilege IAM controls.
Recommendations, short-term and long-term controls
Immediate actions:
- Rotate and revoke any exposed long-term credentials, and enable credential use alerts,
- Enforce least-privilege permissions, remove AdministratorAccess from users and roles that do not need it,
- Require MFA for console access and for sensitive administrative operations,
- Enable AWS Config rules and GuardDuty detection where available,
- Monitor CloudTrail for TruffleHog activity patterns, and set alerts for unusual CreateUser and AttachUserPolicy calls.
Long-term measures:
- Move away from long-term access keys toward short-lived credentials, for example using AWS STS or roles for service access,
- Implement secrets scanning in CI/CD pipelines to prevent credential leaks in code,
- Harden repository access, enable branch protections, and scan committed history for past leaks,
- Adopt centralized logging and continuous threat hunting focusing on IAM changes and lateral activity.