Tales from the cloud trenches: The Attacker doth persist too much, methinks

Severity: Medium
Published: Tue May 13 2025 (05/13/2025, 21:01:36 UTC)
Source: AlienVault OTX

Description

A leaked AWS access key led to malicious activities over a 150-minute period, involving five distinct IP addresses. The attackers employed both common and innovative tactics, including creating 'persistence-as-a-service' infrastructure, manipulating AWS Identity Center, and disabling organization-level services. Notable techniques involved creating Lambda functions for dynamic IAM user creation, using Telegram for operations, disabling trusted access for AWS services, and exploiting AWS Identity Center for persistence. The attack encompassed initial access, discovery, persistence, credential access, and impact tactics, highlighting the need for enhanced cloud security measures and detection strategies.

AI-Powered Analysis

Last updated: 06/19/2025, 17:47:58 UTC

Technical Analysis

This security threat describes a sophisticated and multi-faceted attack campaign targeting AWS cloud environments, initiated by the compromise of a leaked AWS access key. Over a 150-minute period, attackers utilized five distinct IP addresses to conduct a series of coordinated actions that leveraged both conventional and innovative cloud attack techniques. The attackers established a 'persistence-as-a-service' infrastructure within the victim's AWS environment, enabling ongoing unauthorized access and control.

Key tactics included the deployment of AWS Lambda functions programmed to dynamically create IAM users, facilitating automated privilege escalation and lateral movement while evading detection. The attackers exploited AWS Identity Center (formerly AWS Single Sign-On) to maintain persistence by manipulating its authentication and authorization mechanisms, thereby bypassing standard security controls. Additionally, they disabled trusted access for AWS services at the organizational level, impairing security monitoring and response capabilities that rely on these services. Communication and command-and-control operations were conducted via Telegram, an encrypted off-platform messaging service, complicating detection and attribution.

The attack lifecycle encompassed initial access through the leaked key, environment discovery, persistence establishment, credential access via dynamic IAM user creation, and impactful actions such as disabling critical security controls. This campaign highlights the evolving threat landscape in cloud environments, emphasizing the need for enhanced cloud-native security measures, continuous monitoring of Lambda function deployments, stringent identity and access management controls, and improved detection strategies focused on AWS Identity Center and organizational service configurations.

Potential Impact

European organizations face significant risks from this threat due to the widespread adoption of AWS cloud services across critical sectors including finance, manufacturing, healthcare, and government. Unauthorized access enabled by leaked AWS keys can lead to severe data breaches, operational disruptions, and regulatory non-compliance under GDPR and other stringent data protection frameworks. The attackers' ability to disable organization-level AWS services and manipulate AWS Identity Center complicates timely detection and response, potentially allowing prolonged unauthorized activities and extensive data exfiltration. The use of Lambda functions for dynamic IAM user creation accelerates privilege escalation and lateral movement within cloud environments, increasing the scale and depth of compromise. The reliance on Telegram for command-and-control further hinders incident response and attribution efforts. Organizations with complex multi-account AWS environments or insufficient cloud security posture management are particularly vulnerable. The medium severity rating reflects that while no zero-day vulnerabilities are exploited, the combination of persistence mechanisms and cloud-native service manipulation can cause substantial operational, financial, and reputational damage if not properly mitigated.

Mitigation Recommendations

- Implement strict AWS credential management policies, including the use of short-lived credentials (e.g., AWS STS tokens); enforce regular key rotation and immediately revoke any unused or exposed access keys.
- Enforce multi-factor authentication (MFA) for all AWS Identity Center users and administrators to reduce the risk of credential misuse and unauthorized access.
- Continuously monitor AWS Lambda function deployments and executions for anomalous behavior, particularly functions that create or modify IAM users dynamically; establish automated alerts for such suspicious activities.
- Audit and restrict permissions related to AWS Identity Center and organization-level service configurations to prevent unauthorized disabling of trusted access and other critical security controls.
- Leverage AWS CloudTrail and AWS Config to maintain comprehensive logs and configuration histories, enabling rapid detection of anomalous changes and facilitating forensic investigations.
- Integrate threat intelligence feeds to detect and block known malicious IP addresses and file hashes associated with this campaign; incorporate these indicators into network and endpoint defenses.
- Utilize AWS Security Hub and GuardDuty to automate detection of suspicious activities, focusing on unusual API calls, unexpected changes in IAM policies, and disabled security services.
- Conduct regular cloud security posture assessments and penetration testing to identify and remediate misconfigurations or vulnerabilities that could be exploited by attackers.
- Provide targeted training for cloud administrators and security teams on emerging attack techniques targeting AWS Identity Center and Lambda functions to improve incident detection and response capabilities.
- Implement network-level controls to detect and restrict unauthorized outbound communications to platforms like Telegram, which may be used for command-and-control, including DNS filtering and proxy restrictions.
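The monitoring recommendations above can be expressed as a small CloudTrail triage pass. The following is an added example, not code from the report or from Datadog: it flags IAM principals created from an assumed-role session (the identity shape a Lambda execution role produces), Organizations and Identity Center control changes, and a single source IP spanning more than one of those tactics. The records, account id, role and user names are constructed placeholders.

```python
"""Triage constructed CloudTrail records for the behaviours described in this report."""

# Constructed sample events (not real telemetry). Field names follow the
# CloudTrail record format; account ids, names and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/lambda-exec-role/persist-fn"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup-01"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DisableAWSServiceAccess",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"servicePrincipal": "guardduty.amazonaws.com"}},
    {"eventSource": "sso.amazonaws.com", "eventName": "CreateAccountAssignment",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "bob"}},
]

# Organizations / Identity Center calls that rarely occur outside planned admin work.
ORG_CONTROL_EVENTS = {
    "organizations.amazonaws.com": {"DisableAWSServiceAccess", "LeaveOrganization"},
    "sso.amazonaws.com": {"CreateAccountAssignment", "CreatePermissionSet"},
}

def classify(event):
    """Return a finding label for one record, or None. Heuristic, not a full rule set."""
    src, name = event.get("eventSource"), event.get("eventName")
    ident = event.get("userIdentity", {})
    # IAM users or keys minted by an assumed-role session rather than a named human user:
    # this is what a Lambda function running under its execution role looks like.
    if (src == "iam.amazonaws.com" and name in {"CreateUser", "CreateAccessKey"}
            and ident.get("type") == "AssumedRole"):
        return "iam-principal-created-from-assumed-role"
    if name in ORG_CONTROL_EVENTS.get(src, set()):
        return "org-or-identity-center-control-change"
    return None

def triage(events):
    """Return (findings, ips) where ips are sources spanning more than one finding type."""
    findings, by_ip = [], {}
    for e in events:
        label = classify(e)
        if label:
            findings.append((e["eventName"], label))
            by_ip.setdefault(e["sourceIPAddress"], set()).add(label)
    return findings, sorted(ip for ip, labels in by_ip.items() if len(labels) > 1)

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS)[0]:
        print(row)
```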

Technical Details

Author
AlienVault
Tlp
white
References
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much
Adversary

Indicators of Compromise

Hash
1c03eaf4445e255102e602dabed73f832779bd9b5df5e894185f77dadd230716
1d7187a66f6e19b7d346c061d98c07292945e71c70ac08209621ecba80f73866

IP
103.131.213.89
149.154.161.235
182.185.156.45

Threat ID: 682c99307960f6956616ac4b

Added to database: 5/20/2025, 3:01:04 PM

Last enriched: 6/19/2025, 5:47:58 PM

Last updated: 8/8/2025, 4:37:36 AM

Views: 11
