In today’s cloud landscape, attackers are increasingly targeting misconfigured AWS services and exposed credentials. This blog highlights the top 15 AWS attack techniques—from privilege escalation and IAM abuse to data exfiltration and persistence mechanisms. Each attack is mapped to relevant MITRE ATT&CK tactics and includes real-world hunting tips. By understanding these techniques, security teams can strengthen detection logic and response strategies. Stay ahead by knowing how adversaries operate in the cloud.
Author: VIVEK SATSANGI
1. AMBERSQUID (AWS Serverless Cryptojacking)
- Threat Type: Serverless Cryptojacking
- How It Works: Exploits under-monitored services such as AWS Amplify, Fargate and SageMaker. Launches crypto-mining tasks on serverless compute to avoid detection. Bypasses traditional threat detection that focuses on EC2 or Lambda.
- Mitigation: Monitor cost anomalies and unusual usage of Amplify, Fargate and SageMaker. Apply least-privilege IAM policies for serverless service access. Enable CloudTrail and GuardDuty to monitor low-visibility services.
2. SCARLETEEL (Cryptojacking & IAM Credential Theft)
- Threat Type: Container Exploitation & Credential Theft
- How It Works: Targets AWS ECS, EKS and Fargate containers. Exploits vulnerabilities to extract IAM credentials from metadata APIs. Installs crypto miners in workloads to generate unauthorized profits.
- Mitigation: Restrict the IAM roles assigned to containers. Enable GuardDuty to detect abnormal behavior. Monitor CloudTrail and VPC Flow Logs for lateral movement.
3. DENOMINATOR (DNS Hijacking)
- Threat Type: Route 53 Exploitation & Data Theft
- How It Works: Targets AWS Route 53 misconfigurations. Changes DNS settings to redirect traffic to attacker-controlled servers. Used for phishing attacks or stealing sensitive data.
- Mitigation: Enable Route 53 change tracking in AWS Config. Use SCPs to block unauthorized DNS modifications. Monitor Route 53 logs for unexpected changes.
4. THUNDERSTRIKE (Serverless Malware via Step Functions)
- Threat Type: Covert Serverless Execution
- How It Works: Uses AWS Step Functions to orchestrate malicious payloads. Executes without spinning up EC2 instances or Lambda functions directly. Avoids detection by sidestepping compute-focused monitoring tools.
- Mitigation: Restrict sfn:StartExecution to trusted roles. Audit Step Functions definitions and executions. Enable CloudTrail for detailed logging of Step Functions activity.
5. BLACKHATCH (S3 Bucket Data Exfiltration)
- Threat Type: S3 Misconfiguration Exploitation
- How It Works: Exploits misconfigured public S3 buckets. Steals or modifies stored data. Can be used to host malware or ransomware payloads.
- Mitigation: Enable Block Public Access for all S3 buckets. Use Macie to detect sensitive data exposure. Audit S3 access logs and bucket policies regularly.
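Two checks a defender can script for the S3 misconfiguration described here, as an added example (not code from the post): the first lists bucket-policy statements that grant access to an anonymous principal without a Condition, the second reports which of the four Block Public Access flags are off. The policy document, bucket name and account id are constructed placeholders.

```python
import json

# Constructed bucket policy (placeholder bucket and account), not taken from a real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-placeholder/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::bucket-placeholder/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
        {"Sid": "Team", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/DataTeam"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::bucket-placeholder"},
    ],
})

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to everyone.

    Simplification: any Condition is treated as narrowing the caller. AWS's own
    public-bucket definition only exempts specific keys (for example
    aws:SourceVpce and aws:SourceIp), so review conditioned statements by hand.
    """
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):      # a single statement may be written without a list
        statements = [statements]
    return [s.get("Sid", "<no sid>") for s in statements
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal")) and not s.get("Condition")]


def block_public_access_gaps(config):
    """Block Public Access flags (GetPublicAccessBlock shape) that are not switched on."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]
```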
6. STORMCLOUD (IAM Privilege Escalation & Lateral Movement)
- Threat Type: IAM Misuse & Account Takeover
- How It Works: Exploits overly permissive IAM policies. Assumes high-privilege roles using sts:AssumeRole. Moves laterally within AWS Organizations.
- Mitigation: Limit AssumeRole permissions using conditions. Enable MFA for all IAM users. Monitor IAM role assumption via CloudTrail.
7. SHADOWFLEET (AWS Lambda Persistence)
- Threat Type: Persistent Lambda Backdoors
- How It Works: Creates hidden Lambda functions during an intrusion. Uses them to maintain persistent access or to re-establish it after removal. Often disguised under innocuous function names.
- Mitigation: Enforce naming standards and audits for Lambda functions. Use AWS Config to track Lambda deployments. Restrict the CreateFunction permission to admin roles only.
8. SILOCLOUD (CloudShell & CLI Exploitation)
- Threat Type: CLI-Based Exploitation
- How It Works: Attackers use AWS CloudShell or the AWS CLI with stolen credentials. Executes unauthorized actions within the AWS account. Avoids traditional EDR monitoring.
- Mitigation: Disable CloudShell in production accounts. Monitor IAM activity for CLI anomalies. Enforce IAM policies that limit CLI tool access.
9. TERRAGRAB (Terraform State File Exposure)
- Threat Type: Infrastructure Secrets Leakage
- How It Works: Unencrypted Terraform state files expose IAM keys, secrets and architecture details. Attackers extract credentials for further exploitation. Common in misconfigured S3 buckets.
- Mitigation: Always encrypt Terraform state files. Use remote state in S3 with DynamoDB locking. Limit S3 access to CI/CD systems only.
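A pre-publish scan for the exposure described here, as an added example (not the post's or any project's own code): it walks a constructed Terraform state fragment and reports which attributes hold secrets, using Terraform's own sensitive_attributes markers plus a key-name heuristic, without ever printing the values. A CI job can run it before state is written anywhere that is not encrypted and access-controlled.

```python
import json
import re

# Constructed terraform.tfstate fragment (state format v4); every value is a placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {"id": "AKIA-PLACEHOLDER", "secret": "PLACEHOLDER_SECRET",
                                       "user": "ci-user"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
        {"type": "aws_db_instance", "name": "app",
         "instances": [{"attributes": {"engine": "postgres", "password": "PLACEHOLDER_PW",
                                       "address": "db.internal"}}]},
        {"type": "aws_vpc", "name": "main",
         "instances": [{"attributes": {"cidr_block": "10.0.0.0/16"}}]},
    ],
})

# Attribute names that commonly carry credentials in provider resources (heuristic).
SECRET_KEYS = re.compile(r"secret|password|token|private_key", re.IGNORECASE)


def find_secrets(state_json):
    """Return (resource address, attribute) pairs that hold secret material.

    Two signals are combined: the sensitive_attributes paths Terraform writes
    per instance (a list of attribute paths, each a list of steps), and a
    key-name heuristic for providers that do not mark values. The values
    themselves are never returned, so the report is safe to log.
    """
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            marked = {path[0]["value"] for path in inst.get("sensitive_attributes", [])
                      if path and path[0].get("type") == "get_attr"}
            for key, value in inst.get("attributes", {}).items():
                if value in (None, ""):
                    continue                      # unset attributes carry nothing
                if key in marked or SECRET_KEYS.search(key):
                    findings.append((address, key))
    return findings
```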
10. BLUECHIP (IAM Role Exploitation in AWS Organizations)
- Threat Type: Cross-Account Privilege Escalation
- How It Works: Abuses trust relationships across AWS Organizations. Uses iam:PassRole and organizations:CreateAccount for persistence. Moves laterally between accounts.
- Mitigation: Use SCPs to restrict sensitive API actions. Audit cross-account IAM roles and trust policies. Monitor Organizations-level events in AWS CloudTrail.
11. CODEJACKER (AWS CodeBuild & CI/CD Pipeline Exploitation)
- Threat Type: Pipeline Poisoning
- How It Works: Injects malicious code into AWS CodeBuild or CodePipeline stages. Gains execution control during build or deploy processes. Common in weakly secured CI/CD environments.
- Mitigation: Require signed artifacts and integrity checks. Restrict CodeBuild permissions to limited roles. Monitor build logs and artifact integrity.
12. REDCLOUD (AWS EC2 Metadata API Exploitation)
- Threat Type: Instance Metadata Theft
- How It Works: Exploits access to the EC2 Instance Metadata Service (IMDS). Extracts temporary credentials from the exposed metadata endpoint. Used for privilege escalation and credential theft.
- Mitigation: Enforce IMDSv2 for all EC2 instances. Limit which processes can reach the metadata IP. Monitor EC2 access patterns.
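An added example (not from the post) for the IMDSv2 mitigation above. audit_imds flags instances that still allow IMDSv1 or expose IMDS beyond one network hop, and imdsv1_credential_use scans CloudTrail records for role credentials that were issued by IMDSv1, which is how to find workloads that would break before enforcing IMDSv2 and, afterwards, anything still using v1. Instance ids and ARNs are constructed placeholders.

```python
# Constructed describe-instances style records (instance ids are placeholders).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-placeholder-a", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-placeholder-b", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-placeholder-c", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-placeholder-d", "MetadataOptions":
        {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]

# Constructed CloudTrail fragments for calls made with instance-role credentials.
# sessionContext.ec2RoleDelivery records which IMDS version issued them ("1.0" or "2.0").
ROLE_A = "arn:aws:sts::111111111111:assumed-role/WebRole/i-placeholder-a"
ROLE_C = "arn:aws:sts::111111111111:assumed-role/WebRole/i-placeholder-c"
SAMPLE_ROLE_CALLS = [
    {"eventName": "ListBuckets", "userIdentity": {"arn": ROLE_A, "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventName": "GetObject", "userIdentity": {"arn": ROLE_C, "sessionContext": {"ec2RoleDelivery": "2.0"}}},
]


def audit_imds(instances, max_hop_limit=1):
    """Return {instance_id: [issues]} for instances whose IMDS settings are weak.

    HttpTokens=optional keeps IMDSv1 reachable, so one unauthenticated GET (for
    example through an SSRF bug in the app) returns role credentials. A hop limit
    above 1 lets containers and forwarded requests on the host reach IMDS too.
    A disabled endpoint serves nothing, so its other settings are not reported.
    """
    findings = {}
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue
        issues = []
        if opts.get("HttpTokens") != "required":
            issues.append("IMDSv1 allowed (HttpTokens != required)")
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops > max_hop_limit:
            issues.append(f"hop limit {hops} > {max_hop_limit}")
        if issues:
            findings[inst["InstanceId"]] = issues
    return findings


def imdsv1_credential_use(events):
    """Session ARNs whose credentials were issued by IMDSv1 (ec2RoleDelivery == "1.0")."""
    return [ev["userIdentity"]["arn"] for ev in events
            if ev["userIdentity"].get("sessionContext", {}).get("ec2RoleDelivery") == "1.0"]
```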
13. KUBELEECH (Kubernetes Secrets Exposure in AWS EKS)
- Threat Type: Secrets Disclosure
- How It Works: Accesses Kubernetes secrets due to misconfigured RBAC. Steals sensitive credentials and tokens. Exploits the lack of secret encryption or access boundaries.
- Mitigation: Store sensitive data in AWS Secrets Manager. Apply Kubernetes RBAC strictly. Enable audit logging in EKS clusters.
14. IAMSHADOW (IAM Policy Manipulation)
- Threat Type: IAM Backdoor Creation
- How It Works: Modifies IAM policies to create stealthy backdoor access. Escalates privileges silently via inline policies. Commonly done post-compromise.
- Mitigation: Use IAM Access Analyzer for continuous policy auditing. Monitor IAM changes via CloudTrail. Restrict who can edit IAM policies.
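The CloudTrail detections suggested for DENOMINATOR (3), THUNDERSTRIKE (4), STORMCLOUD (6), SHADOWFLEET (7) and IAMSHADOW (14), expressed as one small rule set, as an added example (not the post's code). The trusted-account, admin-role and Step Functions allowlists and all records are constructed placeholders; in practice the rules would run over CloudTrail delivered to S3 or CloudWatch Logs.

```python
# Constructed CloudTrail-style records (not real events); account ids and ARNs are placeholders.
TRUSTED_ACCOUNTS = {"111111111111"}
ADMIN_ARN_PREFIX = "arn:aws:iam::111111111111:role/Admin"
TRUSTED_SFN_STARTERS = {"arn:aws:iam::111111111111:role/StepFnRunner"}
DEV = {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/dev"}

SAMPLE_EVENTS = [
    {"eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets", "userIdentity": DEV},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/ext"},
     "requestParameters": {"roleArn": ADMIN_ARN_PREFIX}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": DEV, "requestParameters": {"functionName": "billing-sync-helper"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": DEV, "requestParameters": {"userName": "dev", "policyName": "tmp"}},
    {"eventSource": "states.amazonaws.com", "eventName": "StartExecution",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:role/StepFnRunner"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": DEV},
]


def _actor(ev):
    return ev.get("userIdentity", {}).get("arn", "")


# Rule name -> predicate over one CloudTrail record. The allowlists above are the tuning knobs.
RULES = {
    "DENOMINATOR: Route 53 record change by non-admin": lambda ev: (
        ev["eventSource"] == "route53.amazonaws.com"
        and ev["eventName"] == "ChangeResourceRecordSets"
        and not _actor(ev).startswith(ADMIN_ARN_PREFIX)),
    "STORMCLOUD: AssumeRole from outside trusted accounts": lambda ev: (
        ev["eventName"] == "AssumeRole"
        and ev.get("userIdentity", {}).get("accountId") not in TRUSTED_ACCOUNTS),
    "SHADOWFLEET: Lambda created by non-admin": lambda ev: (
        ev["eventSource"] == "lambda.amazonaws.com"
        and ev["eventName"].startswith("CreateFunction")  # CloudTrail logs it as CreateFunction20150331
        and not _actor(ev).startswith(ADMIN_ARN_PREFIX)),
    "IAMSHADOW: inline policy written": lambda ev: (
        ev["eventSource"] == "iam.amazonaws.com"
        and ev["eventName"] in ("PutUserPolicy", "PutRolePolicy", "PutGroupPolicy")),
    "THUNDERSTRIKE: Step Functions started by untrusted principal": lambda ev: (
        ev["eventName"] == "StartExecution" and _actor(ev) not in TRUSTED_SFN_STARTERS),
}


def triage(events):
    """Return (rule, eventName, actor ARN) for every record that matches a rule."""
    return [(rule, ev["eventName"], _actor(ev))
            for ev in events for rule, pred in RULES.items() if pred(ev)]
```

The StartExecution record from the allowlisted role produces no hit, which is the point of keeping sfn:StartExecution tied to known roles: the rule only fires for principals outside that set.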
15. FIRESTORM (AWS WAF Bypass & DDoS Evasion)
- Threat Type: WAF Evasion & App-Layer Attacks
- How It Works: Uses encoded payloads and logic flaws to bypass AWS WAF rules. Launches application-layer DDoS attacks or payload delivery. Exploits weak regex patterns or misconfigured WAF rules.
- Mitigation: Enable AWS Shield Advanced. Use rate-based WAF rules. Regularly test and update WAF rule sets.
Key Takeaways
- Cryptojacking Threats: AmberSquid, Scarleteel
- IAM & Privilege Escalation: StormCloud, BlueChip, IAMShadow
- Data Exfiltration: BlackHatch, Denominator, TerraGrab
- Serverless & CI/CD Attacks: Thunderstrike, ShadowFleet, CodeJacker
- Infrastructure Exploits: RedCloud, Kubeleech, Firestorm