2025-05-29

Leaked Access Key Enables Cloud Intrusion, AWS Identity Center Abused for Persistence

Level: Tactical | Source: Datadog | Global


A threat hunt conducted by Datadog uncovered a cloud intrusion traced to a leaked long-term AWS access key (AKIA*) associated with a management account. Activity moved quickly: as Datadog senior detection engineer Martin McCloskey reported, "within a 150-minute window" five IP addresses were observed using the compromised key to execute a range of cloud-native tactics. The actor's objectives appeared to focus on enumeration, persistence, and privilege escalation. Among the most notable findings were the creation of "persistence-as-a-service" infrastructure, the provisioning of AWS Identity Center users, and the disabling of services at the organizational level.
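The "five IP addresses within a 150-minute window" observation is itself a usable detection: a single long-term key should not normally be exercised from many source addresses in a short span. The following is an added example (not Datadog's or Anvilogic's code) that groups CloudTrail records by `accessKeyId` and flags any AKIA key used from at least a threshold number of distinct IPs inside a sliding window. The events, key IDs and addresses are constructed for illustration, and the threshold of three IPs is an assumed tuning value; the window defaults to the 150 minutes quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real telemetry). Only the fields
# the detector reads are included; the shape follows the CloudTrail schema.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-05-01T10:20:00Z", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-05-01T10:45:00Z", "eventName": "GetAccount",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-05-01T11:30:00Z", "eventName": "ListIdentities",
     "sourceIPAddress": "192.0.2.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-05-01T12:00:00Z", "eventName": "GetSendQuota",
     "sourceIPAddress": "198.51.100.200", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    # A second long-term key used from one address only: should not be flagged.
    {"eventTime": "2025-05-01T10:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.1.2.3", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2025-05-01T10:06:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.1.2.3", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
    # Temporary (ASIA) credentials from several IPs: out of scope for this rule,
    # since short-lived session keys are routinely used from many places.
    {"eventTime": "2025-05-01T10:10:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000003"}},
    {"eventTime": "2025-05-01T10:15:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000003"}},
    {"eventTime": "2025-05-01T10:20:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "192.0.2.77", "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000003"}},
]

WINDOW = timedelta(minutes=150)   # window quoted in the Datadog report
IP_THRESHOLD = 3                  # assumed tuning value; raise for noisy environments


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_multi_ip_keys(events, window=WINDOW, threshold=IP_THRESHOLD):
    """Return {accessKeyId: set(ips)} for every long-term (AKIA) key that was
    used from at least `threshold` distinct source IPs within any span of
    `window` length. Each key is reported once, with the IPs of the first
    window that crossed the threshold."""
    uses_by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("AKIA"):
            continue
        uses_by_key[key].append((parse_time(ev["eventTime"]), ev["sourceIPAddress"]))

    findings = {}
    for key, uses in uses_by_key.items():
        uses.sort()
        # Slide a window anchored at each use; collect the IPs that fall inside it.
        for i, (start, _) in enumerate(uses):
            ips = {ip for t, ip in uses[i:] if t - start <= window}
            if len(ips) >= threshold:
                findings[key] = ips
                break
    return findings


if __name__ == "__main__":
    for key, ips in find_multi_ip_keys(SAMPLE_EVENTS).items():
        print(f"{key}: {len(ips)} distinct source IPs within {WINDOW}: {sorted(ips)}")
```

In production this runs over CloudTrail Lake or an athena/SIEM export rather than an in-memory list, and a hit should be joined with the key owner (IAM user, creation date, last rotation) so the responder can decide between immediate deactivation and a watch-and-confirm step.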

Initial attacker activity included several standard enumeration API calls such as "GetAccount," "ListIdentities," and "GetSendQuota" for reconnaissance of the Simple Email Service (SES). The threat actor proceeded to create a security group labeled "Administratorsz" with the description "We Are There But Not Visible," which is linked to known TTPs of the JavaGhost group. Efforts to escalate privileges were observed with the creation of new IAM users, the attachment of administrative policies ("AttachUserPolicy" and "AttachGroupPolicy"), and the setup of login profiles. Temporary credentials were generated using the STS AssumeRole API, allowing access to the AWS console through short-lived sessions derived from the compromised long-term key.

In a separate segment of the intrusion, the attacker deployed a Lambda function named "buckets555" and connected it to an HTTP API Gateway. This function, equipped with execution rights via the "AWSLambdaBasicExecutionRole," was capable of dynamically creating IAM users upon external HTTP requests. According to McCloskey, "this effectively creates a 'persistence-as-a-service' mechanism," allowing continued unauthorized access beyond key revocation. Additionally, ConsoleLogin events from a Telegram ASN suggest the use of automated Telegram-based bots for credential usage or link generation.

Persistence was further reinforced through actions in AWS Identity Center (formerly AWS SSO). The attacker enumerated the environment before creating a new user and group, assigning permissions, disabling MFA requirements, and extending session durations. This was followed by a successful sign-in using password-only authentication for the newly created user. Concurrently, the attacker used the "DisableAWSServiceAccess" API to turn off trusted access for multiple organization-level services, including IAM Access Analyzer, CloudFormation StackSets, and Systems Manager. While the motivation for this remains unclear, the sequence suggests a possible effort to weaken centralized oversight or prepare the environment for additional lateral movement. Datadog's findings provide insight into how threat actors can establish resilient access in AWS environments, with compromised credentials often being the root of cloud intrusions.
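The three paragraphs above describe discrete, loggable actions: a security group with the JavaGhost naming marker, administrative policy attachment, IAM user creation by a role session (the Lambda-backed "persistence-as-a-service" pattern), mutating calls against Identity Center, and organization-level DisableAWSServiceAccess. The following is an added example (not Datadog's or Anvilogic's code) that expresses each as a rule over CloudTrail records and triages a batch of events. The sample events are constructed; the event names, event sources and the AdministratorAccess policy ARN are real CloudTrail and IAM values, while treating any CreateUser issued by a role session as suspicious is a heuristic that needs an allowlist for legitimate automation.

```python
import re

# Constructed sample CloudTrail records (not real telemetry), trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"groupName": "Administratorsz", "groupDescription": "We Are There But Not Visible"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "svc-backup2", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "buckets555-role"}}},
     "requestParameters": {"userName": "api-created-user"}},
    {"eventSource": "identitystore.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "ops-admin"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DisableAWSServiceAccess", "sourceIPAddress": "198.51.100.200",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"servicePrincipal": "access-analyzer.amazonaws.com"}},
    # Benign records that none of the rules should match.
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"}, "requestParameters": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"},
     "requestParameters": {"groupName": "web-tier", "groupDescription": "HTTP ingress for web tier"}},
]

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
IDENTITY_CENTER_SOURCES = {"sso.amazonaws.com", "identitystore.amazonaws.com"}
# Verb prefixes that change state; Get/List/Describe are read-only and ignored.
MUTATING_VERB = re.compile(r"^(Create|Put|Update|Delete|Attach|Detach|Add|Remove|Enable|Disable)")


def _params(ev):
    return ev.get("requestParameters") or {}


def rule_javaghost_sg_marker(ev):
    """Security group whose name or description carries the marker quoted in the report."""
    if ev["eventName"] != "CreateSecurityGroup":
        return False
    p = _params(ev)
    text = f"{p.get('groupName', '')} {p.get('groupDescription', '')}".lower()
    return "administratorsz" in text or "not visible" in text


def rule_admin_policy_attached(ev):
    """AdministratorAccess attached to a user, group or role."""
    return (ev["eventName"] in ("AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy")
            and _params(ev).get("policyArn") == ADMIN_POLICY_ARN)


def rule_user_created_by_role_session(ev):
    """Heuristic: IAM users are normally created by human principals; a role session
    (for example a Lambda execution role) creating one matches the Lambda+API Gateway
    pattern. Allowlist known provisioning roles before deploying."""
    ident = ev.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return (ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] == "CreateUser"
            and ident.get("type") == "AssumedRole" and issuer.get("type") == "Role")


def rule_identity_center_mutation(ev):
    """Any state-changing call against Identity Center or its identity store."""
    return ev["eventSource"] in IDENTITY_CENTER_SOURCES and bool(MUTATING_VERB.match(ev["eventName"]))


def rule_org_trusted_access_disabled(ev):
    """Trusted access for an organization-level service switched off."""
    return ev["eventSource"] == "organizations.amazonaws.com" and ev["eventName"] == "DisableAWSServiceAccess"


RULES = {
    "javaghost_sg_marker": rule_javaghost_sg_marker,
    "admin_policy_attached": rule_admin_policy_attached,
    "iam_user_created_by_role_session": rule_user_created_by_role_session,
    "identity_center_mutation": rule_identity_center_mutation,
    "org_trusted_access_disabled": rule_org_trusted_access_disabled,
}


def triage(events):
    """Return one finding per event that matched at least one rule."""
    findings = []
    for ev in events:
        hits = [name for name, check in RULES.items() if check(ev)]
        if hits:
            findings.append({"eventSource": ev["eventSource"], "eventName": ev["eventName"],
                             "sourceIPAddress": ev.get("sourceIPAddress"),
                             "servicePrincipal": _params(ev).get("servicePrincipal"), "rules": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['eventSource']:32} {f['eventName']:24} {f['sourceIPAddress']:16} {', '.join(f['rules'])}")
```

Each rule is deliberately narrow so that a hit is actionable on its own; correlating several hits from the same source IP or access key within the intrusion window turns them into a single high-confidence incident rather than five separate alerts.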
