New SCARLETEEL Threat Group Attacks Cloud Data via Cryptomining

To minimize the traces left behind, the attacker attempted to disable CloudTrail logs in the compromised AWS account. Additionally, Sysdig’s report indicates that the attacker retrieved Terraform state files from the S3 buckets; those state files contained IAM user access keys and a secret key for a second AWS account. This second account was eventually used for lateral movement within the organization’s cloud network.
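The two behaviours described above (attempts to stop CloudTrail logging, and reads of Terraform state files that carry credentials) are both visible in CloudTrail and in the state files themselves. The following is an added detection example, not code from Sysdig or from the report: it runs over a few constructed CloudTrail records and a constructed Terraform state fragment. The CloudTrail event names are the real API names; the account id, ARNs, bucket names and IPs are placeholders, and the key/secret values are the well-known placeholder credentials from the AWS documentation, not live secrets.

```python
import json
import re

# Constructed sample CloudTrail records (not taken from the report). The eventName
# values are real CloudTrail API names; account id, ARNs and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2023-02-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-runner"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-02-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-runner"},
     "requestParameters": {"bucketName": "infra-state", "key": "prod/terraform.tfstate"}},
    {"eventTime": "2023-02-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/web-app"},
     "requestParameters": {"bucketName": "static-assets", "key": "img/logo.png"}},
]

# CloudTrail API calls that stop or narrow audit logging; any of these from an
# identity that does not normally administer trails deserves an alert.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def find_trail_tampering(events):
    """Return (time, actor ARN, event name, trail name) for each logging-tamper call."""
    hits = []
    for ev in events:
        if (ev.get("eventSource") == "cloudtrail.amazonaws.com"
                and ev.get("eventName") in TRAIL_TAMPER_EVENTS):
            hits.append((ev["eventTime"], ev["userIdentity"]["arn"], ev["eventName"],
                         ev.get("requestParameters", {}).get("name")))
    return hits


def find_state_file_reads(events):
    """Return (time, actor ARN, bucket/key) for S3 GetObject calls on Terraform state.

    Requires S3 data events to be enabled on the trail; management events alone
    do not record GetObject.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
            continue
        params = ev.get("requestParameters", {})
        key = params.get("key", "")
        # ".tfstate." also catches backup and versioned copies (terraform.tfstate.backup).
        if key.endswith(".tfstate") or ".tfstate." in key:
            hits.append((ev["eventTime"], ev["userIdentity"]["arn"],
                         f"{params.get('bucketName')}/{key}"))
    return hits


# Constructed Terraform state fragment (version-4 layout). aws_iam_access_key
# really does store the secret in state, which is why state files are a target.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {"type": "aws_iam_access_key", "name": "deployer", "instances": [
            {"attributes": {"id": "AKIAIOSFODNN7EXAMPLE", "user": "deployer",
                            "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}]},
        {"type": "aws_s3_bucket", "name": "assets", "instances": [
            {"attributes": {"bucket": "static-assets", "region": "us-east-1"}}]},
    ],
})

# Long-term (AKIA) and temporary (ASIA) AWS access key id format.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE_ATTR_RE = re.compile(r"secret|password|token|private_key", re.IGNORECASE)


def find_secrets_in_state(state_json):
    """Return 'type.name:attribute' for every state attribute that looks like a credential."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for attr, value in inst.get("attributes", {}).items():
                if not isinstance(value, str):
                    continue
                if SENSITIVE_ATTR_RE.search(attr) or ACCESS_KEY_ID_RE.search(value):
                    findings.append(f"{address}:{attr}")
    return findings


if __name__ == "__main__":
    for hit in find_trail_tampering(SAMPLE_EVENTS):
        print("CloudTrail tampering:", hit)
    for hit in find_state_file_reads(SAMPLE_EVENTS):
        print("Terraform state read:", hit)
    for finding in find_secrets_in_state(SAMPLE_TFSTATE):
        print("Credential in state:", finding)
```

Running the state scanner against your own state backend before an incident tells you which files would hand an intruder keys; the CloudTrail checks are the minimum an alert rule should cover, and the second one only fires if S3 data events are logged for the state bucket.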

To effectively address the risks introduced by cloud-facing threats, organizations are strongly advised to address threats often deemed lower priority, such as cryptominers, infostealers, and malware bot loaders, as these are increasingly used by threat groups to gain initial access for more disruptive attacks such as ransomware or data extortion. In addition, to secure their cloud services, organizations should:

• Keep all software up to date.
• Use IMDS v2 instead of v1, which prevents unauthorized metadata access.
• Adopt principles of least privilege on all user accounts.
• Scope read-only access on resources that may contain sensitive data like Lambda.
• Remove old and unused permissions.
• Use key management services like AWS KMS, GCP KMS, and Azure Key Vault.
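Two of the recommendations above, enforcing IMDSv2 and least privilege, can be checked mechanically. The following is an added audit example, not code from the article or from Sysdig: it inspects a constructed sample shaped like the MetadataOptions block of `aws ec2 describe-instances` output and a constructed IAM policy document. The instance ids and the policy are placeholders; the `aws ec2 modify-instance-metadata-options` command it emits is real AWS CLI syntax.

```python
import json

# Constructed sample, shaped like the MetadataOptions block returned by
# `aws ec2 describe-instances`; the instance ids are placeholders.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccccccccccccccc3",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
]


def imdsv1_exposed_instances(instances):
    """Instances whose metadata endpoint still answers unauthenticated (IMDSv1) requests.

    HttpTokens=required forces the session-token (IMDSv2) flow; an endpoint that is
    disabled outright is not exposed regardless of the token setting.
    """
    exposed = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
            exposed.append(inst["InstanceId"])
    return exposed


def imdsv2_remediation_commands(instances):
    """AWS CLI commands that enforce IMDSv2 on each exposed instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        f"--http-tokens required --http-endpoint enabled"
        for iid in imdsv1_exposed_instances(instances)
    ]


# Constructed IAM policy with one scoped statement and two over-broad ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadState", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::infra-state/*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "LambdaRead", "Effect": "Allow", "Action": ["lambda:GetFunction", "lambda:*"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def overbroad_statements(policy_json):
    """Map Sid -> reasons for every Allow statement granting a wildcard action.

    A statement is flagged when any action is '*' or 'service:*'; a Resource of
    '*' is reported as an extra reason on flagged statements. Statements with
    specific actions and Resource '*' (common for Describe*/List*) are left alone.
    """
    policy = json.loads(policy_json)
    flagged = {}
    for stmt in _as_list(policy.get("Statement")) if isinstance(policy.get("Statement"), list) \
            else [policy.get("Statement")]:
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if not wild_actions:
            continue
        reasons = [f"action:{a}" for a in wild_actions]
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("resource:*")
        flagged[stmt.get("Sid", "<no Sid>")] = reasons
    return flagged


if __name__ == "__main__":
    for cmd in imdsv2_remediation_commands(SAMPLE_INSTANCES):
        print(cmd)
    for sid, reasons in overbroad_statements(SAMPLE_POLICY).items():
        print(f"{sid}: {', '.join(reasons)}")
```

In practice the instance list would come from `describe-instances` across every region and the policy documents from `get-policy-version`; the checks themselves stay the same, and the emitted commands are meant to be reviewed before they are run.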

https://www.bleepingcomputer.com/news/security/scarleteel-hackers-use-advanced-cloud-skills-to-steal-source-code-data/