Insights from practical experience
Our cloud incident response trainings are now available!
Background
Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece together the picture based on available logging.
Due to confidentiality we will be using censored screenshots to protect our client’s information. They approved the publication of this blog, to prevent other companies from becoming a victim to a similar attack.
Attack overview
The overall attack activity is mapped to the MITRE ATT&CK steps as shown in the figure below:
Incident timeline
Initial Access
The threat actor was able to get into the environment due to accidentally exposed long-term credentials. The first malicious activity happened outside of the 90-day retention period of CloudTrail. However, based on analysis of subsequent events and open-source analysis we were able to determine that a specific access key was used which was publicly exposed. Luckily the access key was for an account that only had rights to a specific S3 bucket.