An attacker leveraged leaked long-term AWS access keys to automate the enumeration of victims' secrets, S3 buckets, and even S3 Glacier vaults, masking their location with a mix of residential proxies and Cloudflare WARP VPN.
Their custom user agent suggests they signed AWS API requests directly rather than through the AWS CLI or an SDK, a tactic not previously observed. While the attacker successfully listed objects in S3 buckets, no data exfiltration attempts were observed, even though S3 data events were enabled and would have recorded object-level reads.
They used a potentially compromised residential proxy IP to enumerate secrets and vaults in a customer's AWS environment; that activity was later linked to a second AWS environment in which the attacker performed automated enumeration of S3 buckets and their contents.
While no data exfiltration was observed, the attacker’s behavior suggests reconnaissance for valuable secrets or credential testing to assess potential value on the black market.
An attacker attempted to enumerate S3 Glacier vaults, a rarely seen move against backup storage, while connected through Cloudflare WARP VPN, likely to mask their location and make the API calls appear less suspicious by originating from Cloudflare's network.
The attempt failed because the compromised identity lacked the IAM permission for that action, a reminder that least-privilege IAM policies also protect S3 Glacier storage.
The user agent string suggests the attacker used the requests-auth-aws-sigv4 library to sign AWS API requests manually, which is uncommon in automated attacks, where tools like the AWS CLI or Boto3 (which handle SigV4 signing automatically) are typically used.
The reason for this manual approach is unclear, but if that library is not expected in your environment, its user agent is a useful indicator of suspicious activity.
The attacker used enumeration techniques to discover cloud resources, as evidenced by MITRE ATT&CK T1580 (Cloud Infrastructure Discovery) and T1619 (Cloud Storage Object Discovery), which, especially for popular services, can be challenging to detect with certainty because the same API calls are made constantly by legitimate tooling.
Security teams can detect this activity more easily by looking for known indicators of compromise (IOCs), anomalous API call behavior (such as a large number of List calls in a short period across multiple regions), and spikes in AccessDenied errors for specific API calls (such as ListSecrets or ListBuckets) that show someone probing beyond their permissions.
According to Datadog Security Labs, security professionals can actively hunt for enumeration attempts against AWS S3 and Secrets Manager by analyzing API call patterns. Specifically, they should look for rapid sequences of "List*" calls (e.g., ListSecrets, ListBuckets) across multiple regions within a short timeframe.
Such a pattern suggests an automated attempt to identify and map resources, and a sudden increase in "AccessDenied" errors for these "List*" calls may indicate unauthorized enumeration. By monitoring these API call patterns, security professionals can identify suspicious activity even in the absence of specific indicators of compromise.
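The hunt described above, and the user agent check mentioned earlier, as an added example that is not code from the article or from Datadog Security Labs: it groups CloudTrail List* calls per principal, measures the largest burst inside a sliding window, counts distinct regions and AccessDenied responses, and flags the requests-auth-aws-sigv4 user agent. The thresholds, the principal ARNs, the field subset and the sample events are all assumptions constructed for this illustration.

```python
"""Added example (not from the article or Datadog): a CloudTrail hunt for
automated List* enumeration. Thresholds, ARNs and events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# User agent the article singles out; extend with anything unexpected in your estate.
SUSPICIOUS_USER_AGENTS = ("requests-auth-aws-sigv4",)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def max_calls_in_window(times, window_seconds):
    """Largest number of timestamps inside any window of window_seconds
    (two-pointer sweep over the sorted list)."""
    times = sorted(times)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(events, window_seconds=300, min_list_calls=10,
                       min_regions=2, min_access_denied=3):
    """Return one finding per principal whose List* activity trips any threshold."""
    per_principal = defaultdict(list)
    for e in events:
        per_principal[_principal(e)].append(e)

    findings = []
    for principal, evs in per_principal.items():
        list_events = [e for e in evs if e.get("eventName", "").startswith("List")]
        if not list_events:
            continue
        burst = max_calls_in_window(
            [_parse_time(e["eventTime"]) for e in list_events], window_seconds)
        regions = sorted({e.get("awsRegion", "") for e in list_events})
        denied = sum(1 for e in list_events if e.get("errorCode") == "AccessDenied")
        odd_ua = any(ua in e.get("userAgent", "")
                     for e in evs for ua in SUSPICIOUS_USER_AGENTS)

        reasons = []
        if burst >= min_list_calls:
            reasons.append(f"{burst} List* calls within {window_seconds}s")
        if len(regions) >= min_regions:
            reasons.append(f"List* calls spanning {len(regions)} regions")
        if denied >= min_access_denied:
            reasons.append(f"{denied} AccessDenied responses to List* calls")
        if odd_ua:
            reasons.append("user agent contains requests-auth-aws-sigv4")
        if reasons:
            findings.append({"principal": principal, "list_calls_in_window": burst,
                             "regions": regions, "access_denied": denied,
                             "suspicious_user_agent": odd_ua, "reasons": reasons})
    return findings


# ---- Constructed sample events (not real CloudTrail records) ----------------
_BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
ATTACKER = "arn:aws:iam::123456789012:user/leaked-ci-key"  # assumed principal
ADMIN = "arn:aws:iam::123456789012:user/alice"             # assumed principal
_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]
_SIGV4_UA = "python-requests/2.31.0 requests-auth-aws-sigv4/0.7"
_CLI_UA = "aws-cli/2.15.0 md/awscrt#0.19.19 ua/2.0 os/linux"


def _event(offset, name, region, principal, user_agent, error=None):
    e = {"eventTime": (_BASE + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "eventName": name, "awsRegion": region,
         "userIdentity": {"arn": principal}, "userAgent": user_agent}
    if error:
        e["errorCode"] = error
    return e


SAMPLE_EVENTS = [
    # Leaked key: ListSecrets every 10 s rotating through four regions, every
    # third call denied, then a denied Glacier ListVaults and a ListBuckets.
    *[_event(10 * i, "ListSecrets", _REGIONS[i % 4], ATTACKER, _SIGV4_UA,
             "AccessDenied" if i % 3 == 0 else None) for i in range(12)],
    _event(130, "ListVaults", "us-east-1", ATTACKER, _SIGV4_UA, "AccessDenied"),
    _event(140, "ListBuckets", "us-east-1", ATTACKER, _SIGV4_UA),
    # Routine admin use: one ListBuckets and a read an hour apart, one region.
    _event(0, "ListBuckets", "us-east-1", ADMIN, _CLI_UA),
    _event(3600, "GetObject", "us-east-1", ADMIN, _CLI_UA),
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_EVENTS):
        print(finding["principal"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Against the constructed sample, only the leaked key is reported: 14 List* calls inside five minutes across four regions, five of them denied, from the flagged user agent, while the admin's single ListBuckets stays below every threshold. On real data, feed it the decoded CloudTrail records and tune the thresholds to the baseline of your own automation before alerting on them.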