A pattern that GitGuardian had anticipated for years is now a reality: highly organized criminal organizations are executing systematic and meticulous cloud attacks focused entirely on hardcoded credentials and over-permissive IAM configurations. This news is in line with threat intelligence gathered by GitGuardian, which indicates that the group behind the GhostAction supply-chain attack has attempted to exploit AWS credentials.

From Red Hat Breach to Coordinated Extortion

Since the Red Hat breach was made public about ten days ago, the situation has evolved rapidly, and several groups have organized to work together.

Crimson Collective claimed responsibility for a significant breach of Red Hat’s private GitLab repositories: 570GB of data from 28,000 repositories, affecting 800+ organizations and including Customer Engagement Reports (CERs) that contain credentials, API keys, and infrastructure details from major enterprises.

Following the breach, the situation intensified when the notorious ShinyHunters gang joined forces with the Crimson Collective to escalate the extortion efforts against Red Hat. This alliance also involves a group calling itself Scattered Lapsus$ Hunters.

The newly formed coalition declared its intention to coordinate future attacks and data releases via ShinyHunters' recently launched data leak and extortion platform. They threatened to publish all stolen Red Hat data unless ransom negotiations began, and subsequently started releasing samples of the stolen customer data, including sensitive CERs.

Data Harvesting Playbook

The magnitude of the Secrets Sprawl issue GitGuardian has been warning about for the past years gives attackers an unfair advantage in attacking companies. The recent breaches, from the S1ngularity attack to the AWS exploitation campaign by the Crimson Collective, highlight an attack strategy where leaked secrets are used as the initial access vector.

Threat actors rely on open-source tools to quickly identify those secrets at scale. At the moment, the groups focus mainly on cloud credentials, and especially on AWS access keys, as showcased in the Crimson Collective campaign. Those credentials can easily be tested for validity, a capability that open-source secrets detection tools often provide, allowing the actors to quickly concentrate on the most sensitive secrets.

Beyond the initial secret-harvesting vector, the follow-on cloud attack relies on classical TTPs, organized in the usual stages:

  • Persistence: The actors create new user accounts with high privileges for later access.
  • Discovery: Once authenticated on the AWS account of the victims, the actors enumerate available resources, especially databases and volumes.
  • Collection: Discovered assets are snapshotted, backed up, or have their access passwords changed.
  • Exfiltration: Collected data is exfiltrated from the AWS environment via S3 buckets or EC2 instances created directly in the victim’s environment. External access to databases is also used to collect data from the database instances backdoored in the previous step.
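As an added illustration of how a defender can watch for this four-stage pattern (example code written for this page, not GitGuardian's or Rapid7's tooling), the script below maps CloudTrail eventName values onto the stages listed above and raises an alert when one principal touches three or more stages within a short window. The eventName values are real CloudTrail names; the log records, the account ID and the principal names are constructed for the example, and the stage-to-event mapping and the six-hour window are assumptions to tune for your environment.

```python
"""Correlate CloudTrail events into the persistence/discovery/collection/exfiltration
pattern described above. Added example; all sample records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> CloudTrail eventName values that match the described behaviour (assumed mapping).
STAGE_EVENTS = {
    "persistence": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateLoginProfile"},
    "discovery": {"DescribeDBInstances", "DescribeVolumes", "DescribeSnapshots", "ListBuckets"},
    # ModifyDBInstance covers password resets; CloudTrail logs the call, not the new password.
    "collection": {"CreateSnapshot", "CreateDBSnapshot", "ModifyDBInstance", "CreateVolume"},
    "exfiltration": {"CreateBucket", "PutBucketPolicy", "RunInstances"},
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample records (account ID 111122223333 is the AWS documentation placeholder).
ACTOR = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
ANALYST = {"arn": "arn:aws:iam::111122223333:user/analyst"}
SAMPLE_RECORDS = [
    {"eventTime": "2025-10-01T10:00:00Z", "eventName": "CreateUser", "userIdentity": ACTOR,
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2025-10-01T10:00:30Z", "eventName": "AttachUserPolicy", "userIdentity": ACTOR,
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-10-01T10:05:00Z", "eventName": "DescribeDBInstances", "userIdentity": ACTOR},
    {"eventTime": "2025-10-01T10:06:00Z", "eventName": "DescribeVolumes", "userIdentity": ACTOR},
    {"eventTime": "2025-10-01T10:20:00Z", "eventName": "CreateDBSnapshot", "userIdentity": ACTOR,
     "requestParameters": {"dBInstanceIdentifier": "prod-customers"}},
    {"eventTime": "2025-10-01T10:40:00Z", "eventName": "CreateBucket", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "tmp-export-0001"}},
    # Benign activity from another principal: discovery only, never crosses the threshold.
    {"eventTime": "2025-10-01T11:00:00Z", "eventName": "ListBuckets", "userIdentity": ANALYST},
]


def classify(record):
    """Return the stage an event belongs to, or None for events we do not track."""
    name = record.get("eventName")
    return next((stage for stage, names in STAGE_EVENTS.items() if name in names), None)


def principal(record):
    """Identify the caller; fall back to the access key when no ARN is present."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("accessKeyId") or "unknown"


def admin_attachments(records):
    """Events that attach AdministratorAccess to a user: the persistence step made explicit."""
    return [r for r in records
            if r.get("eventName") == "AttachUserPolicy"
            and r.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY]


def correlate(records, window=timedelta(hours=6), min_stages=3):
    """Group tracked events per principal and alert when >= min_stages occur inside window."""
    per_principal = defaultdict(list)
    for r in records:
        stage = classify(r)
        if stage is None:
            continue
        ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
        per_principal[principal(r)].append((ts, stage, r["eventName"]))

    alerts = []
    for who, events in per_principal.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            stages = {s for _, s, _ in in_window}
            if len(stages) >= min_stages:
                alerts.append({"principal": who, "stages": sorted(stages),
                               "events": [n for _, _, n in in_window]})
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(f"{alert['principal']} hit {alert['stages']}: {alert['events']}")
    for r in admin_attachments(SAMPLE_RECORDS):
        print("admin policy attached to", r["requestParameters"]["userName"])
```

In production the records would come from a CloudTrail Lake query or the CloudTrail S3 delivery rather than an inline list, and the stage mapping should be extended with the service-specific calls your own workloads never make, which are the cheapest signal of a stolen key being driven by hand.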

More details about this process, along with IoCs, can be found in Rapid7’s comprehensive analysis of the campaign.

An interesting point is that the threat actors only focus on highly privileged leaked credentials. It highlights the need to better control and understand the entitlements of Non-Human Identities, especially in cloud environments.
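One concrete way to start understanding those entitlements is to lint the IAM policy documents attached to non-human identities for wildcard grants. The checker below is an added example (not GitGuardian's code): it walks a policy's statements and reports Allow statements that combine a wildcard action with a wildcard resource, ranking unconditional `*` or `iam:*`/`sts:*` grants highest. The policy document is constructed for the example; the severity tiers are an assumption to adapt to your own standards.

```python
"""Flag over-permissive statements in an IAM policy document.
Added example; the sample policy below is constructed."""
import json

# Services where a wildcard grant equals full account takeover (assumed list).
PRIVILEGE_SERVICES = {"iam", "sts", "organizations"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action):
    """'*' or 'service:*' grants every action (for that service)."""
    return action == "*" or action.endswith(":*")


def severity(wild_actions, has_condition):
    """Rank a finding; a Condition narrows the grant but still deserves review."""
    if has_condition:
        return "review"
    if "*" in wild_actions or any(a.split(":")[0] in PRIVILEGE_SERVICES for a in wild_actions):
        return "critical"
    return "high"


def find_overpermissive(policy):
    """Return findings for Allow statements with wildcard actions on Resource '*'."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if is_wildcard_action(a)]
        wild_resource = "*" in _as_list(stmt.get("Resource", []))
        if wild_actions and wild_resource:
            findings.append({
                "statement": index,
                "sid": stmt.get("Sid"),
                "actions": wild_actions,
                "severity": severity(wild_actions, "Condition" in stmt),
            })
    return findings


# Constructed sample: the kind of policy a CI or backup service account accumulates over time.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*", "s3:GetObject"], "Resource": "*"},
    {"Sid": "ScopedRead", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::build-artifacts/*"},
    {"Sid": "Ec2FromOffice", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_overpermissive(SAMPLE_POLICY):
        print(f"[{finding['severity']}] statement {finding['statement']} "
              f"({finding['sid']}): {finding['actions']}")
```

Run against the output of `aws iam get-policy-version` for every policy attached to a service user or role, this gives a first inventory of which non-human identities would hand an attacker the privileged foothold described above.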

Secrets Aggregation Risk

This consolidation of players once again underscores the danger of valid secrets as initial attack vectors. Moreover, the Red Hat breach highlights an underestimated critical security blind spot: consulting firms act as credential aggregation points. Based on GitGuardian's analysis of similar consulting firm breaches, internal repositories often contain 8–10 times more secrets than public repositories.

When a single consulting firm is compromised, the harvested credentials allow attackers to pivot laterally into hundreds of customer environments, demonstrating the cascading impact of secrets sprawl.

A similar principle drove the Scattered Lapsus$ Hunters attack on Salesloft, where initial phished GitHub access led to the discovery of embedded AWS credentials and the exfiltration of valid Salesforce OAuth tokens, in turn used to discover more valid secrets. This turns legitimate integration credentials into high-value attacker targets: the concentration of valid secrets in one place enables efficient lateral movement across affected client organizations.

While we track the ongoing developments, the broader implications are crystal clear: the proliferation of secrets across modern infrastructures requires a fundamental shift in how we approach security and how we track secret usage. The crucial question is whether your organization possesses the necessary visibility and response capabilities to anticipate these threats.