Full Report
LLMs automated most phases of the attack A digital intruder broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges, thanks to an AI speed assist.…
Analysis Summary
# Incident Report: AI-Accelerated AWS Cloud Compromise
## Executive Summary
An unauthorized intrusion into an AWS cloud environment resulted in an attacker achieving administrative privileges in under 10 minutes, heavily utilizing Large Language Models (LLMs) to automate reconnaissance and lateral movement. The compromise led to the exfiltration of sensitive secrets and data, and the abuse of cloud-hosted LLM services (Bedrock). The incident underscores the accelerating threat posed by AI-assisted attacks.
## Incident Details
- **Discovery Date:** Not explicitly stated, but reported by the Sysdig Threat Research Team.
- **Incident Date:** November 28, 2026 (Observation Date).
- **Affected Organization:** Undisclosed victim organization using AWS.
- **Sector:** Technology/Cloud Infrastructure (Inferred).
- **Geography:** Undisclosed.
## Timeline of Events
### Initial Access
- **Date/Time:** Shortly before 21:09 UTC on Feb 4, 2026 (Date of reporting/observation).
- **Vector:** Exposure of long-term AWS access keys in a public Amazon S3 bucket.
- **Details:** The exposed credentials belonged to an IAM user with broad read/write permissions for AWS Lambda and restricted access to AWS Bedrock. The S3 bucket also contained Retrieval-Augmented Generation (RAG) data for AI models.
### Lateral Movement
- **Date/Time:** Minutes following initial access.
- **Vector:** Abuse of compromised IAM user permissions via AWS Lambda function injection.
- **Details:** The attacker iterated through escalation targets ("adminGH") before successfully compromising the target administrative user, "frick." This was achieved by abusing `UpdateFunctionCode` and `UpdateFunctionConfiguration` permissions to replace the code of an existing Lambda function named `EC2-init` multiple times.
### Data Exfiltration/Impact
- **Date/Time:** Occurred during the rapid elevation phase.
- **Impact:** The attacker gained access to 19 distinct AWS principals (including 6 roles and 5 users), compromised secrets from Secrets Manager, SSM parameters, CloudWatch logs, Lambda source code, S3 bucket contents, and CloudTrail events. The attacker also engaged in "LLMjacking," invoking multiple cloud-hosted LLMs (Claude, DeepSeek, Llama, etc.) via Amazon Bedrock. Furthermore, compute resources were provisioned for potential ML training, including launching a publicly accessible JupyterLab server.
### Detection & Response
- **How it was discovered:** Observed and analyzed by the Sysdig Threat Research Team.
- **Response actions taken:** The specific internal response by the victim is not detailed, but Sysdig noted that one launched compute instance was terminated by the attacker after only five minutes.
## Attack Methodology
- **Initial Access:** Credential harvesting from public S3 bucket hosting credentials.
- **Persistence:** New access keys were created for the admin user `frick`. Backdoor access established via launching a publicly accessible JupyterLab server on an EC2 instance.
- **Privilege Escalation:** Lambda function code injection, specifically abusing `UpdateFunctionCode` and `UpdateFunctionConfiguration` permissions on the `EC2-init` function.
- **Defense Evasion:** The attacker wrote sophisticated, LLM-generated code including comprehensive exception handling and adjusted Lambda execution timeouts (from 3s to 30s) to evade standard execution limits.
- **Credential Access:** Listed all IAM users and their access keys post-privilege escalation.
- **Discovery:** Attempted to assume `OrganizationAccountAccessRole` across multiple, potentially external, AWS accounts, including fabricated account IDs.
- **Lateral Movement:** Assumed compromised roles and users across 14 different sessions.
- **Collection:** Stole secrets, parameters, logs, and S3 data.
- **Exfiltration:** Data exfiltration occurred based on the access gained to internal systems.
- **Impact:** Compromise of 19 principals, exfiltration of configuration and secrets data, and unauthorized use of GPU compute and LLM invocation services.
## Impact Assessment
- **Financial:** Not quantified, but inferred costs associated with compromised compute time and data recovery.
- **Data Breach:** Sensitive data including secrets from Secrets Manager, SSM parameters, CloudTrail logs, and S3 contents were accessed.
- **Operational:** Significant operational disruption due to compromise of administrative functions and core services (Lambda, Bedrock).
- **Reputational:** Unknown public impact, though the analysis was publicly released by Sysdig researchers.
## Indicators of Compromise
- **Network indicators:** Attempts to contact/invoke Bedrock models not used by the organization. Publicly accessible JupyterLab server launched on port 8888.
- **File indicators:** LLM-generated code utilizing Serbian comments. Script containing hallucinated GitHub repository references.
- **Behavioral indicators:** Rapid progression (under 10 minutes) from initial access to admin privileges. Iterative privilege escalation attempts using Lambda injection. Invocation of multiple external/unusual LLM models via Bedrock.
## Response Actions
*(Based on recommended actions, as specific victim actions are not detailed)*
- **Containment measures:** (Implied) Immediate revocation of compromised IAM credentials, isolation of the compromised Lambda function, and disabling unauthorized GPU/Compute workloads.
- **Eradication steps:** (Implied) Review and remove newly created access keys for user `frick`, and delete the backdoored EC2 instance.
- **Recovery actions:** (Implied) Rotation of all relevant IAM credentials, audit of AWS environment configuration, review of public S3 buckets.
## Lessons Learned
- The use of LLMs drastically reduces the time an attacker needs to navigate complex cloud environments by automating code writing, recon, and privilege escalation.
- Long-term credentials stored unprotected in public S3 buckets remain a critical, high-speed initial access vector.
- Over-permissive IAM policies, especially allowing broad actions like `UpdateFunctionCode` within Lambda, enable fast path privilege escalation.
## Recommendations
- **Credential Management:** Enforce the use of temporary credentials (IAM Roles) instead of long-term credentials for IAM users. If long-term credentials must be used, enforce strict, frequent rotation policies.
- **S3 Security:** Ensure S3 buckets containing sensitive data (including RAG data and configuration artifacts) are never publicly accessible.
- **Least Privilege for Lambda:** Restrict permissions granularly. Specifically, limit `UpdateFunctionConfiguration` and `PassRole` permissions, and restrict `UpdateFunctionCode` only to identities requiring code deployment capabilities for specific functions.
- **Monitoring:** Enable model invocation logging for Amazon Bedrock to easily detect unauthorized or unusual usage patterns.