# Incident Report: Sophisticated Cloud Compromise via Social Engineering and Code Misuse
## Executive Summary
A sophisticated attack chain was initiated via social engineering on LinkedIn and WhatsApp, culminating in the theft of credentials and cloud access keys. The attackers successfully compromised both Microsoft 365 and AWS environments, bypassing MFA, and achieved impact by exploiting legitimate permissions to execute commands via modification of an AWS Lambda function, leading to data exfiltration.
## Incident Details
- Discovery Date: Prior to February 3, 2025 (Reported Date)
- Incident Date: Unknown (Initial access occurred before discovery of command execution)
- Affected Organization: Undisclosed
- Sector: Undisclosed (Implied use of Microsoft 365 and AWS suggests technology or large enterprise)
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Social Engineering (LinkedIn and WhatsApp)
- Details: Attackers engaged victims via LinkedIn and WhatsApp, employing social engineering tactics to prompt the download of seemingly benign code, leading to credential theft (including session tokens and cloud access keys).
### Lateral Movement
- Date/Time: Following initial access
- Vector: Compromised Credentials/Tokens
- Details: Attackers authenticated into both Microsoft 365 and AWS using stolen session tokens and cloud access keys, effectively bypassing MFA controls. On-premises-to-cloud lateral movement was observed.
### Data Exfiltration/Impact
- Date/Time: Following Lateral Movement
- Vector: Legitimate Cloud Service Abuse
- Details: Attackers modified an AWS Lambda function to execute commands on underlying EC2 instances, exploiting existing permissions to blend with normal activity. Primary impact appears to be data exfiltration leveraging this command execution capability.
### Detection & Response
- Date/Time: Prior to February 3, 2025
- Vector: Researcher Discovery
- Details: The full scope was discovered by external researchers analyzing threat reports. Specific response actions taken by the targeted organization are not detailed in the source report.
## Attack Methodology
- Initial Access: Social engineering via LinkedIn/WhatsApp leading to code download and credential/token theft.
- Persistence: Implied by maintaining access to M365 and AWS via stolen tokens/keys.
- Privilege Escalation: Bypassing MFA using stolen session tokens/keys.
- Defense Evasion: Exploiting legitimate execution paths via Lambda modification; blending in with normal operations.
- Credential Access: Theft of session tokens and cloud access keys via malicious code execution from social engineering engagement.
- Discovery: Initial reconnaissance likely occurred via authentication into M365/AWS environments.
- Lateral Movement: On-premises-to-cloud movement observed.
- Collection: Implicitly related to the data exfiltration goal.
- Exfiltration: Achieved via command execution on EC2 instances resulting from Lambda modification.
- Impact: Command execution and potential data exfiltration.
## Impact Assessment
- Financial: Not detailed.
- Data Breach: Credential theft (session tokens, cloud keys) confirmed; data exfiltration potential high due to EC2 command execution capability.
- Operational: Command execution capability in the cloud environment represents severe operational risk.
- Reputational: Not detailed.
## Indicators of Compromise
*No specific IoCs were provided in the source report, so this section is left blank.*
- Network indicators (defanged): N/A
- File indicators: Malicious code/scripts leading to credential theft.
- Behavioral indicators: Unusual Lambda function modification; authentication to cloud services using session tokens bypassing standard MFA prompts.
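The behavioral indicators above can be checked against CloudTrail. The following is an added example, not code from the original report or from the affected organization: it scans a handful of constructed CloudTrail records for Lambda code or configuration changes made by principals outside an approved deployment role, and raises the severity when the modified function's execution role issues an SSM `SendCommand` shortly afterwards (the "Lambda modified to run commands on EC2" pattern the report describes). The account ID, IP addresses, role names and function name are invented; the Lambda event names are the ones CloudTrail records for those API calls.

```python
from datetime import datetime, timedelta

# CloudTrail eventNames for Lambda control-plane calls that change what a
# function executes (versioned names as CloudTrail records them).
LAMBDA_MUTATION_EVENTS = {
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
    "CreateFunction20150331",
}
# Hypothetical CI/CD principal that is allowed to deploy Lambda code.
APPROVED_DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"}
# Hypothetical mapping of function name -> its execution role name.
LAMBDA_EXEC_ROLES = {"orders-processor": "orders-processor-role"}
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed CloudTrail records (abridged to the fields the check uses).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-28T02:14:07Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"functionName": "orders-processor"}},
    {"eventTime": "2025-01-28T02:15:30Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/orders-processor-role/orders-processor"},
     "requestParameters": {"documentName": "AWS-RunShellScript"}},
    {"eventTime": "2025-01-28T09:00:11Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"},
     "requestParameters": {"functionName": "orders-processor"}},
    {"eventTime": "2025-01-28T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"functionName": "orders-processor"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _role_name(arn):
    # "arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION" -> "ROLE"; None for IAM users.
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/")[0]
    return None


def detect(events):
    """Return (severity, message) findings, in event-time order."""
    findings = []
    unapproved_changes = {}  # functionName -> time of last unapproved modification
    for e in sorted(events, key=_ts):
        name = e["eventName"]
        actor = e["userIdentity"]["arn"]
        if name in LAMBDA_MUTATION_EVENTS and actor not in APPROVED_DEPLOYERS:
            fn = e["requestParameters"]["functionName"]
            unapproved_changes[fn] = _ts(e)
            findings.append(("medium", f"{name} on {fn} by unapproved principal {actor} "
                                       f"from {e['sourceIPAddress']}"))
        elif e["eventSource"] == "ssm.amazonaws.com" and name == "SendCommand":
            role = _role_name(actor)
            for fn, exec_role in LAMBDA_EXEC_ROLES.items():
                changed_at = unapproved_changes.get(fn)
                if role == exec_role and changed_at and _ts(e) - changed_at <= CORRELATION_WINDOW:
                    doc = e["requestParameters"].get("documentName", "?")
                    findings.append(("high", f"SSM SendCommand ({doc}) from execution role of {fn} "
                                             f"within {CORRELATION_WINDOW} of its unapproved modification"))
    return findings


if __name__ == "__main__":
    for severity, msg in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {msg}")
```

The approved-deployer allowlist is what keeps routine CI deployments quiet; the correlation step is what separates a developer's hotfix from the report's pattern, where the function's own role starts sending commands to instances right after the change.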
## Response Actions
*Specific organizational response actions were not detailed.*
- Containment measures: N/A
- Eradication steps: N/A
- Recovery actions: N/A
## Lessons Learned
- Social engineering remains a highly effective initial access vector, even against users in technical roles, if the payload appears benign (e.g., development code).
- The reliance on session tokens and cloud keys presents a significant bypass risk for traditional MFA controls.
- Misconfiguration or over-permissioning in serverless functions (like Lambda) can provide a direct pathway to executing commands on underlying infrastructure (EC2).
## Recommendations
- Implement stronger verification processes for code received via non-corporate channels, even if it appears benign or relates to legitimate development work.
- Enforce session revocation policies and use stronger authentication methods (e.g., FIDO2 keys) that cannot be captured via simple session token theft.
- Apply the principle of least privilege rigorously to IAM roles, especially those attached to serverless functions, limiting their ability to execute arbitrary system commands or reach sensitive resources like EC2 instances.
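To make the last recommendation concrete, here is an added example (not from the original report) that checks a Lambda execution role's policy for the over-permissioning described in the Lessons Learned: statements that let the role send commands to or open sessions on EC2 instances without scoping the target instances. It carries a constructed "before" policy of the risky shape beside a scoped "after" policy; the account ID, region, log group, tag key and document name are assumptions.

```python
import fnmatch

# Actions that let a Lambda execution role run commands on or reach EC2 instances.
EC2_REACH_ACTIONS = ("ssm:SendCommand", "ssm:StartSession",
                     "ec2-instance-connect:SendSSHPublicKey")

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]

# Constructed "before" policy: ssm:* on every resource, the pathway the report warns about.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:*", "ec2:DescribeInstances"], "Resource": "*"},
    ],
}

# Constructed "after" policy: one document, only instances tagged for this workload.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": LOG_ACTIONS,
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders-processor:*"},
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": ["arn:aws:ssm:us-east-1::document/AWS-RunShellScript",
                      "arn:aws:ec2:us-east-1:111122223333:instance/*"],
         "Condition": {"StringEquals": {"ssm:resourceTag/Role": "orders-worker"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _reaches_ec2(action):
    # IAM action wildcards ("ssm:*", "*") are matched against the concrete actions.
    return any(fnmatch.fnmatchcase(target.lower(), action.lower()) for target in EC2_REACH_ACTIONS)


def overbroad_statements(policy):
    """Return (index, risky_actions, reason) for Allow statements that reach EC2
    with a wildcard resource or an unconditioned instance/* target."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        risky = [a for a in _as_list(st.get("Action", [])) if _reaches_ec2(a)]
        if not risky:
            continue
        resources = _as_list(st.get("Resource", []))
        if "*" in resources:
            findings.append((i, risky, "Resource is *"))
        elif any(r.endswith(":instance/*") for r in resources) and "Condition" not in st:
            findings.append((i, risky, "instance/* target without a Condition"))
    return findings


def is_least_privilege(policy):
    return not overbroad_statements(policy)


if __name__ == "__main__":
    for label, pol in (("before", OVERBROAD_POLICY), ("after", SCOPED_POLICY)):
        print(label, overbroad_statements(pol) or "ok")
```

The scoped policy still lets the function do its job, but only through one SSM document and only against instances carrying the expected tag; a modified function can no longer turn the role into a general command-execution path across the account.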