Full Report
During an investigation, Mandiant identified evidence that a threat actor had discovered cloud access keys stored in plain text on a compromised on-premises network. The threat actor was able to use the keys to access and steal data from the client’s cloud storage buckets. Whe...
Analysis Summary
# Incident Report: Cloud Data Theft via Plain-Text On-Premises Credentials
## Executive Summary
A threat actor leveraged a prior compromise of an on-premises environment to discover long-lived cloud access keys stored in plain text. Using these harvested credentials, the attacker pivoted to the organization's cloud infrastructure, bypassing traditional perimeters to exfiltrate sensitive data from storage buckets. The incident highlights the critical risk of credential sprawl and the lack of isolation between on-premises and cloud environments.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (per Mandiant investigation)
- **Incident Date:** Ongoing prior to investigation
- **Affected Organization:** Not disclosed (Mandiant client)
- **Sector:** Information Technology / General Corporate
- **Geography:** Global / Cloud-based
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding the cloud breach.
- **Vector:** Compromised On-Premises Network.
- **Details:** The threat actor gained access to the internal on-premises network (initial vector likely via phishing or vulnerability exploitation) and conducted internal reconnaissance.
### Lateral Movement
- **Cloud Pivot:** While searching local file systems and developer environments, the actor discovered AWS/Azure/GCP access keys stored in configuration files and scripts in plain text.
- **Cross-Environment Migration:** The actor used these keys from their own infrastructure to authenticate to the client's cloud console and CLI.
### Data Exfiltration/Impact
- **Discovery:** The actor listed cloud storage buckets (e.g., S3, Azure Blobs, or GCS).
- **Exfiltration:** Large volumes of sensitive data were synchronized or downloaded from the cloud storage buckets to actor-controlled infrastructure.
### Detection & Response
- **How it was discovered:** Unusual API call patterns and data egress volumes were identified during a forensic investigation by Mandiant.
- **Response actions taken:** Revocation of compromised keys, implementation of IAM restrictions, and rotation of all secrets.
## Attack Methodology
- **Initial Access:** On-premises compromise (leading to credential discovery).
- **Persistence:** Use of long-lived, non-expiring cloud access keys.
- **Privilege Escalation:** Keys were often associated with high-level administrative or "Power User" service accounts.
- **Defense Evasion:** Use of legitimate credentials (living off the land) that do not trigger traditional malware alerts.
- **Credential Access:** Searching local disk for `.aws/credentials`, `.git`, or environment configuration files containing plain-text secrets.
- **Discovery:** Cloud resource enumeration (e.g., `Get-Bucket`, `ls`).
- **Lateral Movement:** Pivoting from on-premises servers to cloud-native APIs.
- **Collection:** Aggregating data within cloud storage buckets.
- **Exfiltration:** Direct transfer from cloud provider to actor's external IP addresses.
- **Impact:** Significant unauthorized data disclosure.
## Impact Assessment
- **Financial:** Costs associated with forensic investigation, legal notification, and potential regulatory fines.
- **Data Breach:** Exposure of sensitive corporate data stored in the cloud.
- **Operational:** Required a forced rotation of all cloud credentials and environment hardening.
- **Reputational:** Risk of loss of client trust due to the exposure of data.
## Indicators of Compromise
- **Network Indicators:**
  - Access to cloud APIs from atypical IP addresses (e.g., [x].[x].[x].[x]).
  - High-volume egress from storage subdomains (e.g., s3[.]amazonaws[.]com).
- **Behavioral Indicators:**
  - Unusual `ListBuckets` or `GetBucketLocation` API calls.
  - Use of credentials outside of expected geographic regions or business hours.
  - Rapid "enumeration-then-download" patterns.
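The behavioral indicators above can be turned into a simple detection over CloudTrail S3 records. The following is an added example, not part of the Mandiant report: it groups events by access key ID, and raises one alert per key that issues an enumeration call (`ListBuckets`, `GetBucketLocation`, `ListObjects*`) from an IP outside an assumed allowlist of corporate egress addresses and then fetches several objects within a short window. The event records, key IDs, and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_CALLS = {"ListBuckets", "GetBucketLocation", "ListObjects", "ListObjectsV2"}
DOWNLOAD_CALLS = {"GetObject"}
KNOWN_EGRESS = {"203.0.113.10"}  # assumption: the organisation's normal egress IPs

def ev(t, name, ip, key):
    """Minimal record in CloudTrail's shape (constructed sample data, not real logs)."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}

# Constructed: key ...0001 enumerates from an unknown IP then bulk-downloads (alert);
# key ...0002 does the same from the known corporate egress address (no alert).
SAMPLE_EVENTS = [
    ev("2024-05-01T02:10:00Z", "ListBuckets", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    ev("2024-05-01T02:12:00Z", "GetObject", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    ev("2024-05-01T02:12:30Z", "GetObject", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    ev("2024-05-01T02:13:00Z", "GetObject", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    ev("2024-05-01T02:14:00Z", "GetObject", "198.51.100.7", "AKIAEXAMPLEKEY000001"),
    ev("2024-05-01T10:00:00Z", "ListBuckets", "203.0.113.10", "AKIAEXAMPLEKEY000002"),
    ev("2024-05-01T10:01:00Z", "GetObject", "203.0.113.10", "AKIAEXAMPLEKEY000002"),
    ev("2024-05-01T10:02:00Z", "GetObject", "203.0.113.10", "AKIAEXAMPLEKEY000002"),
    ev("2024-05-01T10:03:00Z", "GetObject", "203.0.113.10", "AKIAEXAMPLEKEY000002"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_enum_then_download(events, window=timedelta(minutes=15),
                            min_downloads=3, allowlist=KNOWN_EGRESS):
    """One alert per access key that enumerates from a non-allowlisted IP and then
    issues at least min_downloads GetObject calls within the window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] not in ENUM_CALLS or e["sourceIPAddress"] in allowlist:
                continue
            t0 = parse_time(e["eventTime"])
            downloads = [d for d in evs[i + 1:] if d["eventName"] in DOWNLOAD_CALLS
                         and parse_time(d["eventTime"]) - t0 <= window]
            if len(downloads) >= min_downloads:
                alerts.append({"accessKeyId": key, "sourceIPAddress": e["sourceIPAddress"],
                               "firstEnumeration": e["eventTime"], "downloads": len(downloads)})
                break  # one alert per key is enough for triage
    return alerts
```

Without an egress allowlist the same logic also flags the second key, which is why the source-IP baseline matters as much as the call pattern.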
## Response Actions
- **Containment:** Deactivated the specific Access Key IDs identified in the logs.
- **Eradication:** Scanned on-premises environments for any remaining plain-text secret files and purged them.
- **Recovery:** Restored secure access using temporary, role-based credentials (STS) instead of long-lived keys.
## Lessons Learned
- **Credential Hygiene:** Storing keys in plain text on local machines is a single point of failure that bridges on-prem and cloud risk.
- **Monitoring Gaps:** Logging for cloud storage access (e.g., CloudTrail data events) was either not enabled or not monitored for anomalies.
- **Least Privilege:** Service accounts used by developers often had broader permissions than necessary.
## Recommendations
- **Avoid Long-Lived Keys:** Transition to IAM Roles (for EC2/Compute) and OIDC-based authentication.
- **Secrets Management:** Deploy a dedicated secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) and ensure no keys are committed to code or stored in flat files.
- **Enable Cloud Logging:** Turn on S3 data events and conduct regular threat hunting for anomalous user-agent strings or source IPs in cloud logs.
- **Identity Segmentation:** Ensure that a compromise of the on-premises AD environment does not automatically grant "Keys to the Kingdom" in the cloud.
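The eradication step (scanning on-premises hosts for remaining plain-text secret files) and the secrets-management recommendation (no keys in code or flat files) both need an audit that can be re-run. The following is an added example, not code from the report: it walks a directory tree, looks only at file names and extensions where static cloud credentials typically end up, and reports each line holding an AWS access key ID (the `AKIA`/`ASIA` prefix plus 16 characters) or an `aws_secret_access_key` assignment. The sample tree, file contents, and key values are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Patterns for static AWS credentials: access key IDs (AKIA = long-lived, ASIA = temporary)
# and secret-key assignments as they appear in ~/.aws/credentials, .env files and scripts.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+")
SUSPECT_NAMES = {"credentials", "config", ".env"}
SUSPECT_SUFFIXES = {".cfg", ".ini", ".sh", ".ps1", ".yaml", ".yml", ".json", ".tf", ".py"}

def scan_tree(root, max_bytes=1_000_000):
    """Walk root and return one finding per line that holds a key ID or a secret assignment."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        if path.name not in SUSPECT_NAMES and path.suffix not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            if KEY_ID_RE.search(line):
                findings.append({"file": rel, "line": lineno, "kind": "access_key_id"})
            elif SECRET_RE.search(line):
                findings.append({"file": rel, "line": lineno, "kind": "secret_key"})
    return findings

def build_sample_tree():
    """Constructed directory mimicking a developer host; the key values are placeholders."""
    root = Path(tempfile.mkdtemp())
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLEKEY000001\n"
        "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLE000\n")
    (root / "deploy.sh").write_text("#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000002\n")
    (root / "README.md").write_text("Use IAM roles; no static keys live here.\n")
    return root
```

Findings should be purged and the matching keys deactivated in IAM, since a key found on disk has to be treated as exposed regardless of whether it was used.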