Crimson Collective is using the open source scanner TruffleHog to hunt exposed AWS credentials, enabling data theft, network mapping, and extortion after its Red Hat breach.
Crimson Collective, the threat actor behind a major Red Hat breach, has shifted focus to Amazon Web Services (AWS) cloud environments. The group aims to establish persistence, steal sensitive data, and extort victims for money.
Cybersecurity researchers at Rapid7 observed that the attackers are using the open‑source secrets scanner TruffleHog to locate exposed AWS credentials. Once validated, these credentials are used to create new IAM users and access keys via API, escalate privileges by attaching policies such as AdministratorAccess, and map the victim’s network. Subsequent steps include modifying RDS passwords, creating snapshots, exporting data to S3, and exfiltrating objects before sending extortion demands, sometimes via AWS SES.
The group previously breached Red Hat’s private GitLab repositories, exfiltrating approximately 570GB of data from 28,000 internal projects, including 800 Customer Engagement Records (CERs) containing infrastructure, authentication, and operational details. Such records raise the risk of follow-on attacks against Red Hat customers.
AWS advises: “Use short‑term, least‑privileged credentials and implement restrictive IAM policies. In the event a customer suspects their credentials may have been exposed, they can start by following the steps listed in this post. If customers have any questions about the security of their accounts, they are advised to contact AWS support.”
Rapid7 recommends: “Avoid long‑term credentials, use temporary roles, implement least‑privilege access, monitor suspicious activity, and proactively scan code repositories for secrets.”
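The chain Rapid7 describes (new IAM user, new access key, AdministratorAccess attached, RDS instance modified, snapshot taken, export to S3) leaves a recognisable trail in CloudTrail. The following detector is an added example written for this article, not code from Rapid7, AWS or the TruffleHog project: it groups CloudTrail-style records by the access key that made each call and flags any key that walks through several stages of that chain. The event records, access key IDs, user names, bucket name and timestamps are all constructed for the example; real CloudTrail records carry many more fields and may redact request parameters such as passwords.

```python
"""Flag CloudTrail records that match the IAM-abuse chain reported by Rapid7.

Added example: the stage table and correlation logic are this article's own
illustration, and every record in SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict

# (eventSource, eventName) pairs that correspond to stages of the reported chain.
CHAIN_EVENTS = {
    ("iam.amazonaws.com", "CreateUser"): "iam_user_created",
    ("iam.amazonaws.com", "CreateAccessKey"): "access_key_created",
    ("iam.amazonaws.com", "AttachUserPolicy"): "policy_attached",
    ("rds.amazonaws.com", "ModifyDBInstance"): "rds_instance_modified",
    ("rds.amazonaws.com", "CreateDBSnapshot"): "rds_snapshot_created",
    ("rds.amazonaws.com", "StartExportTask"): "rds_export_to_s3",
}

# The managed policy named in the article; attaching it is the highest-signal stage.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def classify(event):
    """Return the chain stage an event belongs to, or None for unrelated calls."""
    label = CHAIN_EVENTS.get((event.get("eventSource"), event.get("eventName")))
    if label is None:
        return None
    params = event.get("requestParameters") or {}
    # Distinguish a full-admin grant from any other policy attachment.
    if label == "policy_attached" and params.get("policyArn") == ADMIN_POLICY:
        return "admin_policy_attached"
    return label


def detect_chain(events, min_stages=3):
    """Group chain stages by the calling access key, in time order, and return
    the keys that reached at least `min_stages` distinct stages.

    Correlating on accessKeyId rather than user name catches the case where
    one leaked key creates a new user and then acts through that user.
    """
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        label = classify(ev)
        if label is None:
            continue
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        if label not in stages[key_id]:
            stages[key_id].append(label)
    return {k: v for k, v in stages.items() if len(v) >= min_stages}


def _rec(time, source, name, key_id, params):
    """Build a minimal constructed CloudTrail-style record."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key_id}, "requestParameters": params}


# Constructed sample: KEY_1 walks the whole chain; KEY_2 only creates one user.
SAMPLE_EVENTS = [
    _rec("2025-01-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances",
         "AKIA_CONSTRUCTED_KEY_1", {}),
    _rec("2025-01-01T10:01:00Z", "iam.amazonaws.com", "CreateUser",
         "AKIA_CONSTRUCTED_KEY_1", {"userName": "backup-svc"}),
    _rec("2025-01-01T10:01:30Z", "iam.amazonaws.com", "CreateAccessKey",
         "AKIA_CONSTRUCTED_KEY_1", {"userName": "backup-svc"}),
    _rec("2025-01-01T10:02:00Z", "iam.amazonaws.com", "AttachUserPolicy",
         "AKIA_CONSTRUCTED_KEY_1", {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _rec("2025-01-01T10:20:00Z", "rds.amazonaws.com", "ModifyDBInstance",
         "AKIA_CONSTRUCTED_KEY_1", {"dBInstanceIdentifier": "prod-db"}),
    _rec("2025-01-01T10:25:00Z", "rds.amazonaws.com", "CreateDBSnapshot",
         "AKIA_CONSTRUCTED_KEY_1", {"dBInstanceIdentifier": "prod-db"}),
    _rec("2025-01-01T10:40:00Z", "rds.amazonaws.com", "StartExportTask",
         "AKIA_CONSTRUCTED_KEY_1", {"s3BucketName": "constructed-export-bucket"}),
    _rec("2025-01-01T11:00:00Z", "iam.amazonaws.com", "CreateUser",
         "AKIA_CONSTRUCTED_KEY_2", {"userName": "new-hire"}),
]

if __name__ == "__main__":
    for key_id, seen in detect_chain(SAMPLE_EVENTS).items():
        print(f"{key_id}: {' -> '.join(seen)}")
```

Tuning `min_stages` trades noise for coverage: a legitimate administrator may well create a user and attach a policy in one sitting, but the same key then changing an RDS master password and exporting a snapshot to S3 is rare enough to page on. Pairing this with the article's own advice, short-lived role credentials instead of long-term access keys, shrinks the window in which a leaked key can complete the chain at all.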
This case highlights the dual-use nature of open source tools: TruffleHog, designed to protect organisations by detecting leaked secrets, is now being exploited to compromise them, underscoring the need for proactive secret management and restrictive IAM policies.