Crimson Collective
Crimson Collective is an emerging cyber extortion group specializing in cloud-focused intrusions, primarily targeting AWS environments to steal sensitive data and pressure victims through public exposure and ransom demands.

The Origin of the Crimson Collective
The Crimson Collective is an emerging threat group conducting targeted attacks against AWS cloud environments with the goal of data exfiltration and extortion. The group first gained attention after claiming responsibility for an attack on Red Hat, where they allegedly stole private GitLab repositories. Their operations reflect a deep understanding of AWS architecture, IAM configurations, and cloud-native services—leveraging these legitimate components to stay undetected until exfiltration occurs.
Crimson Collective is a newly surfaced extortion-motivated actor targeting AWS cloud estates with a strong focus on data theft over encryption. The group publicly claimed responsibility for breaching a Red Hat Consulting GitLab instance and exfiltrating a large trove of internal repositories; Red Hat confirmed unauthorized access to that consulting GitLab but has not validated the most sensational theft claims. Open-source reporting links Crimson Collective activity to systematic AWS reconnaissance and export of cloud data, consistent with Rapid7’s observations of recent AWS-focused intrusions.
There are indications of collaboration or alignment with broader cyber-extortion ecosystems (e.g., ShinyHunters/“Scattered Lapsus$ Hunters”), though the exact operational relationship is fluid and not conclusively defined.
Countries targeted by Crimson Collective
Impact appears global, with coverage and notifications spanning US and European organizations (including a risk advisory by Belgium’s national cybersecurity authority tied to the incident).
Industries targeted by Crimson Collective
So far, entities with sizable cloud footprints and valuable source code or customer artifacts have been name-checked in reporting—software vendors and their consulting arms are prominent; media mentions also reference large enterprise and public-sector CERs as alleged exposure, but those specific claims remain unverified by Red Hat.
Crimson Collective's Victims
Red Hat Consulting’s private GitLab instance suffered unauthorized access and data copying. Unverified but claimed by the actor: massive repository/CER theft and downstream compromises of consulting clients.
Attack Stages & Activities

The actors harvest and validate leaked long-term AWS access keys using TruffleHog (visible via the GetCallerIdentity call and the “TruffleHog” user-agent in CloudTrail). They then create IAM users (CreateUser, CreateLoginProfile, CreateAccessKey) for persistence. Where creation fails, they probe entitlements with SimulatePrincipalPolicy.

They attach AdministratorAccess to new users (AttachUserPolicy) and extensively inventory the environment: IAM, EC2/EBS/S3, VPC/Route53/ELB, RDS, CloudWatch/Costs, SES/SNS quotas, and application inventories (a long list of Describe*, List*, and Get* calls across services).

They spin up permissive EC2 instances (RunInstances, CreateSecurityGroup) and attach volumes (AttachVolume) to mount copied data for processing or onward transfer.

They reset RDS master passwords (ModifyDBInstance), take RDS snapshots (CreateDBSnapshot) and export them to S3 (StartExportTask). They create EBS snapshots (CreateSnapshot) as data staging.

Exfiltration occurs via S3 object access (GetObject) and potentially from attacker-controlled EC2 instances.

Impact is extortionary: victims receive emails (including via the victim’s own SES) detailing stolen data and demanding payment; public pressure is amplified through media and leak-site posts by allied groups.
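The stages above are all visible as CloudTrail API names, and the useful detection signal is the sequence rather than any single call (CreateSnapshot or ModifyDBInstance alone is routine operations work). The following correlator is an added example, not Vectra's or any vendor's detection logic: it maps each CloudTrail eventName to a stage of the chain described above, applies the two qualifiers the write-up gives (a TruffleHog user-agent on GetCallerIdentity, the AdministratorAccess managed policy on AttachUserPolicy), groups hits by access key, and reports principals that touch two or more stages. The stage mapping, the two-stage threshold and the sample records (including the AKIA…EXAMPLE key IDs) are constructed assumptions for the example, not values from the reporting.

```python
"""Correlate CloudTrail events into the Crimson Collective AWS kill chain (added example)."""
import json
from collections import defaultdict

# CloudTrail eventName -> stage of the intrusion chain; mapping is this example's assumption.
STAGE_BY_EVENT = {
    "GetCallerIdentity": "key_validation",       # counted only when the user-agent is TruffleHog
    "CreateUser": "persistence",
    "CreateLoginProfile": "persistence",
    "CreateAccessKey": "persistence",
    "SimulatePrincipalPolicy": "entitlement_probe",
    "AttachUserPolicy": "privilege_escalation",  # counted only for the AdministratorAccess managed policy
    "RunInstances": "compute_staging",
    "CreateSecurityGroup": "compute_staging",
    "AttachVolume": "compute_staging",
    "ModifyDBInstance": "data_staging",
    "CreateDBSnapshot": "data_staging",
    "StartExportTask": "data_staging",
    "CreateSnapshot": "data_staging",
    "GetObject": "exfiltration",                 # S3 data event: present only if data-event logging is enabled
    "SendEmail": "extortion_delivery",           # SES send calls: confirm CloudTrail records them in your account
    "SendRawEmail": "extortion_delivery",
}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def _ev(time, service, name, key, ua="aws-cli/2.15.0", params=None):
    """Build a minimal CloudTrail-shaped record (helper for the constructed sample only)."""
    return {"eventTime": time, "eventSource": f"{service}.amazonaws.com", "eventName": name,
            "userAgent": ua, "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}, "requestParameters": params}


# Constructed sample records (not real telemetry). LEAKED plays the stolen long-term key,
# OPERATOR a legitimate administrator doing routine snapshot work the same day.
LEAKED, OPERATOR = "AKIA0000000000EXAMPLE", "AKIA1111111111EXAMPLE"
SAMPLE_EVENTS = [
    _ev("2025-10-01T10:00:00Z", "sts", "GetCallerIdentity", LEAKED, ua="TruffleHog"),
    _ev("2025-10-01T10:04:00Z", "iam", "CreateUser", LEAKED, params={"userName": "backup-svc"}),
    _ev("2025-10-01T10:05:00Z", "iam", "CreateAccessKey", LEAKED, params={"userName": "backup-svc"}),
    _ev("2025-10-01T10:06:00Z", "iam", "AttachUserPolicy", LEAKED,
        params={"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2025-10-01T11:30:00Z", "rds", "CreateDBSnapshot", LEAKED, params={"dBInstanceIdentifier": "prod-db"}),
    _ev("2025-10-01T12:10:00Z", "rds", "StartExportTask", LEAKED, params={"s3BucketName": "staging-bkt"}),
    _ev("2025-10-01T18:00:00Z", "ses", "SendEmail", LEAKED),
    _ev("2025-10-01T09:00:00Z", "sts", "GetCallerIdentity", OPERATOR),
    _ev("2025-10-01T09:30:00Z", "ec2", "CreateSnapshot", OPERATOR, params={"volumeId": "vol-0abc"}),
]


def principal_of(event):
    """Key the timeline on the access key ID; fall back to ARN or user name when absent."""
    ident = event.get("userIdentity") or {}
    return ident.get("accessKeyId") or ident.get("arn") or ident.get("userName") or "unknown"


def stage_of(event):
    """Return the stage an event maps to, or None if it is not a signal on its own."""
    name = event.get("eventName")
    stage = STAGE_BY_EVENT.get(name)
    if stage is None:
        return None
    if name == "GetCallerIdentity":
        # Routine identity checks are noise; the TruffleHog user-agent is the qualifier.
        return stage if "trufflehog" in (event.get("userAgent") or "").lower() else None
    if name == "AttachUserPolicy":
        arn = (event.get("requestParameters") or {}).get("policyArn", "")
        return stage if arn.endswith(ADMIN_POLICY_SUFFIX) else None
    return stage


def correlate(events, min_stages=2):
    """Group signal events by principal; return those that hit at least min_stages distinct stages."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        stage = stage_of(ev)
        if stage:
            timeline[principal_of(ev)].append((ev.get("eventTime", ""), stage, ev["eventName"]))
    findings = {}
    for principal, hits in timeline.items():
        stages = {s for _, s, _ in hits}
        if len(stages) >= min_stages:
            findings[principal] = {"stages": sorted(stages), "events": hits}
    return findings


def load_records(path):
    """Read a CloudTrail log file of the form {"Records": [...]} and return its records."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for principal, finding in correlate(SAMPLE_EVENTS).items():
        print(principal, finding["stages"])
        for when, stage, name in finding["events"]:
            print(f"  {when}  {stage:<20} {name}")
```

On the constructed sample only the leaked key is reported, with five stages; the operator key touches data_staging once and stays below the threshold. Against real data, point load_records at an exported CloudTrail file and tune min_stages and the time window to your environment; GetObject and SES send events only appear if the corresponding data-event logging is enabled.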
Crimson Collective's TTPs
How To Detect Crimson Collective with Vectra AI
FAQs
Is the Crimson Collective a ransomware group?
Crimson Collective is an extortion group; they do not use ransomware to encrypt data. Their primary play is data theft plus extortion (“double extortion” without a locker).
What is their first move inside AWS?
They validate leaked long-term keys with TruffleHog; CloudTrail shows GetCallerIdentity with a TruffleHog user-agent, followed by attempts to create IAM users and access keys.
How do they escalate privileges?
By attaching the AWS managed AdministratorAccess policy to freshly created users (AttachUserPolicy). If blocked, they probe effective permissions with SimulatePrincipalPolicy.
What data do they value most?
Live databases (RDS), EBS volume contents, S3 buckets, and source code / CER-like engagement artifacts that reveal environment details and access tokens. (Red Hat confirms access to the consulting GitLab; the scope of CER exposure remains actor-claimed.)
How is data staged and exfiltrated?
RDS → CreateDBSnapshot + StartExportTask to S3; EBS → CreateSnapshot, then attach to attacker-controlled EC2; S3 → GetObject for direct grabs.
Do they impact email/SMS?
They enumerate SES/SNS quotas and could misuse them for extortion delivery or spam from the victim environment.
What immediate containment should we apply if suspected?
Revoke any long-term AWS keys; disable/rotate compromised principals; block the relevant IOCs; quarantine attacker-created IAM users and access keys; stop in-flight StartExportTask jobs; lock down S3 bucket policies; snapshot for forensics, then rotate database master credentials. (General best practice aligned with incident write-ups.)
How to harden against repeat attempts?
Kill long-term user keys in favor of short-lived role creds; enforce least privilege; restrict console/API access by source IP / VPC endpoints; enable GuardDuty, CloudTrail lake queries, and budget/CUR anomaly alerts; scan repos and object stores for secrets (TruffleHog/GGShield et al.) and gate with pre-commit/CI.
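The first hardening item, retiring long-term user keys, starts with knowing which ones exist and whether they are still earning their keep. The audit below is an added example, not the page's or any vendor's tooling: it parses the CSV that `aws iam get-credential-report` returns (the column names are AWS's real ones; the rows here are constructed for the example, using the placeholder account ID 123456789012) and flags every active access key that is older than the rotation limit, has never been used, or has been idle longer than the idle limit. The 90-day rotation and 30-day idle thresholds and the evaluation date are assumptions to adjust per environment.

```python
"""Flag IAM long-term access keys that should be retired (added example, constructed data)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Evaluation date for the example; in practice use datetime.now(timezone.utc).
REPORT_TIME = datetime(2025, 10, 2, tzinfo=timezone.utc)

# Constructed excerpt in the format of `aws iam get-credential-report` (base64-decoded). Account ID
# 123456789012 is a placeholder. ci-deploy: old but in-use key; alice: fresh key; svc-legacy: two stale keys.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T08:00:00+00:00,not_supported,2025-09-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-04T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-03-04T10:00:00+00:00,2025-09-28T03:15:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-06-01T09:00:00+00:00,true,2025-09-30T08:00:00+00:00,2025-06-01T09:00:00+00:00,2025-12-01T09:00:00+00:00,true,true,2025-09-15T09:00:00+00:00,2025-09-29T17:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2020-02-02T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-02-02T10:00:00+00:00,N/A,N/A,N/A,true,2023-01-01T00:00:00+00:00,2023-02-01T00:00:00+00:00,us-east-1,ec2,false,N/A,false,N/A
"""

ABSENT = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601 with offset; several sentinel strings mean 'absent'."""
    if value is None or value in ABSENT:
        return None
    return datetime.fromisoformat(value)


def audit_long_term_keys(report_csv, now=REPORT_TIME, max_age_days=90, max_idle_days=30):
    """Return one finding per active access key that is stale, never used, or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to retire
            reasons = []
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or (now - rotated) > timedelta(days=max_age_days):
                reasons.append("stale_rotation")
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                reasons.append("never_used")
            elif (now - last_used) > timedelta(days=max_idle_days):
                reasons.append("idle")
            if reasons:
                findings.append({
                    "user": row["user"], "arn": row["arn"], "key": slot, "reasons": reasons,
                    # Retirement path: move the workload to a role with short-lived credentials, then delete the key.
                    "action": "migrate to role-based short-lived credentials, then delete key",
                })
    return findings


if __name__ == "__main__":
    for f in audit_long_term_keys(SAMPLE_REPORT):
        print(f"{f['user']:<12} key{f['key']}  {', '.join(f['reasons']):<28} -> {f['action']}")
```

On the sample, ci-deploy's key is flagged for rotation age only (it is still in daily use, so it needs a migration plan rather than an immediate delete), alice's fresh key passes, and both svc-legacy keys are flagged as stale and either never used or idle, which are the ones to remove first. Run it against a real report by decoding the Content field of get-credential-report and passing the CSV text.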
Are they linked to “Scattered Lapsus$ Hunters”?
Reports suggest coordination/association (e.g., extortion amplification and leaks), but the operational depth is not firmly established; treat as ecosystem adjacency rather than proven command-and-control.
Is Crimson Collective linked to The Com?
Given Crimson Collective's reported association with Scattered Lapsus$ Hunters, it can be argued that they might be part of that group's larger community, known as The Com.