Monday , July 13 2026
AWS

Less than10 Minutes: Hackers Gain AWS Admin Access Using AI

Sysdig Threat Research Team (TRT) observed an offensive cloud operation targeting an AWS environment in which the threat actor went from initial access to administrative privileges in less than 10 minutes. This incident was notable for its rapid execution and indications that the attacker used large language models (LLMs) to automate tasks, generate harmful code, and make on-the-spot decisions.

The attacker accessed the victim’s AWS account using credentials found in public S3 buckets. They quickly escalated their privileges via Lambda function code injection, spread across 19 AWS principals, misused Amazon Bedrock for LLM jacking, and started GPU instances for model training.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

The threat actor accessed the victim’s systems using stolen test credentials from public S3 buckets, which held RAG data for AI models. The compromised credentials belonged to an IAM user with extensive permissions on AWS Lambda and limited permissions on AWS Bedrock.

Attack Stage Time to Execute Key Techniques
Initial Access < 1 minute Credential theft from public S3 buckets containing RAG data
Reconnaissance 2-3 minutes Enumeration across 10+ AWS services using ReadOnlyAccess policy
Privilege Escalation 4-5 minutes Lambda code injection targeting admin user “frick”
Lateral Movement 6-7 minutes Compromise of 19 AWS principals via role assumption
LLMjacking 8-9 minutes Invocation of 9 foundation models on Amazon Bedrock
Resource Abuse 9-10 minutes p4d.24xlarge GPU instance provisioning ($32.77/hour)

Attack timeline:

The following timeline reconstructs the complete two-hour attack sequence, beginning with credential theft, based on CloudTrail analysis:

0:00:00 – The threat actor extracted credentials for IAM user compromised_userfrom public S3 buckets.

0:06:00 – Following initial enumeration, they failed to assume admin roles (admin, Administrator) but successfully assumed existing roles sysadmin, netadmin, and account.

0:08:00 – They replaced the code of the Lambda function EC2-init and increased the timeout from 3 to 30 seconds. The function was modified three times, first targeting adminGH (which lacked admin privileges), then successfully compromising the admin user frick.

0:11:00 – Using the admin user frick, they created a new user backdoor-adminand attached the AdministratorAccess policy.

0:58:00-1:51:00 – They invoked Bedrock models 13 times, including Claude Sonnet 4, Claude Opus 4, Claude 3.5 Sonnet, Claude 3 Haiku, DeepSeek R1, Llama 4 Scout, Amazon Nova Premier, Amazon Titan Image Generator, and Cohere Embed v3. Invoking certain Claude models required calling AcceptAgreementRequest. They leveraged cross-Region inference throughout.

1:00:00 – They created access keys for usersrocker (which had BedrockFullAccess policy) and AzureADRoleManager.

1:05:00-1:35:00 – Extensive reconnaissance across Secrets Manager, SSM, S3, ECS, Organizations, RDS, CloudWatch, Bedrock, OpenSearch Serverless, SageMaker, and KMS.

1:21:00 – Successfully assumed roles of sysadmin,developer, and external. Failed to assume EKS-access.

1:42:00 – Using backdoor-admin, they failed to run p5.48xlarge instances due to capacity constraints, then successfully launched a p4d.24xlarge instance. The instance was terminated after 5 minutes. They also shared its snapshot (SharedSnapshotVolumeCreated).

1:51:00 – The threat actor’s access was terminated and the attack ended.

Indicators of Compromise

IP address VPN
104.155.129[.]177 Yes
104.155.178[.]59 Yes
104.197.169[.]222 Yes
136.113.159[.]75 Yes
34.173.176[.]171 Yes
34.63.142[.]34 Yes
34.66.36[.]38 Yes
34.69.200[.]125 Yes
34.9.139[.]206 Yes
35.188.114[.]132 Yes
35.192.38[.]204 Yes
34.171.37[.]34 Yes
204.152.223[.]172 Yes
34.30.49[.]235 Yes
103.177.183[.]165 No
152.58.47[.]83 No
194.127.167[.]92 No
197.51.170[.]131 No

Mitigation recommendations:

Organizations should implement the following controls to defend against similar attacks:

  • Apply the principle of least privilege to all IAM users and roles, including execution roles used by Lambda functions. An overly permissive execution role enabled the threat actor to escalate privileges in this attack.
    * Restrict UpdateFunctionConfiguration and PassRolepermissions carefully. Threat actors may attempt to replace a Lambda function’s execution role with a more privileged one, which requires both permissions.
    * Limit UpdateFunctionCode permissions to specific functions and assign them only to principals that genuinely need code deployment capabilities.
    * Enable Lambda function versioning to maintain immutable records of the code running at any point. Use function aliases to point to specific versions, requiring a threat actor to both modify code and update the alias to affect production.
    * Ensure S3 buckets containing sensitive data, including RAG data and AI model artifacts, are not publicly accessible.
    * Enable model invocation logging for Amazon Bedrock to detect unauthorized usage.
    * Monitor for IAM Access Analyzer enumeration, as this provides threat actors with valuable reconnaissance data about your environment.

Check Also

Apple

New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide

Researchers at cybersecurity firm Paradigm Shift found a new flaw called usbliter8. This flaw can …