Cyber Pulse: Technical Threat Deep Dives on Active CVEs — Russian and North Korean Threats Targeting AWS Infrastructure

Intro

Amazon’s internal security teams have confirmed a large-scale campaign targeting AWS infrastructure from two fronts: Russia’s Sandworm (GRU-backed) and North Korean state-aligned operatives. These campaigns rely not on zero-day vulnerabilities but on misconfigurations, credential theft, and social engineering, aimed at Western critical infrastructure and at remote-work hiring pipelines.

🔬 Exploitation Detail

Attackers leverage misconfigured edge devices hosted in customer AWS environments, especially those with exposed SSH, RDP, or web admin panels. North Korean operatives apply for remote jobs using stolen or falsified identities, often via verified dormant LinkedIn accounts and domestic laptop farms to evade detection.

ssh -i stolen_key.pem admin@ec2-[redacted].compute.amazonaws.com

📎 Attacker Behavior Snapshot

– Russian operators scan and brute-force exposed services, replay credentials, and establish persistent SSH access
– North Korean actors submit job applications using spoofed identities and U.S.-based laptop farms
– Compromised systems leak instance metadata, credentials, cloud resource access, internal IPs, and IAM permissions

🧩 Why This Matters

This campaign highlights how misconfigurations and weak identity controls are becoming the preferred vector for advanced threat actors. Even hardened systems can fall when IAM policies, segmentation, and detection are neglected.

Exploitation results in:

  • Credential theft and persistent remote access
  • Invisible lateral movement via legitimate admin paths
  • Nation-state infiltration of critical infrastructure and corporate networks

🧩 MITRE ATT&CK Mapping

Initial Access: T1078 – Valid Accounts / T1190 – Exploit Public-Facing Application
Execution: T1059 – Command and Scripting Interpreter
Persistence: T1136 – Create Account / T1078.004 – Cloud Accounts
Defense Evasion: T1110.003 – Password Spraying / T1556.001 – Credential API Hooking
Command and Control: T1071 – Application Layer Protocol

🧪 Detection Rules

YARA Rule (Memory/Doc/PCAP)

rule Suspicious_SSH_Activity_AWS
{
    meta:
        description = "Detects known SSH brute-force and credential stuffing attempts"
    strings:
        $ssh_banner = "SSH-2.0-OpenSSH"
        $login_fail = "Permission denied"
    condition:
        $ssh_banner and $login_fail
}

Suricata or Zeek (Network)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Possible SSH Credential Stuffing"; flow:to_server,established; content:"SSH-2.0"; depth:10; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000002;)

Sigma Rule (SIEM/EDR)

title: AWS EC2 SSH Connection From Unusual Geo
status: experimental
level: medium
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventName: "AuthorizeSecurityGroupIngress"
  expected_sources:
    # Placeholder ranges: replace with the CIDR blocks your operators actually use.
    # Sigma's cidr modifier matches on address ranges, not on AWS region names.
    sourceIPAddress|cidr:
      - "198.51.100.0/24"
      - "203.0.113.0/24"
  condition: selection and not expected_sources
fields:
  - userIdentity.arn
  - sourceIPAddress
  - requestParameters.groupId

🔎 Detection Strategies

✅ Network Detection:

  • Track abnormal access patterns to AWS-hosted services from IPs outside expected regions
  • Detect brute-force or repeated login failures to SSH, RDP, or exposed web panels
  • Flag account creation or privilege escalation outside standard change windows

✅ Endpoint Detection:

  • ssh.exe or PowerShell spawning from unauthorized user contexts
  • IAM or security group changes made via CLI
  • LinkedIn, Zoom, or Slack activity tied to job applicant behavior from suspect geos

⚡ Splunk Query


index=aws sourcetype="aws:cloudtrail" (eventName=ConsoleLogin OR eventName=AuthorizeSecurityGroupIngress)
| stats count by sourceIPAddress, userIdentity.arn, eventName
| where count > 5
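The Sigma rule and the Splunk query above express two checks: a security-group change from a source outside an expected set of ranges, and more than five watched events from one source and principal. The script below is an added illustration, not code from the original brief, and runs both checks over a constructed batch of CloudTrail records. The allowlist CIDRs, the example account id 123456789012, the user names and the sg- group ids are placeholders, not values from the page.

```python
import ipaddress
import json
from collections import Counter

# Placeholder allowlist of source ranges your operators are expected to use
# (replace with your own). A CIDR test needs address ranges, not region names;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real ones.
EXPECTED_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
WATCHED_EVENTS = {"ConsoleLogin", "AuthorizeSecurityGroupIngress"}
BURST_THRESHOLD = 5  # the Splunk query's "where count > 5"


def _event(name, src, arn, group_id=None):
    """Build a minimal CloudTrail record with only the fields the checks use."""
    rec = {"eventVersion": "1.08", "eventName": name, "sourceIPAddress": src,
           "userIdentity": {"type": "IAMUser", "arn": arn}}
    if group_id:
        rec["requestParameters"] = {"groupId": group_id}
    return rec


# Constructed sample records (not real CloudTrail data). 123456789012 is the
# example account id used in AWS documentation; 192.0.2.0/24 is a documentation range.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
SAMPLE_TRAIL = json.dumps({"Records":
    [_event("ConsoleLogin", "192.0.2.10", ALICE) for _ in range(6)]
    + [_event("AuthorizeSecurityGroupIngress", "192.0.2.10", ALICE, "sg-0placeholder1")]
    + [_event("AuthorizeSecurityGroupIngress", "198.51.100.7", BOB, "sg-0placeholder2")] * 2
    + [_event("AuthorizeSecurityGroupIngress", "cloudformation.amazonaws.com", BOB, "sg-0placeholder2")]
    + [_event("DescribeInstances", "192.0.2.10", ALICE)]})


def is_expected_source(src, expected=EXPECTED_CIDRS):
    """True when src falls inside an expected range.

    CloudTrail records calls made on your behalf by AWS services with a service
    hostname (e.g. "cloudformation.amazonaws.com") instead of an IP address. Those
    are not operator sessions, so they are treated as expected here rather than
    raising an error.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return any(ip in net for net in expected)


def load_records(raw):
    """Parse a CloudTrail log file body ({"Records": [...]})."""
    return json.loads(raw)["Records"]


def analyze(records, expected=EXPECTED_CIDRS, threshold=BURST_THRESHOLD):
    """Return findings from the two checks: unexpected source, and burst of events."""
    findings = []
    counts = Counter()
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        src = rec.get("sourceIPAddress", "")
        arn = rec.get("userIdentity", {}).get("arn", "<no arn>")
        counts[(src, arn, name)] += 1
        # Sigma-style check: a security group was opened from outside the expected ranges.
        if name == "AuthorizeSecurityGroupIngress" and not is_expected_source(src, expected):
            findings.append({"rule": "unexpected_source", "sourceIPAddress": src, "arn": arn,
                             "eventName": name,
                             "groupId": rec.get("requestParameters", {}).get("groupId")})
    # Splunk-style check: more than `threshold` watched events per (source, principal, event).
    for (src, arn, name), n in counts.items():
        if n > threshold:
            findings.append({"rule": "burst", "sourceIPAddress": src, "arn": arn,
                             "eventName": name, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(load_records(SAMPLE_TRAIL)):
        print(json.dumps(finding))
```

Run against a real CloudTrail delivery, the same two functions apply unchanged: read each gzipped log object, pass its `Records` array to `analyze`, and aggregate findings across files before applying the burst threshold, since a burst can straddle delivery boundaries.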

🛠️ SOC Detection Strategy

– Alert on credential use from non-whitelisted IP ranges
– Correlate IAM access logs with edge device exposure
– Tune for behavioral patterns linked to DPRK ops, such as job-hopping LinkedIn profiles or burst hiring activity from compromised applicant accounts
– Escalate lateral movement or unusual cloud control plane activity

🛠️ Tools & Techniques

Tool | Usage
AWS CloudTrail | Monitor IAM and EC2 access
GuardDuty | Threat detection and anomaly monitoring
Splunk | Log correlation and geo-based alerting
Zeek | Network protocol analysis
Sysmon | Endpoint process tracing
LinkedIn OSINT | Detect profile reuse or stolen identities

🛡️ Mitigation & Response

– Audit IAM roles and restrict access using federation
– Enforce MFA on all accounts including IAM and customer-facing services
– Rotate credentials exposed in public code or resume submissions
– Lock down all edge devices exposed via cloud
– Use secondary verification during remote hiring
– Identify and block laptop farms acting as domestic job fronts
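To make the "lock down all edge devices exposed via cloud" item concrete, here is an added audit script (not from the original post and not AWS tooling) that reads JSON in the shape of `aws ec2 describe-security-groups` output and flags groups that allow SSH or RDP from any source. It also catches the two cases a quick eyeball review tends to miss: a port range that happens to cover 3389, and an all-traffic rule whose only source is the IPv6 any-address. The sample groups, group ids and address ranges are constructed placeholders.

```python
import ipaddress
import json

# Admin services this audit cares about; extend as needed.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids are placeholders, not real resources; 198.51.100.0/24 is a documentation range.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0placeholder1", "GroupName": "edge-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0placeholder2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        # "-1" is AWS shorthand for all protocols and ports; an IPv6 any-source
        # rule is easy to miss when only IpRanges is reviewed.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0placeholder3", "GroupName": "win-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]})


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposes_port(perm, port):
    """True if an IpPermissions entry allows TCP `port`, including via a port range
    or an all-traffic ("-1") rule."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def sources(perm):
    """Yield every IPv4 and IPv6 CIDR a permission entry accepts traffic from."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit(raw):
    """Return one finding per (group, admin port) reachable from any source."""
    findings = []
    for sg in json.loads(raw)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            open_from = [c for c in sources(perm) if is_world_open(c)]
            if not open_from:
                continue
            for port, service in ADMIN_PORTS.items():
                if exposes_port(perm, port):
                    findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                                     "port": port, "service": service, "open_from": open_from})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_SGS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['service']}/{f['port']} "
              f"open from {', '.join(f['open_from'])}")
```

Rules that reference a managed prefix list or another security group (`PrefixListIds`, `UserIdGroupPairs`) are not examined here; they need to be resolved separately before the same port check can be applied to them.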

📋 Incident Response Snippets

– grep for SSH/RDP brute-force IPs
– Splunk: trace IAM role activity pre/post connection
– IR questions: Was infrastructure exposed? Credentials reused? IAM logs manipulated?
– Cleanup: Disable suspicious IAM accounts, revoke keys, audit EC2 instances
– Lateral movement: Check VPC cross-access, S3 logs, CloudTrail for signs of exfiltration
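The brute-force item under Network Detection and the "grep for SSH/RDP brute-force IPs" step above share one piece of logic: count failed logins per source inside a time window. The script below is an added example, not code from the original brief. It parses constructed sshd syslog lines (documentation IP ranges, an invented host name), flags sources that cross the threshold within the window, and separately reports any accepted login from a source that was already flagged, which is the case an IR lead most wants surfaced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in traditional syslog format (not captured data).
# 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges; the host name is invented.
SAMPLE_AUTH_LOG = """\
Dec 19 03:10:00 ip-10-0-1-5 sshd[1901]: Failed password for root from 203.0.113.9 port 60000 ssh2
Dec 19 03:11:10 ip-10-0-1-5 sshd[1905]: Failed password for root from 203.0.113.9 port 60002 ssh2
Dec 19 03:12:20 ip-10-0-1-5 sshd[1910]: Failed password for root from 203.0.113.9 port 60004 ssh2
Dec 19 03:13:30 ip-10-0-1-5 sshd[1914]: Failed password for root from 203.0.113.9 port 60006 ssh2
Dec 19 03:14:01 ip-10-0-1-5 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec 19 03:14:03 ip-10-0-1-5 sshd[2104]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Dec 19 03:14:05 ip-10-0-1-5 sshd[2107]: Failed password for root from 203.0.113.45 port 51034 ssh2
Dec 19 03:14:06 ip-10-0-1-5 sshd[2110]: Failed password for invalid user test from 203.0.113.45 port 51040 ssh2
Dec 19 03:14:08 ip-10-0-1-5 sshd[2113]: Failed password for ec2-user from 203.0.113.45 port 51048 ssh2
Dec 19 03:14:09 ip-10-0-1-5 sshd[2116]: Failed password for ec2-user from 203.0.113.45 port 51052 ssh2
Dec 19 03:14:20 ip-10-0-1-5 sshd[2122]: Accepted publickey for ec2-user from 203.0.113.45 port 51090 ssh2: RSA SHA256:PLACEHOLDER
Dec 19 03:14:40 ip-10-0-1-5 sshd[1918]: Failed password for root from 203.0.113.9 port 60008 ssh2
Dec 19 03:15:00 ip-10-0-1-5 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 19 03:15:00 ip-10-0-1-5 sshd[2203]: Failed password for ubuntu from 192.0.2.77 port 40010 ssh2
Dec 19 03:15:30 ip-10-0-1-5 sshd[2206]: Failed password for ubuntu from 192.0.2.77 port 40012 ssh2
Dec 19 03:15:45 ip-10-0-1-5 sshd[2209]: Accepted password for ubuntu from 192.0.2.77 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this window


def parse_line(line):
    """Return {ts, result, user, ip} for sshd auth lines, None for anything else.
    Syslog timestamps carry no year, so datetime defaults to 1900; only the
    relative spacing matters for windowing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window brute-force detection per source IP, plus the IR-relevant
    follow-up: any accepted login from a source that was already flagged."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time the threshold was first crossed
    logins_after = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed password":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            logins_after.append({"ip": ip, "user": ev["user"], "ts": ts, "method": ev["result"]})
    return {"brute_force_sources": flagged, "logins_after_brute_force": logins_after}


if __name__ == "__main__":
    result = detect(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in result["brute_force_sources"].items():
        print(f"{ip}: {THRESHOLD} failures within {WINDOW.seconds}s by {when:%b %d %H:%M:%S}")
    for login in result["logins_after_brute_force"]:
        print(f"ALERT accepted {login['method']} for {login['user']} from {login['ip']} after brute force")
```

The slow source in the sample (one failure every 70 seconds) never crosses the 60-second window and stays unreported, which is the tuning trade-off to be aware of: a longer window catches low-and-slow spraying at the cost of more noise from ordinary typos.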

📚 Suggested Reading & External References

– Steve Schmidt on LinkedIn
– CJ Moses post on Russian threat
– Forbes analysis
– MITRE ATT&CK: T1078, T1059, T1136, T1190
– FBI Advisory on DPRK Remote Workers

🗾️ Final Thoughts

These attacks exploit not software flaws, but human ones: misconfigured access, identity oversights, and trust in remote applicants. The battlefield has shifted into cloud management and HR pipelines.

Most effective action: Audit external services and enforce strict IAM and MFA policies now.

Published: December 19, 2025
