AI-Assisted Attack Takes AWS Environment Eight Minutes To Escalate Privileges To Admin
by Justin Erickson
Researchers from Sysdig’s Threat Research Team observed an intruder gain full administrative control of an Amazon Web Services environment in about eight minutes, using AI and a single credential exposed in a public S3 bucket. The attacker started with valid AWS access keys left in a public S3 bucket, then promptly enumerated the AWS services and escalated privileges across the account, moving across 19 AWS principals until they had access to and control over an admin user. According to the research, large language models were used to automate the attack, reducing the time taken to about eight minutes. The attacker not only stole data but also engaged in LLMjacking (using the victim’s account to run their own AI models). The cause was not a flaw in the cloud service itself but a failure to properly secure credentials. According to Sysdig, “To prevent this… companies must stop leaving access keys in public areas and should use ‘IAM roles,’ which provide temporary access instead. Watching for massive enumeration, where a user suddenly tries to list every single file in an account, is one of the best ways to catch these hackers before they finish.”
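The enumeration monitoring recommended above can be sketched as a sliding-window check over CloudTrail records. This is an added example, not code from Sysdig or the original article; the function names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("List", "Describe", "Get")  # read-only discovery verbs

def find_enumeration_bursts(records, window=timedelta(minutes=5),
                            min_calls=10, min_services=4):
    """Flag principals whose discovery calls span many services in one window."""
    by_principal = defaultdict(list)
    for rec in records:
        if rec["eventName"].startswith(READ_PREFIXES):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[rec["userIdentity"]["arn"]].append((ts, rec))
    alerts = []
    for arn, events in by_principal.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = [rec for _, rec in events[start:end + 1]]
            services = sorted({rec["eventSource"] for rec in span})
            if len(span) >= min_calls and len(services) >= min_services:
                key_id = span[-1]["userIdentity"].get("accessKeyId", "")
                alerts.append({"principal": arn, "calls": len(span), "services": services,
                               # AKIA = long-term IAM user key; ASIA = temporary STS key
                               "long_term_key": key_id.startswith("AKIA")})
                break  # one alert per principal is enough
    return alerts

def sample_records():
    """Constructed CloudTrail-shaped records, not data from the incident."""
    def rec(minute, second, name, service, arn, key_id):
        return {"eventTime": f"2025-01-01T10:{minute:02d}:{second:02d}Z",
                "eventName": name, "eventSource": f"{service}.amazonaws.com",
                "userIdentity": {"arn": arn, "accessKeyId": key_id}}
    user = "arn:aws:iam::111122223333:user/example-user"
    role = "arn:aws:sts::111122223333:assumed-role/example-role/session"
    calls = [("ListBuckets", "s3"), ("ListUsers", "iam"), ("ListRoles", "iam"),
             ("DescribeInstances", "ec2"), ("ListKeys", "kms"),
             ("ListSecrets", "secretsmanager"), ("ListAttachedUserPolicies", "iam"),
             ("GetAccountAuthorizationDetails", "iam"),
             ("DescribeDBInstances", "rds"), ("ListFoundationModels", "bedrock")]
    burst = [rec(0, 5 * i, name, svc, user, "AKIAEXAMPLEEXAMPLE00")
             for i, (name, svc) in enumerate(calls)]
    quiet = [rec(m, 0, "ListBuckets", "s3", role, "ASIAEXAMPLEEXAMPLE00")
             for m in (1, 20, 45)]
    return burst + quiet
```

The `long_term_key` flag separates bursts made with static access keys from those made with temporary role credentials, which helps triage toward the exposed-key scenario described in the article.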
