Inside the Crimson Collective Attack Chain—and How to Break It with Zero Standing Privileges
Gabriel Avner
October 10, 2025
Details have emerged in recent weeks about how the Crimson Collective threat group has been running a large-scale campaign against Amazon Web Services cloud environments. The reporting highlights how easily the attackers progressed once they held valid credentials.
The Crimson Collective claims to have exfiltrated roughly 570 GB of data from about 28,000 internal GitLab projects; Red Hat has confirmed unauthorized access to a GitLab instance used by Red Hat Consulting but has not verified the full scope of those claims.
After the breach became public, BleepingComputer reported that the threat actors partnered with the headline-grabbing extortion group Scattered Lapsus$ Hunters to increase the pressure on Red Hat.
In this post, we’ll break down how the hackers carried out their attack and how to keep your organization protected via a Zero Standing Privileges approach.
Breaking Down the Attackers’ Methodology
According to Rapid7's analysis, as reported by BleepingComputer, the attackers followed a tried-and-true course of action to compromise their targets and make off with the data.
- Find exposed keys — They ran TruffleHog against target environments to discover secrets leaked in repositories, configuration files and similar sources, and used the exposed AWS access keys for initial access.
- Establish persistence — With the leaked keys, they called the AWS IAM API to create new IAM users, give them console login profiles and issue fresh access keys, so that their access no longer depended on the original stolen key.
- Privilege escalation — With a foothold established, they attached the AWS-managed AdministratorAccess policy to their new users. Boom: full control of the account.
- Recon — Privileges in hand, they enumerated IAM users, EC2 instances, S3 buckets, RDS clusters, EBS volumes, regions and applications to map out what was worth taking.
- Data collection — They then started gathering data: resetting RDS master passwords to get into the databases and taking snapshots of the targets' databases and EBS volumes.
- Exfiltration — They moved the snapshots and objects to S3 buckets or other storage they controlled, spinning up EC2 instances and attaching the copied volumes under permissive security groups to speed up the transfers.
- Extortion — Finally, they sent ransom notes from inside the compromised AWS account via SES, as well as to external contacts.
The Cloud Identity Challenge
This latest attack highlights a tough, if cliched, truth about the cloud: attackers don't need to break in if they can simply log in. Once credentials carrying standing privileges are compromised, the attacker has everything needed to move freely across the environment.
The reality is that credential compromise is now a matter of when, not if. And as the number of Non-Human Identities (NHIs)—service accounts, IAM roles, API keys—continues to grow, so does the challenge. In many organizations, NHIs are now estimated to outnumber human users by roughly 200 to 1.
Agentic AI tools complicate things further. These systems operate at scale with access needs that are hard to predict, often without the visibility security teams rely on to see what is actually being accessed.
Protecting against these kinds of attacks means focusing not just on preventing credential theft, but on minimizing what attackers can do after credentials are compromised. That’s why AWS told BleepingComputer that customers should “use short-term, least-privileged credentials and implement restrictive IAM policies.”
That advice perfectly captures the idea behind Zero Standing Privileges (ZSP): reduce the amount of always-on access in your environment so that even if credentials are stolen, the attacker has nowhere to go.
Of course, actually putting that into practice is the hard part. Manual access management is slow and painful, and cutting privileges too aggressively risks hurting productivity. And as cloud environments and NHIs multiply, keeping up manually just isn’t realistic anymore.
How Apono Helps
Apono makes it simple to put Zero Standing Privileges into action—without slowing anyone down.
Here’s how:
- Automatically discovers and remediates standing privileges across both human and non-human identities
- Delivers Just-in-Time (JIT) access, granting permissions only when needed and revoking them immediately after use
- Reduces Non-Human Identity (NHI) privileges safely, using automated rightsizing via quarantining and reversible remediation that preserves uptime and avoids breaking integrations
- Centralizes and automates governance, unifying policies across cloud, on-prem, and AI-driven systems
- Supports Zero Trust initiatives, enforcing short-lived, least-privileged access without adding friction for engineers
With Apono, security teams can close privilege gaps before attackers can exploit them, while developers and AI systems get access exactly when—and only when—they need it.
Ready to take a smarter approach to cloud access?
See how Apono can help your organization prevent credential-based attacks while keeping teams fast and productive. Visit apono.io/jit-and-jep/ to learn more about our platform or request a demo.