Links
This article details a cloud attack in which a threat actor gained administrative access to an AWS environment in under 10 minutes, using credentials stolen from public S3 buckets. The attacker leveraged large language models to automate tasks such as reconnaissance and malicious code generation, ultimately compromising multiple AWS principals.
TraderTraitor, a DPRK-affiliated threat actor, targets AWS environments and the cryptocurrency sector primarily for financial gain, executing significant cyber heists through tactics such as supply chain compromise and credential theft. Defenses against such attacks include enabling AWS logging, enforcing multi-factor authentication, and monitoring network traffic to mitigate risks associated with their sophisticated social engineering and cloud service abuse methods.