While cloud-based infrastructure is largely viewed as less susceptible to cybercrime than on premise servers, use of the cloud comes with its own security concerns. Serverless architectures can fall victim to cryptominers, lateral movement attempts, denial of service attacks, and even extortion attacks. The most prevalent initial access method into cloud environments is credential-based attacks, but misconfiguration also represents many compromises and data exposures. As these misconfigurations and exploitation of weak credentials allow relatively low-skilled threat actors to easily access cloud environments, some extortion groups specifically target these environments. One notable threat actor observed by Arete focuses solely on the exfiltration and extortion of cloud-based environments and self-identifies as Mr. Anazon.
Who is Mr. Anazon?
Mr. Anazon is an extortionist presumed to be operating alone and is likely a native English speaker. Although Mr. Anazon claims to have over 15 years of experience, the Arete Cyber Threat Intelligence team found no evidence of a threat actor with that name on underground or Dark Web forums. Mr. Anazon communicates via email using a Titan email hosted on Amazon Web Services (AWS) infrastructure as their mail server. The webpage for the domain from the email address provided in the ransom note typically displays an image with the message: “Do As You Are Told! You And Your Clients Will Be Safe And Your Business Reputation Will Be Intact.”
Mr. Anazon exploits vulnerabilities in software applications and operates multiple domains, pre-staging them for up to two months prior to using them to communicate with victims. In one engagement, a lack of session validation allowed the threat actor to gain access to the victim’s Amazon S3 bucket and use automated scanning tools and crawlers to index sensitive data.
Analyst Comments
Threat actors abusing cloud infrastructure will likely continue to be a challenge moving forward. They will likely abuse cloud infrastructure for nefarious purposes, including the distribution of malware, hosting phishing pages, and exfiltrating data to extort ransom payments from victims.
Sources
Threat Horizons H2 2024 Threat Horizons Report
Arete CTI Team
Related Resources
![]()
The Return of Bumblebee Loader
After its disruption in May 2024, Bumblebee is back in the cyber ecosystem, using a new infection chain with LNK, PowerShell, and MSI files to drop additional malware.
Read more![]()
Red Team Tool Used to Disrupt Endpoint Security Solutions
Researchers observed criminals using the red-team tool EDRSilencer in cyberattacks. This open-source tool, designed for penetration testing, can detect EDR processes and monitor, modify, or block their outbound network communications.
Read more![]()
Recent Sanctions Reveal LockBit and Evil Corp Links
The US Department of the Treasury’s Office of Foreign Assets Control sanctioned seven individuals for their association with the Evil Corp cybercriminal group.
Read more
