While cloud-based infrastructure is largely viewed as less susceptible to cybercrime than on premise servers, use of the cloud comes with its own security concerns. Serverless architectures can fall victim to cryptominers, lateral movement attempts, denial of service attacks, and even extortion attacks. The most prevalent initial access method into cloud environments is credential-based attacks, but misconfiguration also represents many compromises and data exposures. As these misconfigurations and exploitation of weak credentials allow relatively low-skilled threat actors to easily access cloud environments, some extortion groups specifically target these environments. One notable threat actor observed by Arete focuses solely on the exfiltration and extortion of cloud-based environments and self-identifies as Mr. Anazon.
Who is Mr. Anazon?
Mr. Anazon is an extortionist presumed to be operating alone and is likely a native English speaker. Although Mr. Anazon claims to have over 15 years of experience, the Arete Cyber Threat Intelligence team found no evidence of a threat actor with that name on underground or Dark Web forums. Mr. Anazon communicates via email using a Titan email hosted on Amazon Web Services (AWS) infrastructure as their mail server. The webpage for the domain from the email address provided in the ransom note typically displays an image with the message: “Do As You Are Told! You And Your Clients Will Be Safe And Your Business Reputation Will Be Intact.”
Mr. Anazon exploits vulnerabilities in software applications and operates multiple domains, pre-staging them for up to two months prior to using them to communicate with victims. In one engagement, a lack of session validation allowed the threat actor to gain access to the victim’s Amazon S3 bucket and use automated scanning tools and crawlers to index sensitive data.
Analyst Comments
Threat actors abusing cloud infrastructure will likely continue to be a challenge moving forward. They will likely abuse cloud infrastructure for nefarious purposes, including the distribution of malware, hosting phishing pages, and exfiltrating data to extort ransom payments from victims.
Sources
Threat Horizons H2 2024 Threat Horizons Report
Arete CTI Team