
Incident Score: Analysis & Impact (AMAORAMIC1770695748)

The details of each company's incidents and reports give you a full view from every side.

Rankiteo Score Impact Analysis

  • Rankiteo Incident Impact: -8
  • Company Score Before Incident: 709 / 1000
  • Company Score After Incident: 701 / 1000
  • Incident Number: AMAORAMIC1770695748
  • Type of Cyber Incident: Cyber Attack
  • Attack Vector: Exposed Docker APIs, Kubernetes clusters, Ray dashboards, leaked secrets (.env files), React2Shell vulnerability (CVE-2025-29927)
  • Data Exposed: Over two million records (personal...
  • Incident Date: 25/12/2025
  • Status: published

Key Highlights From The Incident Analysis

  • Timeline of Amazon Web Services (AWS)'s Cyber Attack and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Amazon Web Services (AWS)'s Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Amazon Web Services (AWS) breach identified under incident ID AMAORAMIC1770695748.

The analysis begins with a detailed overview of Amazon Web Services (AWS)'s company information: the LinkedIn page (https://www.linkedin.com/company/amazon-web-services), the number of followers (10600547), the industry type (IT Services and IT Consulting) and the number of employees (153837).

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company score before the incident was 709 and after the incident was 701, a difference of -8, which can be a good indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, together with the impact it had on Amazon Web Services (AWS) and their customers.

JobsGO recently reported "TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation", a noteworthy cybersecurity incident.

A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December.

The disruption is felt across the environment, affecting 60,000+ servers worldwide and exposing over two million records (personal IDs, employment records, résumés).

Formal response steps have not been shared publicly yet.

The case shows the lessons teams are taking away: the incident underscores the risks of unsecured cloud control planes, leaked credentials and poor access controls, and highlights the need for robust cloud security practices. Recommended next steps are to secure exposed Docker APIs, Kubernetes clusters and Ray dashboards; implement strict access controls and secrets management; and monitor for leaked credentials and misconfigurations.

Finally, we map the incident against the MITRE ATT&CK framework to see which tactics and techniques correlate with the observed activity.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.

  • Initial Access: Exploit Public-Facing Application (T1190), high confidence (90%), with evidence including exploiting well-documented vulnerabilities and misconfigurations, and the React2Shell vulnerability (CVE-2025-29927); Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (80%), with evidence including leaked secrets (.env files) and leaked credentials; External Remote Services (T1133), moderate to high confidence (80%), supported by evidence indicating exposed Docker APIs, Kubernetes clusters, Ray dashboards.
  • Execution: Command and Scripting Interpreter: Python (T1059.006), high confidence (90%), supported by evidence indicating deployment of malicious Python and Shell scripts; User Execution: Malicious File (T1204.002), moderate to high confidence (70%), supported by evidence indicating automated, worm-like attacks on misconfigured services.
  • Persistence: Server Software Component: Web Shell (T1505.003), moderate to high confidence (70%), supported by evidence indicating conversion of compromised infrastructure into a self-propagating botnet; Create or Modify System Process: Windows Service (T1543.003), moderate confidence (60%), supported by evidence indicating installation of proxies, tunneling software and persistence mechanisms.
  • Privilege Escalation: Exploitation for Privilege Escalation (T1068), moderate to high confidence (80%), supported by evidence indicating the React2Shell vulnerability (CVE-2025-29927) allows remote command execution.
  • Defense Evasion: Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (80%), supported by evidence indicating leaked credentials and misconfigurations used to blend in; Impair Defenses: Disable or Modify Tools (T1562.001), moderate confidence (60%), supported by evidence indicating automated exploitation of known vulnerabilities.
  • Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), high confidence (90%), with evidence including leaked secrets (.env files) and leaked credentials.
  • Discovery: Cloud Service Discovery (T1526), moderate to high confidence (80%), supported by evidence indicating scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards.
  • Lateral Movement: Remote Services: Cloud Services (T1021.007), moderate to high confidence (80%), supported by evidence indicating a self-propagating botnet across cloud environments.
  • Collection: Data from Cloud Storage (T1530), high confidence (90%), supported by evidence indicating data theft and extortion, with over two million records exfiltrated; Data from Local System (T1005), moderate to high confidence (70%), supported by evidence indicating personal IDs, employment records and résumés compromised.
  • Command and Control: Proxy: External Proxy (T1090.002), moderate to high confidence (80%), supported by evidence indicating installation of proxies and tunneling software; Ingress Tool Transfer (T1105), moderate to high confidence (70%), supported by evidence indicating malicious Python and Shell scripts deployed.
  • Exfiltration: Transfer Data to Cloud Account (T1537), high confidence (90%), supported by evidence indicating data exfiltration, with over two million records published on a leak site; Exfiltration Over C2 Channel (T1041), moderate to high confidence (80%), supported by evidence indicating the React2Shell vulnerability allows data exfiltration.
  • Impact: Resource Hijacking (T1496), high confidence (90%), supported by evidence indicating cryptocurrency mining using hijacked compute resources; Data Encrypted for Impact (T1486), moderate to high confidence (70%), supported by evidence indicating ransomware deployment leveraging infected systems; Account Access Removal (T1531), moderate confidence (60%), supported by evidence indicating selling access to compromised systems for further attacks.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
  • Exploit Public-Facing Application (90%)
  • Valid Accounts: Cloud Accounts (80%)
  • External Remote Services (80%)

Execution
  • Command and Scripting Interpreter: Python (90%)
  • User Execution: Malicious File (70%)

Persistence
  • Server Software Component: Web Shell (70%)
  • Create or Modify System Process: Windows Service (60%)

Privilege Escalation
  • Exploitation for Privilege Escalation (80%)

Defense Evasion
  • Valid Accounts: Cloud Accounts (80%)
  • Impair Defenses: Disable or Modify Tools (60%)

Credential Access
  • Unsecured Credentials: Credentials In Files (90%)

Discovery
  • Cloud Service Discovery (80%)

Lateral Movement
  • Remote Services: Cloud Services (80%)

Collection
  • Data from Cloud Storage (90%)
  • Data from Local System (70%)

Command and Control
  • Proxy: External Proxy (80%)
  • Ingress Tool Transfer (70%)

Exfiltration
  • Transfer Data to Cloud Account (90%)
  • Exfiltration Over C2 Channel (80%)

Impact
  • Resource Hijacking (90%)
  • Data Encrypted for Impact (70%)
  • Account Access Removal (60%)
