Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » Aqua Security » AQUEUR1775299151

Incident Score: Analysis & Impact (AQUEUR1775299151)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-6
Company Score Before Incident577 / 1000
Company Score After Incident571 / 1000
Company LinkView Aqua Security Profile
INCIDENT NUMBERAQUEUR1775299151
Type of Cyber IncidentVulnerability
ATTACK VECTORSupply-chain attack (Trivy vulnerability scanning tool)
DATA EXPOSED350GB of data (emails, databases,...
INCIDENT DATE04/04/2026
STATUSOngoing

Key Highlights From The Incident Analysis

  • Timeline of Aqua Security's Vulnerability and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Aqua Security Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Aqua Security breach identified under incident ID AQUEUR1775299151.

The analysis begins with a detailed overview of Aqua Security's information like the linkedin page: https://www.linkedin.com/company/aquasecteam, the number of followers: 66228, the industry type: Computer and Network Security and the number of employees: 481 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 577 and after the incident was 571 with a difference of -6 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Aqua Security and their customers.

On 27 March 2026, European Commission disclosed Data Breach issues under the banner "European Commission Cloud Breach Exposes Data from 30 EU Entities, Linked to TeamPCP".

On March 27, 2026, CERT-EU disclosed a cybersecurity breach affecting the European Commission’s Amazon Web Services (AWS) cloud environment, exposing data from at least 30 EU entities.

The disruption is felt across the environment, affecting AWS cloud environment (Europa web hosting service), and exposing 350GB of data (emails, databases, contracts, personal information), with nearly Over 51,000 outbound emails records at risk.

In response, moved swiftly to contain the threat with measures like Investigation by Cybersecurity Operations Centre (CSOC), and stakeholders are being briefed through Notified affected parties; full impact assessment ongoing.

The case underscores how Ongoing, with advisories going out to stakeholders covering Affected parties notified.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) with high confidence (95%), supported by evidence indicating supply-chain attack on Trivy, a vulnerability scanning tool and Valid Accounts: Cloud Accounts (T1078.004) with high confidence (90%), supported by evidence indicating initial access occurred via a compromised AWS API key. Under the Execution tactic, the analysis identified Command and Scripting Interpreter (T1059) with moderate to high confidence (70%), supported by evidence indicating deployed TruffleHog, a credential-scanning tool. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.001) with high confidence (90%), supported by evidence indicating created additional access keys to evade detection. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (85%), supported by evidence indicating compromised AWS API key used for reconnaissance and data exfiltration. Under the Defense Evasion tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (80%), supported by evidence indicating used compromised AWS API key to evade detection and Account Manipulation: Additional Cloud Credentials (T1098.001) with moderate to high confidence (85%), supported by evidence indicating created additional access keys to evade detection. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Cloud Instance Metadata API (T1552.005) with moderate to high confidence (80%), supported by evidence indicating aWS secret key stolen via supply-chain attack on Trivy and Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (75%), supported by evidence indicating deployed TruffleHog, a credential-scanning tool. Under the Discovery tactic, the analysis identified Cloud Service Discovery (T1526) with moderate to high confidence (80%), supported by evidence indicating reconnaissance conducted in AWS cloud environment. Under the Collection tactic, the analysis identified Data from Cloud Storage (T1530) with high confidence (90%), supported by evidence indicating 350GB of data including emails, databases, contracts stolen. Under the Exfiltration tactic, the analysis identified Transfer Data to Cloud Account (T1537) with moderate to high confidence (85%), supported by evidence indicating 350GB of data stolen from AWS cloud environment and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating data exfiltration conducted by TeamPCP. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (10%), supported by evidence indicating no evidence of data encryption in the incident and Data Manipulation: Transmitted Data Manipulation (T1565.002) with lower confidence (20%), supported by evidence indicating no evidence of website tampering or device compromise. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
Supply Chain Compromise: Compromise Software Supply Chain (95%)
Valid Accounts: Cloud Accounts (90%)
Execution
Command and Scripting Interpreter (70%)
Persistence
Account Manipulation: Additional Cloud Credentials (90%)
Privilege Escalation
Valid Accounts: Cloud Accounts (85%)
Defense Evasion
Valid Accounts: Cloud Accounts (80%)
Account Manipulation: Additional Cloud Credentials (85%)
Credential Access
Unsecured Credentials: Cloud Instance Metadata API (80%)
Unsecured Credentials: Credentials In Files (75%)
Discovery
Cloud Service Discovery (80%)
Collection
Data from Cloud Storage (90%)
Exfiltration
Transfer Data to Cloud Account (85%)
Exfiltration Over C2 Channel (70%)
Impact
Data Encrypted for Impact (10%)
Data Manipulation: Transmitted Data Manipulation (20%)

Sources & References