Incident Score: Analysis & Impact (HUNAWS1772735373)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating exploiting CVE-2025-55182, a vulnerability in the React2Shell framework and Steal Application Access Token (T1528) with high confidence (90%), supported by evidence indicating leveraging stolen AWS access tokens to bypass initial exploitation. Under the Execution tactic, the analysis identified Command and Scripting Interpreter (T1059) with moderate to high confidence (80%), supported by evidence indicating grep searches to extract sensitive files like .pem, .key, and .ppk credentials and Container Administration Command (T1609) with moderate to high confidence (70%), supported by evidence indicating compromised Docker container images contained hardcoded database credentials. Under the Persistence tactic, the analysis identified Account Manipulation (T1098) with moderate to high confidence (70%), supported by evidence indicating pivoted into Kubernetes clusters by updating kubeconfig files and Server Software Component: Web Shell (T1505.003) with moderate to high confidence (80%), supported by evidence indicating deployed VShell on port 8082 for command-and-control. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Setuid and Setgid (T1548.001) with moderate confidence (60%), supported by evidence indicating access to Kubernetes Secrets and ConfigMaps in plaintext and Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating stolen AWS access tokens used to infiltrate cloud infrastructure. Under the Defense Evasion tactic, the analysis identified Protocol Tunneling (T1572) with high confidence (90%), supported by evidence indicating used FRP as a tunneling proxy over port 53 (DNS), Proxy: Multi-hop Proxy (T1090.003) with moderate to high confidence (80%), supported by evidence indicating connections to primary VPS routed over IPv6 to bypass IPv4 detection, and Masquerading (T1036) with moderate to high confidence (70%), supported by evidence indicating vShell deployed on port 8082, evading standard network monitoring. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with high confidence (90%), supported by evidence indicating stole .env files with hardcoded private keys, .pem, .key, and .ppk credentials, Unsecured Credentials: Cloud Instance Metadata API (T1552.005) with moderate to high confidence (70%), supported by evidence indicating broad enumeration of AWS EC2 instances, RDS databases, and S3 buckets, and Steal Application Access Token (T1528) with high confidence (90%), supported by evidence indicating stolen AWS access tokens used to directly infiltrate cloud infrastructure. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (80%), supported by evidence indicating broad enumeration of AWS EC2, RDS, S3, Lambda, and EKS clusters, File and Directory Discovery (T1083) with high confidence (90%), supported by evidence indicating grep searches to extract sensitive files like .pem, .key, and .ppk credentials, and Cloud Storage Object Discovery (T1619) with moderate to high confidence (80%), supported by evidence indicating downloaded Terraform state files storing infrastructure secrets. Under the Collection tactic, the analysis identified Data from Cloud Storage (T1530) with high confidence (90%), supported by evidence indicating exfiltrated ConfigMaps, Kubernetes Secrets, and Docker container images and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating stole proprietary source code and private keys from compromised systems. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating deployed VShell on port 8082 for command-and-control, Proxy: External Proxy (T1090.002) with high confidence (90%), supported by evidence indicating used FRP as a tunneling proxy over port 53 (DNS), and Non-Application Layer Protocol (T1095) with moderate to high confidence (70%), supported by evidence indicating connections routed over IPv6 to bypass IPv4 detection tools. Under the Exfiltration tactic, the analysis identified Transfer Data to Cloud Account (T1537) with moderate to high confidence (80%), supported by evidence indicating exfiltrated Kubernetes Secrets, ConfigMaps, and Docker images in plaintext and Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating theft of proprietary source code, private keys, and cloud-stored secrets. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with moderate to high confidence (70%), supported by evidence indicating 52.6 TRX transferred during exploitation window (potential crypto theft). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.