CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Crimson Collective targets Red Hat and AWS cloud environments for data theft

First reported
Last updated
2 unique sources, 5 articles

Summary

Hide ▲

The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies, including Red Hat. The group claims to have breached Red Hat's private GitLab repositories, stealing nearly 570GB of data across 28,000 internal projects. The stolen data allegedly includes 800 Customer Engagement Reports (CERs), which contain sensitive information about customer networks and platforms. The breach occurred approximately two weeks prior to the announcement. The hackers claim to have accessed downstream customer infrastructure using authentication tokens and other private information found in the stolen data. The affected organizations span various sectors, including finance, healthcare, government, and telecommunications. Red Hat has initiated remediation steps and stated that the security issue does not impact its other services or products. The hackers published a complete directory listing of the allegedly stolen GitLab repositories and a list of CERs from 2020 through 2025 on Telegram. The Centre for Cybersecurity Belgium (CCB) has issued an advisory stating there is a high risk to Belgian organizations that use Red Hat Consulting services. The CCB also warns of potential supply chain impact if service providers or IT partners worked with Red Hat Consulting. The CCB advises organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations, and to contact third-party IT providers to assess potential exposure. The ShinyHunters gang has now joined the extortion attempts against Red Hat, partnering with the Crimson Collective. ShinyHunters has released samples of stolen CERs on their data leak site and has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. The breach is part of a series of supply chain threats involving compromised code repositories. In May 2024, threat actors exploited a critical vulnerability (CVE-2023-7028) to take over GitLab accounts. GitLab disclosed and patched two similar vulnerabilities (CVE-2024-5655 and CVE-2024-6385) that jeopardized customers' CI/CD pipelines.

Timeline

  1. 08.10.2025 20:33 1 articles · 6d ago

    Crimson Collective targets AWS cloud environments for data theft

    The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies. The attackers use the open-source tool TruffleHog to discover exposed AWS credentials and create new IAM users and login profiles via API calls. They attach the 'AdministratorAccess' policy onto newly created users, granting full AWS control. The attackers enumerate users, instances, buckets, locations, database clusters, and applications to plan data collection and exfiltration. They modify the RDS master passwords to gain database access, create snapshots, and export them to S3 for exfiltration. The attackers observed snapshots of EBS volumes, followed by the launching of new EC2 instances. The attackers send extortion notes via AWS Simple Email Service (SES) within the breached cloud environment and to external email accounts. The attackers utilized multiple IP addresses in their data theft operations and reused some IP addresses across incidents. The Crimson Collective partnered with Scattered Lapsus$ Hunters to increase the extortion pressure on Red Hat. In January 2025, Halcyon reported ransomware attacks targeting AWS environments by a threat actor named 'Codefinger'.

    Show sources
    Open in new tab
  2. 07.10.2025 00:08 1 articles · 8d ago

    ShinyHunters joins extortion efforts with Crimson Collective

    The ShinyHunters gang has partnered with the Crimson Collective to extort Red Hat, releasing samples of stolen Customer Engagement Reports (CERs) on their data leak site. ShinyHunters has set an October 10th deadline for Red Hat to negotiate a ransom demand to prevent the public leak of stolen data. ShinyHunters operates as an extortion-as-a-service (EaaS), collaborating with other threat actors to extort companies. The breach is part of a series of supply chain threats involving compromised code repositories. The Centre for Cybersecurity Belgium (CCB) has issued an advisory warning of potential supply chain impact and advising organizations to rotate all tokens, keys, and credentials shared with Red Hat or used in any Red Hat integrations.

    Show sources
    Open in new tab
  3. 02.10.2025 09:15 5 articles · 13d ago

    Red Hat confirms security incident affecting consulting business

    The Crimson Collective has been targeting AWS cloud environments to steal data and extort companies, including Red Hat. The attackers use the open-source tool TruffleHog to discover exposed AWS credentials and create new IAM users and login profiles via API calls. They attach the 'AdministratorAccess' policy onto newly created users, granting full AWS control. The attackers enumerate users, instances, buckets, locations, database clusters, and applications to plan data collection and exfiltration. They modify the RDS master passwords to gain database access, create snapshots, and export them to S3 for exfiltration. The attackers observed snapshots of EBS volumes, followed by the launching of new EC2 instances. The attackers send extortion notes via AWS Simple Email Service (SES) within the breached cloud environment and to external email accounts. The attackers utilized multiple IP addresses in their data theft operations and reused some IP addresses across incidents. The Crimson Collective partnered with Scattered Lapsus$ Hunters to increase the extortion pressure on Red Hat.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Discord User Data Compromised in Third-Party Breach

Hackers claim to have stolen data from 5.5 million unique Discord users after compromising a third-party customer service provider. The attack occurred on September 20, 2025, affecting users who interacted with Discord’s customer support and/or Trust and Safety teams. The breach appears to be financially motivated, with hackers demanding a ransom. The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support. The compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history. Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement. The hackers also accessed corporate data, including training materials and internal presentations. Discord has notified law enforcement and relevant data protection authorities about the incident. No full credit card numbers, CVV codes, passwords, or authentication data were compromised. Additionally, no messages or activity on Discord outside of communication with customer support were obtained by the attackers.

Open in new tab

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days. Harvard University is the first confirmed victim of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. The organization believes the incident impacts a limited number of parties associated with a small administrative unit. The vulnerability exploited by the hackers has been patched and there is no evidence of other systems being compromised. Google’s Threat Intelligence Group (GTIG) and Mandiant believe dozens of organizations have been targeted. The cybercriminals behind the Oracle EBS campaign sent out extortion emails to executives at the targeted organizations on behalf of the Cl0p ransomware group, likely due to the reputation it has built after conducting similar campaigns in the past. Those campaigns targeted customers of Cleo, MOVEit, Fortra and Accellion file transfer products. The attacks targeting Oracle EBS customers appear to have involved the exploitation of known and zero-day vulnerabilities, as well as the deployment of sophisticated malware. CrowdStrike reported that exploitation of the software flaws appears to have started on August 9, but Google has seen some indication that the attacks may have begun as early as July 10.

Open in new tab

GhostAction GitHub supply chain attack steals 3,325 secrets

The GhostAction supply chain attack compromised 3,325 secrets from GitHub repositories. The attack, discovered by GitGuardian on September 2, 2025, involved malicious commits to GitHub Actions workflows that exfiltrated secrets to an external domain. The first signs of compromise were detected in the FastUUID project. The attack affected at least 817 repositories and targeted multiple package ecosystems, including PyPI, npm, DockerHub, and AWS keys. The exfiltration endpoint was taken down shortly after the campaign's discovery. The compromised secrets included PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials. The attack impacted at least nine npm and 15 PyPI packages, potentially allowing for the release of malicious or trojanized versions. The Python Software Foundation invalidated all PyPI tokens stolen in the attack, confirming that the threat actors did not abuse them to publish malware. GitGuardian notified the security teams of GitHub, npm, and PyPI and opened issues in 573 impacted repositories. A hundred repositories had already detected and reverted the malicious changes before the full scope of the campaign was uncovered. GitGuardian notified PyPI on September 5, 2025, but the email ended up in the spam folder, delaying the response until September 10, 2025. PyPI advised maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens and review their security history for any suspicious activity.

Open in new tab

GPUGate Malware Campaign Targets IT Firms in Western Europe

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS). The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake GitHub repositories. These repositories impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.

Open in new tab

Supply Chain Attack on Drift via OAuth Token Theft

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.

Open in new tab