The code recovered from the S3 bucket showed that the breach progressed from discovery to exploitation: it began with AWS IP ranges, which were expanded into domain lists using Shodan and SSL certificate analysis. Scans then targeted exposed endpoints and specific system types, extracting data such as database credentials and AWS keys.
The attackers deployed custom Python and PHP scripts that exploited open-source frameworks such as Laravel to harvest credentials, among them Git, SMTP, and cryptocurrency keys. Verified credentials were stored for later use, and remote shells were installed where deeper access was wanted.
Harvested AWS keys were tested for access to IAM, SES, SNS, and S3, which let the attackers establish persistence, send phishing emails, and steal sensitive data. Notably, AI service keys were not checked, likely because the tooling was outdated or such keys were of limited value.
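A defender's check for the key-testing pattern just described, written as an added example (it is not code from the original article or from the attackers' toolkit): it scans CloudTrail-style records for any access key that probes IAM, SES, SNS and S3 within a few minutes, the service list named above. The event names and eventSource values are real CloudTrail fields; the key IDs, timestamps and the five-minute / three-service thresholds are constructed assumptions.

```python
"""Added detection example: flag an AWS access key whose activity is a burst
of read-only probes against IAM, SES, SNS and S3, the key-validation pattern
the article describes. Sample records are constructed, not from a real account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Services the article reports every harvested key was tested against.
PROBED_SERVICES = {"iam.amazonaws.com", "ses.amazonaws.com",
                   "sns.amazonaws.com", "s3.amazonaws.com"}
# Cheap read-only calls that reveal whether a key works (real CloudTrail eventNames).
PROBE_EVENTS = {"GetUser", "ListUsers", "GetSendQuota", "ListIdentities",
                "ListTopics", "ListBuckets"}

# Constructed CloudTrail-style records reduced to the fields the check needs:
# (eventTime, eventSource, eventName, userIdentity.accessKeyId)
SAMPLE_EVENTS = [
    # Key 1: a stolen key being validated across four services in two minutes.
    ("2024-01-01T10:00:01Z", "iam.amazonaws.com", "GetUser", "AKIAEXAMPLE0000000001"),
    ("2024-01-01T10:00:09Z", "ses.amazonaws.com", "GetSendQuota", "AKIAEXAMPLE0000000001"),
    ("2024-01-01T10:00:40Z", "sns.amazonaws.com", "ListTopics", "AKIAEXAMPLE0000000001"),
    ("2024-01-01T10:01:55Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE0000000001"),
    # Key 2: an application key doing its normal job; one service at a time.
    ("2024-01-01T10:00:05Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE0000000002"),
    ("2024-01-01T10:00:06Z", "s3.amazonaws.com", "GetObject", "AKIAEXAMPLE0000000002"),
    ("2024-01-01T11:30:00Z", "iam.amazonaws.com", "GetUser", "AKIAEXAMPLE0000000002"),
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_key_validation_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Return {accessKeyId: sorted probed services} for every key that issues
    probe calls to at least `min_services` distinct probed services inside one
    `window`. Non-probe calls (GetObject here) are ignored as normal workload."""
    by_key = defaultdict(list)
    for ts, source, name, key_id in events:
        if name in PROBE_EVENTS and source in PROBED_SERVICES:
            by_key[key_id].append((parse_time(ts), source))
    hits = {}
    for key_id, probes in by_key.items():
        probes.sort()
        # Slide a window starting at each probe; stop at the first dense burst.
        for i, (start, _) in enumerate(probes):
            seen = {src for t, src in probes[i:] if t - start <= window}
            if len(seen) >= min_services:
                hits[key_id] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for key_id, services in find_key_validation_bursts(SAMPLE_EVENTS).items():
        print(f"{key_id}: probed {', '.join(services)}; rotate the key and investigate")
```

In a real pipeline the tuples would be built from the CloudTrail JSON fields named in the comment, and the first hit for a key is the point at which to rotate it and review what the key reached afterwards.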