
Braintrust AWS Compromise: AI Provider Secret Exposure and Rotation Playbook

Security Arsenal Team
May 10, 2026

Introduction

Recent reports confirm that Braintrust, an AI-focused talent platform, suffered a security incident involving unauthorized access to one of its AWS accounts. The attackers successfully compromised AI provider secrets stored within the environment. While the initial vector is under investigation, the impact is clear: credentials for third-party AI services (potentially including OpenAI, Anthropic, or others) were exfiltrated.

For defenders, this is a classic identity and access management (IAM) failure with a modern twist. The breach doesn't just risk proprietary data; it creates a supply-chain risk where stolen AI API keys can be used to accrue fraudulent charges or scrape data from the compromised integrations. Immediate action is required to rotate credentials and audit cloud access logs.

Technical Analysis

Affected Platform: Amazon Web Services (AWS)
Compromised Assets: AWS IAM credentials, Cloud Secrets Management (e.g., AWS Secrets Manager or Parameter Store)
Threat Vector: Unauthorized access to AWS environment → Credential Access → Secret Exfiltration

Attack Chain

  1. Initial Access: Attackers gained access to an AWS account. In incidents like this, this is frequently achieved via phishing of IAM credentials, credential stuffing, or the use of exposed access keys found in public code repositories.
  2. Discovery & Privilege Escalation: Once inside the cloud environment, the actors likely enumerated IAM roles and permissions to locate where sensitive secrets were stored.
  3. Collection: The attackers targeted the storage mechanism for AI provider API keys. This typically involves API calls such as GetSecretValue, GetParameters, or DescribeInstances (if keys were stored in EC2 User Data).
  4. Exfiltration: The secrets were downloaded from the secure storage, providing the attackers with valid authentication tokens for external AI SaaS platforms.

Exploitation Status: Confirmed active exploitation.

Detection & Response

This breach highlights the need to monitor for anomalous access to secret management services and IAM console logins. The following detection logic focuses on identifying the retrieval of secrets and console access patterns indicative of compromise.

Sigma Rules

YAML
---
title: AWS CloudTrail - Access to Secrets Manager from New IP
id: 5e8f4a21-1d9c-4b5a-8f2d-9a3b4c5d6e7f
status: experimental
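description: Detects retrieval of an AWS Secrets Manager secret (GetSecretValue) by an IAM user or assumed role. The match conditions do not track source IP history; compare sourceIPAddress against the addresses seen in the account over the last 30 days in the SIEM, since access from a previously unseen address indicates potential credential theft or data exfiltration.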
references:
  - https://docs.aws.amazon.com/secretsmanager/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventName: 'GetSecretValue'
    eventSource: 'secretsmanager.amazonaws.com'
  filter:
    userIdentity.type:
      - 'IAMUser'
      - 'AssumedRole'
  condition: selection and filter
falsepositives:
  - Legitimate access from new developer office locations
level: high
---
title: AWS CloudTrail - Console Login Without MFA
id: 7f1a2b3c-4d5e-6f78-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects successful AWS Management Console logins where Multi-Factor Authentication (MFA) was not used. This is a strong indicator of compromised credentials or brute-force success.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2025/04/06
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventName: 'ConsoleLogin'
    eventSource: 'signin.amazonaws.com'
    responseElements.ConsoleLogin: 'Success'
    additionalEventData.MFAUsed: 'No'
  condition: selection
falsepositives:
  - IAM users intentionally exempt from MFA (high risk, should be rare)
level: critical
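
Flagging a secret read from a source IP that is new to the account needs a history of earlier events, which a single-event match does not hold. The following is an added example, not Security Arsenal's code, that applies the 30-day baseline to exported CloudTrail records; the sample events, role ARN and addresses are constructed, and the function and helper names are hypothetical.

```python
from datetime import datetime, timedelta

BASELINE = timedelta(days=30)  # look-back window from the rule description

def event_time(event):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2026-04-21T02:13:00Z
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def new_ip_secret_reads(events):
    """Return GetSecretValue reads from source IPs that, at the time of a
    read, had shown no activity in the account for the previous 30 days."""
    last_seen, new_ips, alerts = {}, set(), []
    for ev in sorted(events, key=event_time):
        ip, when = ev["sourceIPAddress"], event_time(ev)
        # Calls made by AWS services carry a DNS name or "AWS Internal" here
        if ip == "AWS Internal" or ip.endswith(".amazonaws.com"):
            continue
        is_read = (ev["eventSource"] == "secretsmanager.amazonaws.com"
                   and ev["eventName"] == "GetSecretValue"
                   and ev["userIdentity"]["type"] in ("IAMUser", "AssumedRole"))
        prev = last_seen.get(ip)
        if is_read and (prev is None or when - prev > BASELINE):
            new_ips.add(ip)
        if is_read and ip in new_ips:
            # Report every secret read from a flagged IP, not only the first
            alerts.append((ev["eventTime"], ip, ev["userIdentity"]["arn"],
                           ev["requestParameters"]["secretId"]))
        last_seen[ip] = when
    return alerts

def make_event(time, ip, name, source, secret=None):
    # Constructed record holding only the CloudTrail fields used above
    return {"eventTime": time, "sourceIPAddress": ip, "eventName": name,
            "eventSource": source,
            "requestParameters": {"secretId": secret} if secret else None,
            "userIdentity": {"type": "AssumedRole", "arn":
                "arn:aws:sts::111122223333:assumed-role/app-role/session"}}

S3, SM = "s3.amazonaws.com", "secretsmanager.amazonaws.com"
SAMPLE_EVENTS = [  # constructed sample data using documentation IP ranges
    make_event("2026-03-01T08:00:00Z", "192.0.2.5", "ListBuckets", S3),
    make_event("2026-04-01T09:00:00Z", "198.51.100.10", "ListBuckets", S3),
    make_event("2026-04-20T09:05:00Z", "198.51.100.10", "GetSecretValue", SM, "prod/openai-key"),
    make_event("2026-04-21T02:13:00Z", "203.0.113.77", "GetSecretValue", SM, "prod/openai-key"),
    make_event("2026-04-21T02:14:00Z", "203.0.113.77", "GetSecretValue", SM, "prod/anthropic-key"),
    make_event("2026-04-21T03:00:00Z", "cloudformation.amazonaws.com", "GetSecretValue", SM, "prod/db"),
    make_event("2026-04-25T10:00:00Z", "192.0.2.5", "GetSecretValue", SM, "prod/openai-key"),
]
ALERTS = new_ip_secret_reads(SAMPLE_EVENTS)  # 3 reads: two from 203.0.113.77, one from 192.0.2.5
```

The read from 198.51.100.10 is not reported because that address was active 19 days earlier, while 192.0.2.5 is reported because its last activity was more than 30 days before the read.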

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for anomalous retrieval of AI API secrets from AWS
AWSCloudTrail
| where EventName in ("GetSecretValue", "GetParametersByPath", "GetParameter")
| where EventSource in ("secretsmanager.amazonaws.com", "ssm.amazonaws.com")
| project TimeGenerated, SourceIpAddress, UserIdentityArn, EventName, RequestParameters, ResponseElements
// RequestParameters is a JSON string; CloudTrail request keys are camelCase (secretId, name, path)
| extend Params = parse_json(RequestParameters)
| extend SecretName = case(
  EventName == "GetSecretValue", tostring(Params.secretId),
  EventName == "GetParameter", tostring(Params.name),
  EventName == "GetParametersByPath", tostring(Params.path),
  ""
)
// Filter for secrets potentially related to AI providers (OpenAI, Anthropic, etc.)
| where SecretName contains "openai" or SecretName contains "anthropic" or SecretName contains "ai-" or SecretName contains "llm"
| summarize count() by SourceIpAddress, UserIdentityArn, bin(TimeGenerated, 1h)
| where count_ > 10 // Threshold for bulk exfiltration or repeated access

Velociraptor VQL

VQL — Velociraptor
-- Hunt for exposed AWS credentials or AI Keys in environment variables
-- This helps identify if the root cause was a compromised developer workstation
-- Linux endpoints: pslist() returns no environment column, so each process's
-- environment block is read from /proc/<pid>/environ (NUL-separated NAME=value)
LET procs = SELECT Pid, Name, CommandLine, Username
FROM pslist()
WHERE Name =~ 'node|python|java'

LET exposed_env_vars = SELECT * FROM foreach(
    row=procs,
    query={
        SELECT Pid, Name AS ProcessName, Username,
               parse_string_with_regex(
                   string=_value,
                   regex='^(?P<name>[^=]+)=') AS EnvRecord
        FROM foreach(row=split(
            string=read_file(filename=format(format="/proc/%d/environ", args=[Pid])),
            sep="\x00"))
    }
)

-- Report variable names only so that secret values are not copied into hunt results
SELECT Pid, ProcessName, Username, EnvRecord.name AS VarName
FROM exposed_env_vars
WHERE VarName =~ "AWS|OPENAI|ANTHROPIC|API_KEY"

Remediation Script (PowerShell)

PowerShell
# Script to audit local environment for hardcoded AI/AWS keys
# This should be run on developer workstations and build servers

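# Value prefixes of common key formats, and variable names that normally hold secrets
$highRiskValuePatterns = @("AKIA", "sk-ant-", "sk-proj-")
$highRiskNames = @("OPENAI_API_KEY", "AWS_SECRET_ACCESS_KEY")

Write-Host "[+] Auditing Environment Variables for High-Risk Keys..." -ForegroundColor Cyan

# Enumerate each scope separately: adding the two hashtables throws when a name
# (for example Path or TEMP) exists in both the User and Machine scopes
foreach ($scope in @("User", "Machine")) {
    $envVars = [System.Environment]::GetEnvironmentVariables($scope)
    foreach ($var in $envVars.GetEnumerator()) {
        $value = $var.Value
        if ($value -isnot [string]) { continue }
        $nameHit = $highRiskNames -contains $var.Name
        $valueHit = $false
        foreach ($pattern in $highRiskValuePatterns) {
            if ($value -match [regex]::Escape($pattern)) { $valueHit = $true; break }
        }
        if ($nameHit -or $valueHit) {
            Write-Host "[ALERT] Found potential exposed key in $scope variable: " -NoNewline -ForegroundColor Red
            Write-Host $var.Name
            # Do not output the value itself to prevent logging secrets
        }
    }
}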

# Check .aws/credentials file if it exists
$awsCredsPath = "$env:USERPROFILE\.aws\credentials"
if (Test-Path $awsCredsPath) {
    Write-Host "[ALERT] AWS Credentials file found at: $awsCredsPath" -ForegroundColor Yellow
    Write-Host "Review this file to ensure no long-lived keys are present." -ForegroundColor Yellow
}

Remediation

Immediate Actions:

  1. API Key Rotation: Immediately rotate all API keys for third-party AI providers (OpenAI, Anthropic, etc.) stored in the Braintrust environment. This renders the exfiltrated keys useless.
  2. AWS Credential Rotation: Rotate all AWS Access Keys and IAM User credentials that had access to the compromised AWS account.
  3. Audit CloudTrail: Review AWS CloudTrail logs for the timeframe surrounding the breach to identify specific GetSecretValue calls and the userIdentity used. Revoke permissions for any identified rogue actors.

Hardening Measures:

  1. Enforce MFA: Ensure Multi-Factor Authentication (MFA) is mandatory for all IAM users, specifically focusing on the root account and console logins.
  2. Least Privilege: Implement strict IAM policies. Ensure that only specific roles requiring access to AI secrets have secretsmanager:GetSecretValue permissions.
  3. Secrets Rotation: Enable automatic secret rotation for AWS Secrets Manager.
  4. Source IP Restriction: Restrict access to the AWS Management Console and API endpoints to known corporate IP ranges using VPC endpoints or IAM Condition keys.

Official Vendor Advisory: Refer to the Braintrust security notice for the specific timeline and confirm if any customer data was directly impacted. If utilizing Braintrust services, verify if your integration keys were among those compromised.
