threat actor group Bling Libra (the group behind the ShinyHunters ransomware)
Write-up of a full AWS attack chain
Found IAM creds in a publicly-accessible log file
Creds had AmazonS3FullAccess policy
Enumeration
iam:ListUsers (failed)
s3:ListBuckets
Then use of S3 Browser and WinSCP
Accessed all S3 buckets
Deleted a few buckets (probably some objects were removed before, but no data events enabled)
Threat actor created a large number of S3 buckets to catch the victim’s attention / mock them
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/