The attackers first scanned AWS IP ranges to identify misconfigured endpoints using tools like Shodan for reverse lookups on IP addresses. They correlated these findings with SSL certificates to ...