Attackers Are Encrypting AWS S3 Data Without Using Ransomware
Summary:
The ransomware group Codefinger has been observed exploiting compromised AWS keys to encrypt data stored in Amazon S3 buckets, using AWS’s Server-Side Encryption with Customer-Provided Keys, cybersecurity firm Halcyon reports. This attack does not exploit vulnerabilities in AWS itself but rather depends on the acquisition of stolen credentials. Once inside, the group identifies keys with permissions to read and write S3 objects and begins the encryption process using a locally generated AES-256 key. While AWS processes this key during encryption, it does not store it, instead logging only a hash-based message authentication code in CloudTrail, which cannot be used to reconstruct the encryption key or decrypt the data.
The attackers leave a ransom note in each directory, demanding payment for the encryption key and warning victims against altering account permissions. To increase pressure, they use the S3 Object Lifecycle Management API to mark encrypted files for deletion within seven days, making timely payment essential for data recovery. The attackers’ reliance on AWS’s encryption infrastructure ensures that the encrypted data cannot be recovered without the AES-256 keys.
Security Officer Comments:
AWS, upon being informed of the attacks, noted its proactive measures, including alerting customers about exposed keys and investigating reports to mitigate risks quickly without causing disruptions. However, recovery from such attacks requires organizations to implement robust preventive measures, as the reliance on AWS’s encryption architecture makes post-incident data recovery nearly impossible. SecurityWeek has reached out to AWS for further comments and will update the details as additional information becomes available.
Suggested Corrections:
Halcyon advises organizations to mitigate such risks by configuring IAM policies to block the use of SSE-C for S3 buckets, restricting access to authorized users and data only. Regular reviews of AWS key permissions, removal of unused keys, and enabling detailed logging for S3 operations are also critical to detecting unusual activity and reducing exposure to these attacks.
Link(s):
https://www.securityweek.com/compromised-aws-keys-abused-in-codefinger-ransomware-attacks/
The ransomware group Codefinger has been observed exploiting compromised AWS keys to encrypt data stored in Amazon S3 buckets, using AWS’s Server-Side Encryption with Customer-Provided Keys, cybersecurity firm Halcyon reports. This attack does not exploit vulnerabilities in AWS itself but rather depends on the acquisition of stolen credentials. Once inside, the group identifies keys with permissions to read and write S3 objects and begins the encryption process using a locally generated AES-256 key. While AWS processes this key during encryption, it does not store it, instead logging only a hash-based message authentication code in CloudTrail, which cannot be used to reconstruct the encryption key or decrypt the data.
The attackers leave a ransom note in each directory, demanding payment for the encryption key and warning victims against altering account permissions. To increase pressure, they use the S3 Object Lifecycle Management API to mark encrypted files for deletion within seven days, making timely payment essential for data recovery. The attackers’ reliance on AWS’s encryption infrastructure ensures that the encrypted data cannot be recovered without the AES-256 keys.
Security Officer Comments:
AWS, upon being informed of the attacks, noted its proactive measures, including alerting customers about exposed keys and investigating reports to mitigate risks quickly without causing disruptions. However, recovery from such attacks requires organizations to implement robust preventive measures, as the reliance on AWS’s encryption architecture makes post-incident data recovery nearly impossible. SecurityWeek has reached out to AWS for further comments and will update the details as additional information becomes available.
Suggested Corrections:
Halcyon advises organizations to mitigate such risks by configuring IAM policies to block the use of SSE-C for S3 buckets, restricting access to authorized users and data only. Regular reviews of AWS key permissions, removal of unused keys, and enabling detailed logging for S3 operations are also critical to detecting unusual activity and reducing exposure to these attacks.
Link(s):
https://www.securityweek.com/compromised-aws-keys-abused-in-codefinger-ransomware-attacks/