Mass Ransomware Campaign Hits S3 Buckets Using Stolen AWS Keys
Summary:
A significant security incident involving Amazon Web Services has been uncovered: an ongoing ransomware campaign driven by roughly 1,200 compromised AWS access keys. The attackers use the stolen keys to reach victims' S3 buckets, re-write the stored objects with their own encryption keys, and leave ransom notes demanding 0.3 Bitcoin (around $25,000). The mechanism is S3's Server-Side Encryption with Customer-Provided Keys (SSE-C): the attacker supplies an AES-256 key on each upload, S3 encrypts the object with it and retains only an HMAC of the key for request validation, so the data owner has no way to decrypt the objects afterwards. The victim does not need to have used SSE-C at all; any principal with write access to the bucket can do this. Because the objects keep their names and the bucket layout is unchanged, nothing looks amiss in a listing and the activity raises none of the usual alarms, which is why the researchers describe it as a "silent compromise". Some affected accounts were still operating normally, suggesting that some victims have not yet noticed their data is unreadable.
No data exfiltration has been observed, but the possibility that the attackers also set automated deletion schedules (S3 lifecycle rules that expire objects after a fixed number of days) adds urgency for victims. The keys used in the campaign, more than 1,200 of them, were identified among roughly 158 million leaked-credential records and likely came from the usual sources: secrets committed to public GitHub repositories, compromised CI/CD tooling such as Jenkins, misconfigured web application files, breaches of developer tools or password managers, stale IAM users, and secrets hardcoded in mobile apps. Cybersecurity researchers have alerted AWS to the campaign, which is automated and relies entirely on valid stolen keys rather than on any vulnerability in AWS itself.
Security Officer Comments:
This ransomware campaign targeting AWS S3 buckets through compromised access keys represents a concerning evolution in cloud ransomware. The scale, with over a thousand unique access keys in play, points to a widespread and largely automated operation. The abuse of SSE-C for "silent compromise" is the noteworthy part: SSE-C is a legitimate feature, the attacker's uploads are ordinary PutObject/CopyObject calls, and S3 data-plane calls are not recorded by CloudTrail unless S3 data events have been enabled on a trail, which they are not by default. Organizations that log only management events, or that have not restricted who may write to a bucket and with which encryption mode, therefore have a real blind spot here. The absence of exfiltration also shows that single extortion, threatening destruction or permanent loss of data, can be as effective as double extortion when the victim has no usable backup.
The likely origins of the stolen keys underline the persistent difficulty of keeping secrets out of source code, build systems and client applications, and of retiring credentials once they are no longer needed. AWS has been alerted; establishing the full scope and impact of the campaign will depend on that follow-up. In the meantime this incident should prompt every AWS customer to review their posture. The mitigations that matter most are: audit and rotate IAM credentials immediately and disable unused keys; turn on the AWS-native detection services, including S3 data-event logging; scan repositories and artifacts for exposed secrets; replace long-lived access keys with IAM roles and short-lived STS credentials under least privilege; and restrict SSE-C uploads with bucket or IAM policy, with enough logging in place to notice if the restriction is ever tested.
Suggested Corrections:
Cybernews researchers’ recommendations for hardening AWS environments:
- Audit all IAM credentials immediately. Disable unused access keys, rotate active ones, and remove IAM users that no longer need programmatic access.
- Enable AWS Config and GuardDuty (including its S3 protection) to detect suspicious access patterns, and turn on CloudTrail data events for S3 so that object-level reads and writes are actually logged.
- Use automated secret-scanning tools on public and internal repositories, build logs and application packages to find leaked keys.
- Prefer IAM roles and short-lived STS credentials over long-lived access keys, and remove hardcoded credentials from applications.
- Apply least-privilege permissions to all IAM roles and users; write access to a bucket should be granted only to the principals that need it.
- Monitor for new or unexpected files such as warning.txt appearing in buckets, and for unexpected lifecycle rules that expire objects.
- Add a bucket or IAM policy that denies uploads carrying a customer-provided key (the s3:x-amz-server-side-encryption-customer-algorithm condition key) wherever SSE-C is not legitimately used, and keep detailed logging enabled so attempts to bypass it are visible.
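As an added worked example, not code from the Cybernews or Hackread reports, the following Python shows the two controls from the last recommendation side by side: a bucket policy that refuses any upload carrying a customer-provided key, and a triage pass over CloudTrail S3 event records that flags the pattern described in the summary (SSE-C writes from an access key, a ransom note such as warning.txt, and a newly set lifecycle rule). The CloudTrail records are constructed for the example; the field names used (additionalEventData.SSEApplied with the value SSE_C, requestParameters.bucketName and key, userIdentity.accessKeyId) follow CloudTrail's S3 event schema, and the ransom-note filenames other than warning.txt are assumed. None of this produces any log lines unless S3 data events are enabled on the trail.

```python
"""Deny-SSE-C bucket policy plus CloudTrail triage (added example, not from the report)."""
import json
from collections import defaultdict

# S3 authorises CopyObject as s3:PutObject on the destination, so one statement on
# PutObject covers both ways of re-writing an object with a new key. Uploads using
# SSE-S3 or SSE-KMS never send the customer-algorithm header and are unaffected.
def deny_ssec_policy(bucket: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}},
        }],
    }

# warning.txt is the filename from the report; the other two names are assumptions.
RANSOM_NOTE_NAMES = {"warning.txt", "readme.txt", "how_to_recover.txt"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

def is_ssec(rec: dict) -> bool:
    """CloudTrail records the encryption mode applied to an object write in
    additionalEventData.SSEApplied; SSE_C means a customer-provided key was used."""
    return rec.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"

def triage(records):
    """Return {bucket: findings} for buckets showing any indicator of the campaign."""
    found = defaultdict(lambda: {"ssec_writes": 0, "keys": set(),
                                 "notes": [], "lifecycle_changes": 0})
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters", {}) or {}
        bucket = params.get("bucketName")
        if not bucket:
            continue
        name = rec.get("eventName")
        entry = found[bucket]
        if name in ("PutObject", "CopyObject"):
            key = params.get("key", "")
            if is_ssec(rec):
                entry["ssec_writes"] += 1
                entry["keys"].add(rec.get("userIdentity", {}).get("accessKeyId"))
            if key.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
                entry["notes"].append(key)
        elif name in LIFECYCLE_EVENTS:
            entry["lifecycle_changes"] += 1
    # Keep only buckets with at least one indicator; drop untouched ones.
    return {b: e for b, e in found.items()
            if e["ssec_writes"] or e["notes"] or e["lifecycle_changes"]}

# Constructed sample records, not real CloudTrail output.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-01.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "prod-backups", "key": "warning.txt"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "prod-backups"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"},
     "requestParameters": {"bucketName": "web-assets", "key": "img/logo.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

if __name__ == "__main__":
    print(json.dumps(deny_ssec_policy("prod-backups"), indent=2))
    for bucket, findings in triage(SAMPLE_EVENTS).items():
        print(bucket, {k: (sorted(v) if isinstance(v, set) else v)
                       for k, v in findings.items()})
```

In practice the triage function would be fed from the trail's S3 log objects or an Athena query over them; the key takeaway is that a single SSE-C write from a long-lived access key, or a new lifecycle rule on a bucket that never had one, is worth an alert on its own, before any ransom note appears.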
https://hackread.com/mass-ransomware-campaign-s3-buckets-stolen-aws-keys/
https://cybernews.com/security/aws-cloud-storage-bucket-ransomware-attacks/