
A new wave of ransomware attacks targets Amazon Web Services (AWS) customers by abusing a legitimate S3 feature, Server-Side Encryption with Customer-Provided Keys (SSE-C). Using stolen credentials, the threat actors re-encrypt the contents of Amazon S3 buckets under keys that only they hold, effectively locking victims out of their own data, and then demand ransom payments for the decryption keys.

The attack mechanism

Discovered by cybersecurity firm Halcyon, the campaign is attributed to a group known as “Codefinger.” Initial reports indicate that at least two organizations have fallen victim. The method is particularly insidious because it needs no exploit: the attackers start from compromised AWS credentials that carry ordinary object permissions, ‘s3:GetObject’ and ‘s3:PutObject’. With nothing more than that, they read each object and write it back with SSE-C headers, supplying an AES-256 key generated on their own machine; S3 encrypts the object with that key and sees the key only for the duration of each request. The critical property of this scheme is that AWS does not retain customer-provided keys (per AWS documentation, S3 stores only a salted HMAC of the key in order to validate later requests), so once the data has been rewritten, recovery is impossible without the attackers' key. Halcyon notes, “By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation.”
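To make that key-handling property concrete, here is an added model of the SSE-C PUT and GET path written for this page in Go; it is illustrative code, not S3's implementation and not from Halcyon's report. The bucket, object name, sample data and the choice of AES-256-GCM are assumptions; the one behaviour copied from S3's documented design is that the service keeps a salted HMAC of the customer key and never the key itself, so the same two permissions that read an object are enough to put it permanently beyond the owner's reach:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrKeyMismatch stands in for the 403 S3 returns when the resent SSE-C key does not validate.
var ErrKeyMismatch = errors.New("403 AccessDenied: SSE-C key does not match the object's key")

// storedObject is what the service keeps per object. For an SSE-C object that is only ciphertext,
// nonce and a salted HMAC of the customer key (as S3 documents); the key is discarded after the PUT.
type storedObject struct {
	sseC    bool
	data    []byte // plaintext for non-SSE-C objects (S3 would hold them under SSE-S3/KMS, transparently)
	nonce   []byte
	keySalt []byte
	keyMAC  []byte
}

// Bucket is a toy stand-in for an S3 bucket.
type Bucket map[string]storedObject

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func saltedKeyMAC(salt, key []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(key)
	return m.Sum(nil)
}

// gcmFor wraps a 256-bit key in AES-256-GCM (this model's cipher choice); neither call fails for 32 bytes.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// PutObject models a PutObject without SSE-C headers.
func (b Bucket) PutObject(name string, data []byte) {
	b[name] = storedObject{data: append([]byte(nil), data...)}
}

// PutObjectSSEC models PutObject with the x-amz-server-side-encryption-customer-* headers:
// encrypt under the caller's key, store ciphertext plus a salted HMAC of the key, drop the key.
func (b Bucket) PutObjectSSEC(name string, data, customerKey []byte) error {
	if len(customerKey) != 32 {
		return errors.New("400 InvalidArgument: SSE-C requires a 256-bit key")
	}
	aead := gcmFor(customerKey)
	nonce, salt := randomBytes(aead.NonceSize()), randomBytes(16)
	b[name] = storedObject{sseC: true, data: aead.Seal(nil, nonce, data, []byte(name)),
		nonce: nonce, keySalt: salt, keyMAC: saltedKeyMAC(salt, customerKey)}
	return nil
}

// GetObject models GetObject: plain objects come back transparently; for an SSE-C object the
// caller must resend the exact key, which is validated against the stored HMAC before decryption.
func (b Bucket) GetObject(name string, customerKey []byte) ([]byte, error) {
	obj, ok := b[name]
	if !ok {
		return nil, errors.New("404 NoSuchKey")
	}
	if !obj.sseC {
		return obj.data, nil
	}
	if !hmac.Equal(saltedKeyMAC(obj.keySalt, customerKey), obj.keyMAC) {
		return nil, ErrKeyMismatch // covers both "no key sent" and "wrong key sent"
	}
	return gcmFor(customerKey).Open(nil, obj.nonce, obj.data, []byte(name))
}

// ReencryptWithCustomerKey is the sequence the article describes: with only s3:GetObject and
// s3:PutObject, read the object and write it back under an SSE-C key the caller alone holds.
func ReencryptWithCustomerKey(b Bucket, name string, attackerKey []byte) error {
	plaintext, err := b.GetObject(name, nil)
	if err != nil {
		return err
	}
	return b.PutObjectSSEC(name, plaintext, attackerKey)
}

func main() {
	bucket, attackerKey := Bucket{}, randomBytes(32) // key generated locally by the attacker, never stored by the service
	bucket.PutObject("reports/q4.csv", []byte("constructed sample data")) // hypothetical object
	fmt.Println("re-encrypt:", ReencryptWithCustomerKey(bucket, "reports/q4.csv", attackerKey))
	_, err := bucket.GetObject("reports/q4.csv", nil)
	fmt.Println("owner without the key:", err)
}
```

Nothing in the bucket state after the re-encryption can yield the plaintext: the HMAC lets the service check a presented key, not reconstruct it. Backups, versioning or replication that predate the overwrite are the only recovery path, which is why the attackers' lifecycle rule and their warning against changing permissions both aim at closing those paths.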

Ransom demands and threats

After encrypting the data, Codefinger uses the S3 Object Lifecycle Management API to add a rule that expires the affected objects after seven days, putting a deadline on the extortion. They then leave ransom notes in the affected directories, instructing victims to pay a specified amount in Bitcoin in exchange for the decryption key. The note includes stern warnings against altering account permissions or attempting any unauthorized file modifications, threatening immediate termination of negotiations and leaving victims with no recourse for recovery.
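Both halves of the activity described so far, the SSE-C re-encryption writes and the lifecycle change, are visible in CloudTrail if S3 data events are enabled. The following Go detector is an added example written for this page, not tooling from Halcyon or AWS; it runs over a constructed log file embedded in the block. The field names it reads (eventName, userIdentity.arn, requestParameters.bucketName and key, the x-amz-server-side-encryption-customer-algorithm request parameter, and additionalEventData.SSEApplied with the value SSE_C) follow the CloudTrail record schema for S3 events, but confirm them against a record from your own trail before relying on the rule:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event holds the CloudTrail fields the detector reads. Names follow the CloudTrail record schema
// for S3 events (check them against your own trail); fields not declared here are ignored.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		BucketName string `json:"bucketName"`
		Key        string `json:"key"`
		SSECAlgo   string `json:"x-amz-server-side-encryption-customer-algorithm"`
	} `json:"requestParameters"`
	AdditionalEventData struct {
		SSEApplied string `json:"SSEApplied"`
	} `json:"additionalEventData"`
}

// Finding is one detector hit: the rule that fired, the principal, and what it touched.
type Finding struct {
	Rule, Principal, Detail string
}

// isSSECPut reports whether a record is a PutObject that S3 encrypted with a customer-provided key.
// SSEApplied=SSE_C is the primary signal; the request header is accepted as a fallback.
func isSSECPut(e Event) bool {
	if e.EventSource != "s3.amazonaws.com" || e.EventName != "PutObject" {
		return false
	}
	return e.AdditionalEventData.SSEApplied == "SSE_C" || e.RequestParameters.SSECAlgo != ""
}

// Detect scans one CloudTrail log file ({"Records":[...]}) and reports every SSE-C write (noise only
// if the account legitimately uses SSE-C), every lifecycle change, and any principal with at least
// threshold SSE-C writes, which is the mass re-encryption pattern the article describes.
func Detect(logFile []byte, threshold int) ([]Finding, error) {
	var file struct {
		Records []Event `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &file); err != nil {
		return nil, err
	}
	var findings []Finding
	ssecPuts := map[string]int{}
	for _, e := range file.Records {
		p, rp := e.UserIdentity.ARN, e.RequestParameters
		switch {
		case isSSECPut(e):
			ssecPuts[p]++
			findings = append(findings, Finding{"ssec-put", p, rp.BucketName + "/" + rp.Key})
		case e.EventSource == "s3.amazonaws.com" && e.EventName == "PutBucketLifecycle":
			findings = append(findings, Finding{"lifecycle-change", p, rp.BucketName})
		}
	}
	for p, n := range ssecPuts {
		if n >= threshold {
			findings = append(findings, Finding{"mass-ssec", p, fmt.Sprintf("%d SSE-C writes", n)})
		}
	}
	return findings, nil
}

// SampleLog is constructed data, not a real trail: one routine SSE-KMS write by an application
// role, then four SSE-C writes and a lifecycle change by a hypothetical compromised IAM user.
const SampleLog = `{"Records":[
{"eventTime":"2025-01-10T02:14:07Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-writer/i-0abc"},"requestParameters":{"bucketName":"acme-reports","key":"daily/2025-01-10.csv"},"additionalEventData":{"SSEApplied":"SSE_KMS"}},
{"eventTime":"2025-01-10T03:01:11Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"bucketName":"acme-reports","key":"daily/2025-01-07.csv","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}},
{"eventTime":"2025-01-10T03:01:12Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"bucketName":"acme-reports","key":"daily/2025-01-08.csv","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}},
{"eventTime":"2025-01-10T03:01:13Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"bucketName":"acme-reports","key":"daily/2025-01-09.csv","x-amz-server-side-encryption-customer-algorithm":"AES256"}},
{"eventTime":"2025-01-10T03:01:14Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"bucketName":"acme-reports","key":"daily/2025-01-10.csv","x-amz-server-side-encryption-customer-algorithm":"AES256"},"additionalEventData":{"SSEApplied":"SSE_C"}},
{"eventTime":"2025-01-10T03:01:40Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"},"requestParameters":{"bucketName":"acme-reports"}}
]}`

func main() {
	findings, err := Detect([]byte(SampleLog), 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-52s %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

Run on the sample, it flags the four SSE-C writes and the lifecycle change under the same principal, plus a single mass-ssec summary for that principal. In an account that never uses SSE-C, a single ssec-put is already worth paging on; the lifecycle change from an identity that does not normally administer buckets is the second signal, and the two together within minutes are the pattern to alert on before the seven-day clock runs out.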

Recommendations for AWS users

In light of these developments, Halcyon has urged AWS users to adopt stricter security measures. Amazon has stated that it strives to notify customers promptly when their keys are compromised. To mitigate risks, users are advised to:

  • Implement restrictive policies: avoid SSE-C unless it is genuinely required, and where it is not, deny ‘s3:PutObject’ requests that carry SSE-C headers in the bucket policy so that stolen credentials cannot use the feature at all.
  • Manage AWS access keys: disable unused keys, rotate active ones frequently, and review CloudTrail for unexpected S3 activity from each key.
  • Minimize permissions: grant each identity only the S3 actions and resources it needs; this attack requires nothing beyond ‘s3:GetObject’ and ‘s3:PutObject’ on the target bucket, so broad write access is the exposure to remove.
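For the first recommendation, an added example of a bucket policy that refuses any object write carrying SSE-C headers; it is written for this page, not taken from the article, Halcyon or AWS, and example-bucket is a placeholder. The condition key s3:x-amz-server-side-encryption-customer-algorithm is S3's own; the Null condition with "false" makes the Deny match only when that header is present, so normal SSE-S3 and SSE-KMS uploads are unaffected:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```

An explicit Deny in the bucket policy wins over any Allow in the compromised identity's IAM policy, which is the point: the attacker's ‘s3:PutObject’ still works for plain writes but the SSE-C variant is refused. Copies are covered as well, since a CopyObject is authorized as a PutObject on the destination. After applying it, verify with a test upload that sets SSE-C headers and confirm it is rejected; for many buckets the same statement can be rolled out once at the organization level rather than per bucket.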

As ransomware tactics continue to evolve, organizations must remain vigilant and proactive in securing their cloud environments against such threats. The Codefinger campaign is a stark reminder that a cloud provider's native features, combined with a single leaked credential, can be turned against the customer, and of the critical importance of credential hygiene, least privilege and preventive policy.
