A new ransomware campaign, attributed to a threat actor known as “Codefinger,” has begun to exploit Amazon Web Services’ (AWS) Server-Side Encryption with Customer-Provided Keys (SSE-C) feature to encrypt data stored in S3 buckets. This attack forces victims to pay a ransom to obtain the necessary decryption keys, according to a report from Halcyon.
What is the SSE-C feature and how are attackers using it?
Amazon S3 (Simple Storage Service) is a widely used cloud storage service that companies rely on to store files, backups, logs, and other data. The SSE-C feature allows customers to manage their own encryption keys, utilizing the AES-256 algorithm to protect stored data.
However, in recent attacks, cybercriminals have exploited compromised AWS credentials to locate access keys that carry the ‘s3:GetObject’ and ‘s3:PutObject’ permissions, allowing them to encrypt the data stored in S3 buckets using their own locally generated encryption keys.
Once encrypted, the data becomes inaccessible to the victims, as AWS does not store the encryption keys used with SSE-C. This means that even if victims report unauthorized activity to AWS, there is no way to recover the data without the attackers’ cooperation.
Attack Method
- Initial Compromise: Attackers obtain valid AWS credentials with specific permissions to access and modify data in S3 buckets.
- Data Encryption: They use SSE-C to encrypt the data stored in the buckets, generating a custom key that only they possess.
- Ransom Note: They place payment instructions in the affected directories, demanding a ransom in Bitcoin to provide the necessary AES-256 key for decryption. Additionally, they threaten to delete the data if victims attempt to change permissions or modify the files.
- Deletion Policy: They configure a seven-day automatic deletion period using the API for S3 object lifecycle management, intensifying pressure on victims to pay quickly.
Recommendations for Protection
AWS and Halcyon have suggested several measures to prevent similar attacks:
- Restrict Use of SSE-C: Configure policies to disable SSE-C functionality on S3 buckets.
- Key Management:
  - Disable unused keys.
  - Regularly rotate active keys.
  - Implement strict permission controls, limiting them to the minimum necessary.
- Monitoring and Notification:
  - Enable alerts to detect unauthorized activity.
  - Monitor access to S3 buckets and review permissions regularly.
- Education and Security Protocols:
  - Train staff to recognize phishing attempts and secure access credentials.
  - Implement multi-factor authentication (MFA) on all AWS accounts.
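The two technical recommendations above (restricting SSE-C and monitoring bucket activity) can be made concrete. The following is an added example, not code from the article, from Halcyon or from AWS: a bucket policy that denies PutObject requests carrying the SSE-C algorithm header (the condition key s3:x-amz-server-side-encryption-customer-algorithm is the one AWS documents for this purpose), and a small scanner over CloudTrail S3 data events that flags the two signals the attack leaves behind: objects written with SSEApplied equal to SSE_C, and lifecycle rules that expire objects within seven days. The bucket name, account id, principal names and every event record are constructed samples; the exact layout of the lifecycle configuration inside a CloudTrail requestParameters block is an assumption, so adjust it to the records your account actually produces.

```python
# Added example (not from the article, AWS or Halcyon): a bucket policy that
# refuses SSE-C uploads, plus a CloudTrail scan for the two signals described
# above. The bucket name and all events below are constructed samples.

BUCKET = "example-backups-bucket"  # constructed placeholder, not a real bucket

# Preventive control. "Null": "false" means "this condition key IS present",
# so only requests carrying the SSE-C algorithm header are denied; uploads
# with no encryption, SSE-S3 or SSE-KMS are untouched by this statement.
DENY_SSE_C_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySSECUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
    }],
}


def put_denied_by_policy(request_headers: dict) -> bool:
    """Local model of the statement above: denied exactly when the SSE-C
    algorithm header is present on the PutObject request, whatever its value."""
    return "x-amz-server-side-encryption-customer-algorithm" in {
        h.lower() for h in request_headers}


SHORT_EXPIRATION_DAYS = 7  # the pressure window the article describes


def _s3_events(events, names):
    """Yield only S3 data events whose eventName is in `names`."""
    for ev in events:
        if ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in names:
            yield ev


def find_sse_c_puts(events: list) -> list:
    """(bucket, key, caller ARN) for each PutObject where S3 applied SSE-C.
    SSEApplied is the additionalEventData field CloudTrail records for S3."""
    hits = []
    for ev in _s3_events(events, {"PutObject"}):
        if ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            p = ev.get("requestParameters", {})
            hits.append((p.get("bucketName"), p.get("key"),
                         ev.get("userIdentity", {}).get("arn")))
    return hits


def find_short_lifecycle_rules(events: list, max_days: int = SHORT_EXPIRATION_DAYS) -> list:
    """(bucket, days) for enabled lifecycle rules expiring objects within max_days.
    Assumption: CloudTrail records the configuration under requestParameters
    as LifecycleConfiguration.Rule (a dict for one rule, a list for several)."""
    hits = []
    for ev in _s3_events(events, {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}):
        p = ev.get("requestParameters", {})
        rules = p.get("LifecycleConfiguration", {}).get("Rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((p.get("bucketName"), days))
    return hits


def _event(name, user, params, extra=None):
    """Build a constructed CloudTrail-shaped record with only the fields used here."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params, "additionalEventData": extra or {}}


SAMPLE_EVENTS = [
    # routine backup written with SSE-S3: not flagged
    _event("PutObject", "backup-job",
           {"bucketName": BUCKET, "key": "backups/2025-01-10.tar"}, {"SSEApplied": "SSE_S3"}),
    # object rewritten with a customer-provided key: flagged
    _event("PutObject", "stolen-key-user",
           {"bucketName": BUCKET, "key": "backups/db.sql"}, {"SSEApplied": "SSE_C"}),
    # lifecycle rule expiring everything after seven days: flagged
    _event("PutBucketLifecycle", "stolen-key-user",
           {"bucketName": BUCKET, "LifecycleConfiguration": {"Rule": {
               "ID": "expire", "Status": "Enabled", "Expiration": {"Days": 7}}}}),
    # ordinary one-year retention on logs: not flagged
    _event("PutBucketLifecycle", "admin",
           {"bucketName": BUCKET, "LifecycleConfiguration": {"Rule": [{
               "ID": "retain", "Status": "Enabled", "Expiration": {"Days": 365}}]}}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(DENY_SSE_C_POLICY, indent=2))
    print("SSE-C uploads:", find_sse_c_puts(SAMPLE_EVENTS))
    print("short lifecycle rules:", find_short_lifecycle_rules(SAMPLE_EVENTS))
```

The policy document can be written to a file and applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`; before enforcing it, confirm that no legitimate workload relies on SSE-C, and consider adding s3:CopyObject to the Action list, since a copy can also carry the SSE-C header for its destination. The detector only works if S3 data events (object-level logging) are enabled in CloudTrail, which is off by default; a PutObject call that reports SSE_C on a bucket that never used customer-provided keys, or a new lifecycle rule with a single-digit expiration, deserves an immediate alert rather than a weekly review.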
A Warning for the Future
The use of AWS native services to carry out sophisticated attacks like this underscores the need for robust security management in cloud environments. While Amazon acts quickly to notify customers of potential compromises, users must take a proactive role in implementing preventive measures.
The “Codefinger” attack highlights the risks of relying on default configurations and emphasizes the importance of maintaining a proactive security posture against emerging threats in the cloud.
via: Bleeping Computer