This post was originally published on this site
A new ransomware campaign encrypts Amazon S3 buckets using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
The campaign was discovered by Halcyon, who reported that a threat actor named “Codefinger” had encrypted at least two victims. However, the operation could escalate or the tactic could be adopted by more threat actors soon.
Encrypting cloud storage
Amazon Simple Storage Service (S3) is a scalable, secure, and high-speed object storage service by Amazon Web Services (AWS), and S3 buckets are cloud storage containers for storing files, data backups, media, logs, etc.
SSE-C is an encryption option to secure S3 data at rest, allowing customers to use their own encryption key to encrypt and decrypt their data using the AES-256 algorithm. AWS does not store the key, and customers are responsible for generating the key, managing it, and securing it.
In the attacks by Codefinger, the threat actors used compromised AWS credentials to locate victim’s keys with ‘s3:GetObject’ and ‘s3:PutObject’ privileges, which allow these accounts to encrypt objects in S3 buckets through SSE-C.
The attacker then generates an encryption key locally to encrypt the target’s data.
Since AWS doesn’t store these encryption keys, data recovery without the attacker’s key is impossible, even if the victim reports unauthorized activity to Amazon.
“By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation,” explains Halcyon.
Next, the attacker sets a seven-day file deletion policy using the S3 Object Lifecycle Management API and drops ransom notes on all affected directories that instruct the victim to pay ransom on a given Bitcoin address in exchange for the custom AES-256 key.
The ransom also warns the victim that if they attempt to change account permissions or modify files on the bucket, the attackers will unilaterally terminate the negotiations, leaving the victim with no way to recover their data.
Defending against Codefinger
Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.
Amazon also encourages people to implement strict security protocols and follow these steps to quickly resolve unauthorized AWS account activity issues.
Halcyon also suggests that AWS customers set restrictive policies that prevent the use of SSE-C on their S3 buckets.
Concerning AWS keys, unused keys should be disabled, active ones should be rotated frequently, and account permissions should be kept at the minimum level required.