Compromised AWS Keys Abused in Codefinger Ransomware Attacks

A ransomware group tracked as Codefinger is using compromised AWS keys to encrypt S3 bucket data using SSE-C.

A threat actor has been observed abusing compromised AWS keys to encrypt data in S3 buckets and demand a ransom payment in exchange for the encryption keys, cybersecurity firm Halcyon reports.

As part of the identified attacks, the threat actor, tracked as Codefinger, relies on stolen credentials and on AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) for encryption, which prevents data recovery without the attacker-generated key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

The threat actor looks for keys with permissions to read and write S3 objects (s3:GetObject and s3:PutObject), then launches the encryption process by invoking SSE-C with a locally generated and stored AES-256 encryption key.

“AWS processes the key during the encryption operation but does not store it. Instead, only an HMAC (hash-based message authentication code) is logged in AWS CloudTrail. This HMAC is not sufficient to reconstruct the key or decrypt the data,” Halcyon explains.

The attackers drop a ransom note in each directory, instructing the victim to pay a ransom and to refrain from changing account permissions. To further pressure the victim, the attackers use the S3 Object Lifecycle Management API to mark the files for deletion within seven days.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it.

Organizations can mitigate the risk by configuring IAM policies that block SSE-C on their S3 buckets, or that restrict the feature to authorized data and users.

Furthermore, they are advised to regularly review permissions for AWS keys and to remove unused keys, as well as to enable logging for S3 operations to identify unusual behavior.
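As an added illustration of those two mitigations (this is not Halcyon's or AWS's code), the Python below builds the policy statement that denies any PutObject carrying an SSE-C key, and scans constructed CloudTrail-style records for SSE-C writes per access key and for lifecycle rules that expire objects within seven days. The `s3:x-amz-server-side-encryption-customer-algorithm` condition key is real; the `SSEApplied` value `"SSE_C"` and the `LifecycleConfiguration` nesting in the sample records are assumptions to confirm against your own trail.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real logs). Field names follow CloudTrail's
# S3 event shape; the SSEApplied value "SSE_C" for customer-provided keys and the
# LifecycleConfiguration nesting are assumptions to verify against your own trail.
KEY_A, KEY_B = "AKIAEXAMPLE000000001", "AKIAEXAMPLE000000002"
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": KEY_A},
     "requestParameters": {"bucketName": "finance-data", "key": "q1/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": KEY_A},
     "requestParameters": {"bucketName": "finance-data", "key": "q1/payroll.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": KEY_B},
     "requestParameters": {"bucketName": "finance-data", "key": "q1/notes.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": KEY_A},
     "requestParameters": {"bucketName": "finance-data", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
]

def ssec_writes_by_key(events):
    """Count PutObject calls that applied SSE-C, keyed by (access key, bucket)."""
    counts = Counter()
    for e in events:
        if e.get("eventName") == "PutObject" and \
                e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            counts[(e["userIdentity"]["accessKeyId"], e["requestParameters"]["bucketName"])] += 1
    return counts

def short_expiration_rules(events, max_days=7):
    """Return (access key, bucket, days) for lifecycle rules expiring objects within max_days."""
    hits = []
    for e in events:
        if e.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        params = e["requestParameters"]
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):  # one rule or a list
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and days <= max_days:
                hits.append((e["userIdentity"]["accessKeyId"], params["bucketName"], days))
    return hits

def ssec_deny_statement(bucket):
    """Policy statement denying any PutObject that supplies an SSE-C key (Null condition)."""
    return {"Effect": "Deny", "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}

if __name__ == "__main__":
    print(ssec_writes_by_key(SAMPLE_EVENTS), short_expiration_rules(SAMPLE_EVENTS))
```

A burst of SSE-C writes from one key, followed by a seven-day expiration rule from the same key, is the sequence the article describes; alert on the pair rather than on either alone.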

Responding to a SecurityWeek inquiry, an AWS spokesperson said that Halcyon’s report is based on encountering the issue at two organizations.

“AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment.”

“We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account,” AWS said.

The spokesperson also pointed out that AWS provides customers with a broad range of access control and authentication capabilities, eliminating the need to store credentials and offering automated credential and secrets management features that cover both AWS and non-AWS resources.

*Updated with statement from AWS.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.