
Compromised AWS Keys Abused in Codefinger Ransomware Attacks

A ransomware group tracked as Codefinger is using compromised AWS keys to encrypt S3 bucket data using SSE-C.

A threat actor has been observed abusing compromised AWS keys to encrypt data in S3 buckets and demand a ransom payment in exchange for the encryption keys, cybersecurity firm Halcyon reports.

As part of the identified attacks, the threat actor, tracked as Codefinger, relies on stolen credentials and on AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) for encryption, which prevents data recovery without the attacker-generated key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

The threat actor looks for keys with permissions to read and write S3 objects (s3:GetObject and s3:PutObject), then starts the encryption process by invoking SSE-C with a locally generated and stored AES-256 encryption key.

“AWS processes the key during the encryption operation but does not store it. Instead, only an HMAC (hash-based message authentication code) is logged in AWS CloudTrail. This HMAC is not sufficient to reconstruct the key or decrypt the data,” Halcyon explains.

The attackers drop a ransom note in each directory, instructing the victim to pay a ransom and to refrain from changing account permissions. To further pressure the victim, the attackers use the S3 Object Lifecycle Management API to mark the files for deletion within seven days.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it.

Organizations can mitigate the risk of such attacks by configuring IAM policies that prevent SSE-C from being applied to S3 buckets, or by restricting the feature to authorized data and users.
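The following is an added example, not code from the article, Halcyon or AWS. It embeds a constructed bucket policy that denies any PutObject carrying SSE-C headers, using the AWS condition key s3:x-amz-server-side-encryption-customer-algorithm (present on a request only when the client supplies customer-provided-key headers), and a minimal evaluator for the subset of IAM semantics needed to show the policy's effect: explicit Deny wins, then Allow, otherwise implicit deny. The principal ARN, bucket name and object key are placeholders.

```python
"""Minimal evaluator for an S3 bucket policy that denies SSE-C uploads.

Added example (not from the article, Halcyon or AWS). It implements only the
IAM semantics used here: Deny beats Allow, implicit deny by default, the
"Null" and "StringEquals" condition operators, and '*' wildcards in
Action/Resource. All ARNs and names are constructed placeholders.
"""
import fnmatch
import json

# Constructed bucket policy: allow normal writes for one role, deny any
# PutObject that carries customer-provided-key (SSE-C) encryption headers.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectWrites",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenySSEC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
      }
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return caller_arn in _as_list(principal.get("AWS", []))
    return False


def _condition_matches(condition, context):
    """Evaluate Null and StringEquals operators; every clause must match."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in context
            if operator == "Null":
                # "true" means the key must be absent, "false" that it must be present
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy, caller_arn, action, resource, context):
    """Return 'Deny' or 'Allow' for one request against the policy.

    context holds the request's condition keys, e.g. the SSE-C algorithm
    header when the client asks for customer-provided-key encryption.
    """
    decision = "Deny"  # implicit deny unless an Allow statement matches
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


WRITER = "arn:aws:iam::123456789012:role/app-writer"   # placeholder principal
OBJECT = "arn:aws:s3:::example-bucket/reports/q4.csv"  # placeholder object

if __name__ == "__main__":
    plain = {}
    ssec = {"s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}
    print(evaluate(BUCKET_POLICY, WRITER, "s3:PutObject", OBJECT, plain))  # Allow
    print(evaluate(BUCKET_POLICY, WRITER, "s3:PutObject", OBJECT, ssec))   # Deny
```

The Deny statement uses Principal "*" so that it also covers a stolen key belonging to an identity the Allow statement names; the legitimate writer keeps ordinary uploads (SSE-S3 or SSE-KMS) while any request that presents a customer-provided key is refused.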


Furthermore, they are advised to regularly review permissions for AWS keys and to remove unused keys, as well as to enable logging for S3 operations to identify unusual behavior.
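As an added example of the logging advice above (not code from the article, Halcyon or AWS), the script below runs over a few constructed CloudTrail-style S3 events and groups, per access key, the two signals the article describes: PutObject calls that request SSE-C, and a bucket lifecycle rule that expires objects within seven days. The event shapes are simplified and constructed; the header name under requestParameters and the "SSEApplied" value under additionalEventData are assumptions to verify against your own CloudTrail data events, and the access key IDs and bucket names are placeholders.

```python
"""Flag CloudTrail S3 events matching the SSE-C ransomware pattern.

Added example; not from the article, Halcyon or AWS. Checks two signals per
access key: PutObject requests carrying SSE-C headers, and a lifecycle rule
with a short expiration. Event shapes are constructed and simplified; the
SSE-C header name in requestParameters and "SSEApplied" in
additionalEventData are assumptions to confirm against real logs.
"""
import json
from collections import defaultdict

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed field name
MAX_EXPIRY_DAYS = 7  # the article reports deletion being scheduled within seven days

# Constructed sample events (placeholder key IDs and bucket names, not real data).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2025-01-13T02:14:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2024-12.dump",
                           SSEC_HEADER: "AES256"}},
    {"eventTime": "2025-01-13T02:14:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01.dump",
                           SSEC_HEADER: "AES256"}},
    {"eventTime": "2025-01-13T02:20:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"bucketName": "corp-backups",
                           "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 7}}}}},
    {"eventTime": "2025-01-13T09:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"},
     "requestParameters": {"bucketName": "corp-backups", "key": "app/config.json",
                           "x-amz-server-side-encryption": "aws:kms"}},
]]


def uses_ssec(event):
    """True if the PutObject asked for customer-provided-key encryption."""
    params = event.get("requestParameters") or {}
    if params.get(SSEC_HEADER):
        return True
    return (event.get("additionalEventData") or {}).get("SSEApplied") == "SSE_C"


def short_expiry_days(event):
    """Return the smallest Expiration.Days across lifecycle rules, else None."""
    conf = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = conf.get("Rule", [])
    rules = rules if isinstance(rules, list) else [rules]
    days = [r.get("Expiration", {}).get("Days") for r in rules]
    days = [d for d in days if isinstance(d, int)]
    return min(days) if days else None


def analyze(lines):
    """Return {accessKeyId: summary} for keys showing either signal.

    A key with both SSE-C writes and a short lifecycle expiry is rated
    'high'; one signal alone is 'medium'.
    """
    per_key = defaultdict(lambda: {"ssec_puts": 0, "buckets": set(), "lifecycle_days": None})
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if ev.get("eventName") == "PutObject" and uses_ssec(ev):
            per_key[key]["ssec_puts"] += 1
            per_key[key]["buckets"].add(bucket)
        elif ev.get("eventName") == "PutBucketLifecycle":
            d = short_expiry_days(ev)
            if d is not None and d <= MAX_EXPIRY_DAYS:
                per_key[key]["lifecycle_days"] = d
                per_key[key]["buckets"].add(bucket)
    flagged = {}
    for key, s in per_key.items():
        if s["ssec_puts"] or s["lifecycle_days"] is not None:
            s["severity"] = "high" if s["ssec_puts"] and s["lifecycle_days"] is not None else "medium"
            flagged[key] = s
    return flagged


if __name__ == "__main__":
    for key, summary in analyze(SAMPLE_EVENTS).items():
        print(key, summary["severity"], summary["ssec_puts"], sorted(summary["buckets"]))
```

Running this over a CloudTrail export requires S3 data events to be enabled for the buckets in question; management events alone carry the lifecycle change but not the individual PutObject calls.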

Responding to a SecurityWeek inquiry, an AWS spokesperson said that Halcyon’s report is based on encountering the issue at two organizations.

“AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment.”

“We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account,” AWS said.

The spokesperson also pointed out that AWS provides customers with a broad range of access control and authentication capabilities, eliminating the need to store credentials and offering automated credential and secrets management features that cover both AWS and non-AWS resources.

*Updated with statement from AWS.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
