AWS S3 feature abused by ransomware hackers to encrypt storage buckets
AWS server-side encryption is being abused in the next evolution of ransomware
![A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."](https://cdn.mos.cms.futurecdn.net/wEXMiPzVwyFScr9dUD6V9B-1200-80.jpg)
- Attackers access storage buckets with exposed AWS keys
- The files are then encrypted and scheduled for deletion after a week
- Halcyon says it observed at least two victims being attacked this way
Cybercriminals have started abusing legitimate AWS S3 features to encrypt victim buckets in a unique twist to the old ransomware attack.
Researchers from Halcyon recently observed multiple victims, all AWS-native software developers, being attacked this way. In the attack, the group, dubbed Codefinger, accessed their victims’ cloud storage buckets through publicly exposed, or otherwise compromised, AWS keys with read and write permissions.
After accessing the buckets, they would use AWS server-side encryption with customer provided keys (SSE-C) to lock down the files.
Marking files for deletion
But that’s not where the creativity ends with Codefinger. The group does not threaten to release the files to the public, or to delete them. Instead, it marks all the encrypted files for deletion within a week, also using AWS S3 native features.
Speaking to The Register, VP of services with the Halcyon RISE Team, Tim West, said this was the first time someone’s abused AWS native secure encryption infrastructure via SSE-C.
"Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data," he told the publication.
"This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said. "Data destruction represents an additional risk to targeted organizations."
Halcyon did not want to name the victims, and instead urged AWS customers to restrict the use of SSE-C.
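One way to act on that advice is a bucket policy that denies any object write carrying SSE-C headers, so a leaked key with write access cannot re-encrypt objects under an attacker-supplied key. The following is an added example, not Halcyon's or AWS's own code; the condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the one AWS documents for SSE-C, the bucket name is a placeholder, and the small auditor and simulator around it are hypothetical helpers for checking a policy offline.

```python
import json

# Added example (not Halcyon's or AWS's code). The condition key below is set by
# S3 only when a request carries SSE-C headers, so a Deny on its presence blocks
# writes that would re-encrypt objects under a customer-provided key.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that refuses any PutObject carrying SSE-C headers."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySSECWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null=false means "the key IS present", i.e. SSE-C was requested.
                "Condition": {"Null": {SSEC_KEY: "false"}},
            }
        ],
    }


def blocks_sse_c(policy: dict) -> bool:
    """Audit an existing bucket policy: does some statement deny SSE-C writes?"""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if (stmt.get("Effect") == "Deny"
                and any(a in ("s3:PutObject", "s3:*") for a in actions)
                and str(null_cond.get(SSEC_KEY, "")).lower() == "false"):
            return True
    return False


def simulate_put(policy: dict, request_headers: dict) -> bool:
    """True if a PutObject with these headers gets past the policy's SSE-C deny."""
    uses_sse_c = "x-amz-server-side-encryption-customer-algorithm" in request_headers
    return not (uses_sse_c and blocks_sse_c(policy))


if __name__ == "__main__":
    pol = deny_sse_c_policy("example-bucket")  # placeholder bucket name
    print(json.dumps(pol, indent=2))
    # An SSE-C upload like Codefinger's is refused; a plain upload still works.
    print(simulate_put(pol, {"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    print(simulate_put(pol, {}))
```

The policy only stops further SSE-C writes; objects already re-encrypted and lifecycle rules already set are unaffected, and the exposed key itself still has to be revoked.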
Amazon, on the other hand, told The Register it does what it can, whenever it spots exposed keys, and urged customers to follow best practices when it comes to cybersecurity.
In a statement shared with TechRadar Pro, an AWS spokesperson said AWS helps customers secure their cloud resources through a shared responsibility model:
"Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment."
The spokesperson also stressed AWS encourages all customers to follow security, identity, and compliance best practices.
"In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account."
"AWS provides a rich set of capabilities that eliminate the need to ever store credentials in source code or in configuration files. IAM Roles enable applications to securely make signed API requests from EC2 instances, ECS or EKS containers, or Lambda functions using short-term credentials that are automatically deployed, frequently rotated, requiring zero customer management. Even compute nodes outside the AWS cloud can make authenticated calls without long-term AWS credentials using the Roles Anywhere feature.
Developer workstations use Identity Center to obtain short-term credentials backed by their longer-term user identities protected by MFA tokens. All these technologies rely on the AWS Security Token Service (AWS STS) to issue temporary security credentials that can control access to their AWS resources without distributing or embedding long-term AWS security credentials within an application, whether in code or configuration files. Even secure access to non-AWS technologies can be protected using the AWS Secrets Manager service.
The purpose of that service is to create, manage, retrieve, and automatically rotate non-AWS credentials like database usernames and passwords, non-AWS API keys, and other such secrets throughout their lifecycles."
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.