AWS S3 feature abused by ransomware hackers to encrypt storage buckets


  • Attackers access storage buckets with exposed AWS keys
  • The files are then encrypted and scheduled for deletion after a week
  • Halcyon says it observed at least two victims being attacked this way

Cybercriminals have started abusing legitimate AWS S3 features to encrypt victim buckets in a unique twist to the old ransomware attack.

Researchers from Halcyon recently observed multiple victims, all AWS-native software developers, being attacked this way. In the attack, the group, dubbed Codefinger, accessed their victims’ cloud storage buckets through publicly exposed, or otherwise compromised, AWS keys with read and write permissions.

After accessing the buckets, they would use AWS server-side encryption with customer-provided keys (SSE-C) to lock down the files.

Marking files for deletion

But that’s not where the creativity ends with Codefinger. The group does not threaten to release the files to the public, or to delete them. Instead, it marks all the encrypted files for deletion within a week, also using native AWS S3 features.

Speaking to The Register, VP of services with the Halcyon RISE Team, Tim West, said this was the first time someone’s abused AWS native secure encryption infrastructure via SSE-C.

"Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data," he told the publication.

"This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said. "Data destruction represents an additional risk to targeted organizations."

Halcyon did not want to name the victims, and instead urged AWS customers to restrict the use of SSE-C.
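The attack chain described above (compromised keys, SSE-C writes, lifecycle-based deletion) and Halcyon's advice to restrict SSE-C translate into two concrete controls. The following is an added example, not code from the article, Halcyon or AWS: a bucket policy that denies object writes carrying customer-provided keys, and a small detector over constructed CloudTrail-style events that flags SSE-C writes and short lifecycle expirations. The CloudTrail field names in the sample events are assumptions about the log shape and should be checked against real trails before use.

```python
"""Added example (not from the article or Halcyon): defensive controls for SSE-C abuse."""
from typing import Optional

# IAM condition key that is present only when a request supplies SSE-C headers.
SSEC_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy that rejects any object write using a customer-provided key.
    'Null: false' means the SSE-C header IS present, so the Deny applies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",  # CopyObject also needs s3:PutObject on the target
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_ALGO_KEY: "false"}},
        }],
    }


def flag_event(ev: dict, max_expiry_days: int = 30) -> Optional[str]:
    """Return a finding label for one CloudTrail-style event, or None if benign."""
    name = ev.get("eventName")
    params = ev.get("requestParameters") or {}
    extra = ev.get("additionalEventData") or {}
    if name in ("PutObject", "CopyObject") and (
            params.get("x-amz-server-side-encryption-customer-algorithm")
            or extra.get("SSEApplied") == "SSE_C"):
        return "ssec-write"
    if name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
        rules = [rules] if isinstance(rules, dict) else rules
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and days <= max_expiry_days:
                return "short-lifecycle-expiration"  # objects scheduled to vanish soon
    return None


def scan(events: list) -> list:
    """Run flag_event over a batch and keep only the hits."""
    return [(e["eventName"], f) for e in events if (f := flag_event(e))]


# Constructed sample events (not real log data); shapes approximate CloudTrail records.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "requestParameters": {"bucketName": "example-bucket", "key": "a.txt",
     "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutObject", "requestParameters": {"bucketName": "example-bucket", "key": "b.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "requestParameters": {"bucketName": "example-bucket",
     "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 7}, "Status": "Enabled"}}}},
]
```

Pair the policy with bucket versioning or Object Lock so that an SSE-C overwrite does not destroy the only readable copy; the policy alone only blocks new SSE-C writes.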

Amazon, for its part, told The Register it takes action whenever it spots exposed keys, and urged customers to follow cybersecurity best practices.

In a statement shared with TechRadar Pro, an AWS spokesperson said AWS helps customers secure their cloud resources through a shared responsibility model:

"Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment."

The spokesperson also stressed AWS encourages all customers to follow security, identity, and compliance best practices.

"In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account."

"AWS provides a rich set of capabilities that eliminate the need to ever store credentials in source code or in configuration files. IAM Roles enable applications to securely make signed API requests from EC2 instances, ECS or EKS containers, or Lambda functions using short-term credentials that are automatically deployed, frequently rotated, requiring zero customer management. Even compute nodes outside the AWS cloud can make authenticated calls without long-term AWS credentials using the Roles Anywhere feature.

Developer workstations use Identity Center to obtain short-term credentials backed by their longer-term user identities protected by MFA tokens. All these technologies rely on the AWS Security Token Service (AWS STS) to issue temporary security credentials that can control access to their AWS resources without distributing or embedding long-term AWS security credentials within an application, whether in code or configuration files. Even secure access to non-AWS technologies can be protected using the AWS Secrets Manager service.

The purpose of that service is to create, manage, retrieve, and automatically rotate non-AWS credentials like database usernames and passwords, non-AWS API keys, and other such secrets throughout their lifecycles."

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
