A new ransomware campaign has surfaced, leveraging Amazon Web Services’ (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets.
This attack was launched by a group known as “Codefinger,” to exploit legitimate cloud-native features rather than vulnerabilities in AWS itself.
The attackers use compromised AWS account credentials with permissions to read and write S3 objects. By employing AWS’s SSE-C feature, they encrypt data stored in targeted S3 buckets with AES-256 encryption keys that only they possess.
This innovative approach renders the data irrecoverable without paying the ransom.
Unlike traditional ransomware, which encrypts files locally or in transit, this attack integrates seamlessly with AWS’s built-in encryption infrastructure.
AWS logs only an HMAC (hash-based message authentication code) of the encryption key, which is insufficient to reconstruct the key or decrypt the data, making recovery impossible without cooperation from the attackers.
The attackers amplify pressure by setting lifecycle policies for files, marking them for deletion within seven days.
Victims receive ransom notes in affected directories containing Bitcoin payment instructions and warnings against altering account permissions or files.
The ransomware attack is perpetrated by a group dubbed “Codefinger.” Halcyon, a cybersecurity firm, has identified two victims in recent weeks, neither of whom were Halcyon customers at the time of the attacks.
This campaign is believed to be the first known instance of SSE-C being exploited in this manner.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
How Does the Attack Works:
Codefinger uses publicly disclosed or stolen AWS keys with permissions to perform s3:GetObject and s3:PutObject operations.
According to Halcyon report, Using the x-amz-server-side-encryption-customer-algorithm header, the attackers initiate encryption with a custom-generated AES-256 encryption key. This key is stored locally by the attackers and never logged or stored by AWS.
“The attackers apply S3 object lifecycle policies to schedule the deletion of encrypted files within seven days, creating a tight negotiation window for ransom payment.”
Victims find ransom notes in each affected directory, which include Bitcoin payment addresses and unique client IDs. The notes warn victims against tampering with account permissions, stating it will “end negotiations.”
SSE-C is designed to securely encrypt data at rest, but this attack subverts the feature for malicious purposes. Once encrypted with an external key, the data cannot be decrypted without access to the specific encryption key that only the attackers hold.
“AWS CloudTrail logs only the HMAC of the encryption key, which is insufficient for forensic analysis or data recovery. Existing AWS safeguards are powerless against this method once credentials are compromised.”
By leveraging cloud-native tools, Codefinger has introduced a new level of sophistication to ransomware attacks. Their method could pose a systemic threat to organizations using Amazon S3 for critical data storage if widely adopted by cybercriminals.
How to Prevent
Organizations must take immediate action to secure their AWS environments and reduce the risk of this type of attack. Halcyon recommends the following measures:
1. Restrict SSE-C Usage: Use IAM policies to restrict SSE-C encryption by incorporating the Condition element. This limits the use of SSE-C to authorized users and data only.
2. Monitor and Audit AWS Keys: Regularly review and audit permissions for AWS keys. Disable unused credentials and rotate active keys frequently to minimize exposure.
3. Strengthen Logging and Monitoring: Enable detailed logging for S3 operations to detect unusual activity, such as bulk encryption or sudden lifecycle policy changes.
4. Engage AWS Support: Work with AWS Support to identify potential vulnerabilities in your configuration and implement tailored security measures.
AWS Response
Halcyon informed Amazon Web Services of its findings, prompting AWS to issue a statement emphasizing their shared responsibility model for cloud security.
AWS noted that they proactively notify customers of exposed keys and investigate such incidents thoroughly. Their guidance for customers includes:
- AWS encourages the use of Identity and Access Management (IAM) roles and temporary security credentials issued through AWS Security Token Service (AWS STS). These practices eliminate the risks associated with embedding long-term credentials in source code or configurations.
- AWS Secrets Manager helps securely store and rotate non-AWS credentials, such as database usernames and API keys, reducing the likelihood of accidental exposure.
AWS reaffirmed its commitment to assisting customers in securing their environments and urged organizations to practice robust identity, compliance, and access management practices.
This ransomware attack highlights the increasing sophistication of cyber threats in the cloud era. By exploiting legitimate cloud features like SSE-C, Codefinger has demonstrated how readily available aws tools can be weaponized for malicious purposes.
Organizations using AWS must strengthen their security postures and implement proactive measures to mitigate these risks. With data loss potentially permanent and recovery contingent on paying ransom, businesses cannot afford to take the security of their cloud environments lightly.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!