- Attackers access storage buckets with exposed AWS keys
- The files are then encrypted and scheduled for deletion after a week
- Halycon says it observed at least two victims being attacked this way
Cybercriminals have started exploiting legitimate AWS S3 features to encrypt victim buckets in a unique twist to the old ransomware attack.
Researchers from Halycon recently observed multiple victims, all AWS native software developers, being attacked this way. In the attack, the group, dubbed Codefinger, accessed their victims’ cloud storage buckets through publicly exposed, or otherwise compromised, AWS keys with read and write permissions.
After accessing the buckets, they would use AWS server-side encryption with customer provided keys (SSE-C) to lock down the files.
Marking files for deletion
But that’s not where creativity ends with Codefinger. The group does not threaten to release the files to the public, or delete it. Instead, it marks all the encrypted files for deletion within a week, also using AWS S3 native features.
Speaking to The Register, VP of services with the Halcyon RISE Team, Tim West, said this was the first time someone’s abused AWS native secure encryption infrastructure via SSE-C.
“Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data,” he told the publication.
“This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand,” West said. “Data destruction represents an additional risk to targeted organizations.”
Halcyon did not want to name the victims, and instead urged AWS customers to restrict the use of SSE-C.
Amazon, on the other hand, told The Register it does what it can, whenever it spots exposed keys, and urged customers to follow best practices when it comes to cybersecurity.
Leave a comment