- Attackers access storage buckets with exposed AWS keys
- The files are then encrypted and scheduled to be deleted after a week
- Halcyon says it observed at least two victims attacked in this way
Cybercriminals have begun exploiting legitimate AWS S3 features to encrypt victims’ buckets, a unique twist on the old ransomware attack.
Halcyon researchers recently observed several victims, all AWS-native software developers, being attacked in this manner. In the attack, the group, dubbed Codefinger, accessed its victims’ cloud storage buckets via publicly exposed or otherwise compromised AWS keys with read and write permissions.
After accessing the buckets, they would use AWS server-side encryption with customer-provided keys (SSE-C) to lock the files.
Marking files for deletion
But the creativity doesn’t stop there with Codefinger. The group does not threaten to make the files public or delete them. Instead, it marks all encrypted files for deletion within a week, also using native AWS S3 features.
Speaking to The Register, Tim West, Vice President of Services at Halcyon's RISE Team, said this was the first time anyone had abused AWS's native secure encryption infrastructure through SSE-C.
“Historically, AWS Identity IAM keys are leaked and used for data theft, but if this approach becomes widely adopted, it could represent a significant systemic risk for organizations that rely on AWS S3 for critical data storage,” he told the publication.
“This is unique in that most ransomware operators and affiliated attackers do not engage in direct data destruction as part of a dual extortion scheme or to pressure the victim into paying the ransom demand,” West said. “Data destruction represents an additional risk for targeted organizations.”
Halcyon would not name the victims and instead urged AWS customers to restrict the use of SSE-C.
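As an added illustration of that advice (example code written for this article, not Halcyon's or AWS's own tooling), the snippet below does two defender-side things: it builds a bucket policy that refuses uploads carrying an SSE-C header, and it triages CloudTrail S3 records for the two signals the attack leaves behind, SSE-C writes and lifecycle rules that expire objects within days, flagging any access key that does both. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the documented one for SSE-C; the CloudTrail field names (`requestParameters`, `additionalEventData.SSEApplied`, the lifecycle `Rule`/`Expiration` layout) follow the S3 data-event format as I know it but should be checked against your own logs, and the sample events and access key IDs are constructed.

```python
"""Defender-side helpers for the S3 SSE-C ransomware pattern.

Constructed example, not Halcyon's or AWS's code. Assumptions: CloudTrail S3
data events carry the SSE-C request header under requestParameters and/or
report additionalEventData.SSEApplied == "SSE_C"; lifecycle changes arrive as
PutBucketLifecycle / PutBucketLifecycleConfiguration with the rule body in
requestParameters.LifecycleConfiguration.
"""
from typing import Optional

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
SHORT_EXPIRY_DAYS = 7  # the article reports deletion scheduled within a week


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy that denies any PutObject request carrying an SSE-C header.

    "Null": "false" means "the condition key IS present", so the statement only
    bites when a caller supplies a customer key. Do not apply it to buckets that
    legitimately rely on SSE-C.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {f"s3:{SSEC_HEADER}": "false"}},
        }],
    }


def is_ssec_write(event: dict) -> bool:
    """True for an S3 PutObject that used customer-provided encryption keys."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutObject":
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def lifecycle_expiry_days(event: dict) -> Optional[int]:
    """Shortest Expiration.Days across the rules of a lifecycle change, or None."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    config = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = config.get("Rule") or []
    if isinstance(rules, dict):  # a single rule is logged as a dict, not a list
        rules = [rules]
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in (r.get("Expiration") or {})]
    return min(days) if days else None


def triage(events: list) -> dict:
    """Separate SSE-C writes from short-expiry lifecycle changes and correlate
    them on the access key that made the call."""
    ssec_writes, lifecycle_changes = [], []
    for ev in events:
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "<unknown>")
        params = ev.get("requestParameters") or {}
        if is_ssec_write(ev):
            ssec_writes.append((key_id, params.get("bucketName"), params.get("key")))
            continue
        days = lifecycle_expiry_days(ev)
        if days is not None and days <= SHORT_EXPIRY_DAYS:
            lifecycle_changes.append((key_id, params.get("bucketName"), days))
    both = {k for k, _, _ in ssec_writes} & {k for k, _, _ in lifecycle_changes}
    return {"ssec_writes": ssec_writes,
            "lifecycle_changes": lifecycle_changes,
            "keys_doing_both": sorted(both)}


# Constructed sample CloudTrail records; the access key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-01.sql",
                           SSEC_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "prod-backups",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"bucketName": "prod-backups", "key": "logs/app.log",
                           "x-amz-server-side-encryption": "aws:kms"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(deny_ssec_policy("prod-backups"), indent=2))
    print(triage(SAMPLE_EVENTS))
```

The correlation is the useful part: a single SSE-C upload may be legitimate, and a lifecycle rule on its own is routine housekeeping, but one access key doing both against the same bucket in a short window matches the sequence described above and is worth paging on. S3 server access logs and CloudTrail data events for the bucket must already be enabled for this to see anything.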
Amazon, for its part, told The Register that it does what it can whenever it detects exposed keys, and urged its customers to follow cybersecurity best practices.