Analysis Summary

A new ransomware campaign by the threat actor "Codefinger" targets Amazon S3 buckets by exploiting AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C). This attack involves using compromised AWS credentials with 's3:GetObject' and 's3:PutObject' privileges to encrypt S3 bucket data using an AES-256 encryption key known only to the attacker. Victims are left unable to recover their data without the decryption key, as AWS does not store customer-provided keys. The attackers further set a seven-day file deletion policy and issue ransom notes demanding payment in Bitcoin, warning victims against altering permissions or files to avoid termination of negotiations.

Amazon S3, a scalable cloud storage service, allows users to secure data at rest through SSE-C. While this feature offers strong security, it places the responsibility of key management solely on customers, creating a vulnerability that Codefinger exploits. By leveraging AWS native services, the attackers execute encryption securely and irreversibly without cooperation.

Amazon has acknowledged the campaign, stating that it promptly notifies customers of exposed keys and takes action, such as applying quarantine policies, to mitigate risks. Halcyon, the cybersecurity firm that discovered the campaign, has advised AWS customers to adopt strict security measures to defend against such attacks. Recommendations include disabling unused keys, rotating active keys frequently, and applying restrictive policies to prevent the use of SSE-C. Customers should also minimize account permissions and implement security best practices, such as using AWS Identity and Access Management (IAM) roles and multifactor authentication (MFA).

AWS emphasizes its shared responsibility model and the importance of robust security practices. It highlights technologies like AWS Security Token Service (STS) for issuing temporary credentials and AWS Secrets Manager for managing non-AWS credentials. AWS also advises customers to avoid storing credentials in source code or configuration files and use IAM roles for secure API requests.

The campaign demonstrates the critical need for organizations to strengthen cloud security protocols, especially for sensitive data stored in S3 buckets. By following best practices and leveraging AWS’s security tools, businesses can reduce their exposure to ransomware attacks like Codefinger’s and enhance overall data protection.

Impact

• Sensitive Information Theft
• Reputational Damage
• Unauthorized Gain Access
• Credentials Leak

Remediation

• Deactivate unused AWS keys to minimize potential unauthorized access.
• Regularly update active keys to reduce the risk of exploitation if compromised.
• Limit the use of SSE-C encryption and implement alternative secure methods where possible.
• Grant users and services the least amount of privilege necessary to perform their tasks.
• Enable multi-factor authentication for all AWS logins to strengthen access control.
• Continuously monitor and review S3 access logs to spot any unusual or suspicious activities.
• Use IAM roles for secure, temporary access instead of relying on hardcoded credentials.
• Regularly audit AWS security policies to ensure compliance with best practices.
• Apply patches and updates without delay to fix known vulnerabilities in AWS services.
• Provide ongoing cloud security training to employees to increase awareness of security risks and countermeasures.