Ransomware Group ‘Codefinger’ Targets Cloud-Based Resources
A ransomware campaign has been identified targeting Amazon S3 buckets, aiming to hold the sensitive data stored in them hostage. The attackers use AWS's own server-side encryption with customer-provided keys to encrypt the objects, then demand a ransom for the decryption key needed to regain access to the compromised data.
The threat group, referred to as Codefinger by researchers from Halcyon RISE, does not exploit inherent vulnerabilities within AWS infrastructure. Instead, it capitalizes on compromised AWS account credentials that are either leaked or publicly exposed.
Using these credentials, the attackers encrypt S3 bucket data via server-side encryption with customer-provided keys (SSE-C), a feature in which the client supplies the encryption key with each request and AWS does not retain the key itself. As a result, once the data is encrypted, nothing on the AWS side can decrypt it; recovery is only possible if victims pay the ransom to obtain the key from the threat actor.
According to Halcyon's findings, this operation has already affected at least two organizations, raising concerns over possible copycat attacks in the future. The researchers noted that the encrypted files are scheduled for deletion within seven days, increasing the urgency for victims to meet the attackers' demands.
Codefinger relies on AWS-native features to carry out the attack. The process starts by identifying AWS keys that have permission to read and write S3 objects. The attackers then encrypt the objects using a locally generated AES-256 key. Standard AWS logging retains only a hash of that key, which cannot be reversed to recover the key itself, complicating any potential recovery efforts. The attackers also set S3 lifecycle policies on the affected buckets, adding pressure by enforcing a deletion timeline.
The limited logging features of AWS CloudTrail add another layer of complexity to forensic investigations, making it harder for victims to analyze the attack or trace the unauthorized activity back to its source.
To counter such threats, Halcyon emphasizes the importance of implementing rigorous security controls. Organizations are encouraged to restrict the use of SSE-C through Identity and Access Management (IAM) policies, routinely audit and rotate AWS credentials, and use detailed logging to detect anomalous activity quickly.
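The two defensive measures above (restricting SSE-C through policy, and logging that catches the SSE-C writes and lifecycle changes described in the attack walkthrough) can be illustrated together. The following is an added example, not code from Halcyon or AWS: it scans CloudTrail records for the two signals of this campaign and emits a bucket-policy statement that refuses uploads carrying a customer-provided key. The sample records are constructed; the header name `x-amz-server-side-encryption-customer-algorithm` under `requestParameters` is how S3 data events record an SSE-C request, and `s3:x-amz-server-side-encryption-customer-algorithm` is the documented S3 condition key, but the exact nesting of the lifecycle `requestParameters` is an assumption, so the lifecycle check walks the structure rather than relying on fixed paths.

```python
"""Added example (not Halcyon's or AWS's code): detect Codefinger-style S3 activity in
CloudTrail records and build the bucket policy that blocks SSE-C uploads."""
import json

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_CONDITION_KEY = "s3:" + SSEC_HEADER   # documented S3 IAM condition key
SHORT_EXPIRY_DAYS = 30                     # anything at or below this is suspicious

# Constructed CloudTrail records for demonstration, not real logs.  The account id,
# ARNs, bucket and key names are placeholders.
SAMPLE_EVENTS = [
    {   # SSE-C upload: the attacker supplies its own AES-256 key with the request
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-user"},
        "requestParameters": {"bucketName": "finance-archive", "key": "q1.xlsx",
                              SSEC_HEADER: "AES256"},
    },
    {   # Normal upload using a KMS-managed key: should not be flagged
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
        "requestParameters": {"bucketName": "finance-archive", "key": "ok.csv",
                              "x-amz-server-side-encryption": "aws:kms"},
    },
    {   # Lifecycle rule that deletes objects after seven days (assumed nesting)
        "eventName": "PutBucketLifecycle",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-user"},
        "requestParameters": {
            "bucketName": "finance-archive",
            "LifecycleConfiguration": {
                "Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]},
        },
    },
]


def find_sse_c_writes(events):
    """Return (actor ARN, bucket, key) for every object write that supplied a customer key."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        params = ev.get("requestParameters") or {}
        if SSEC_HEADER in params:
            hits.append((ev["userIdentity"]["arn"], params.get("bucketName"), params.get("key")))
    return hits


def _expiration_days(node):
    """Collect every Expiration.Days value anywhere inside a lifecycle configuration."""
    found = []
    if isinstance(node, dict):
        for name, value in node.items():
            if name == "Expiration" and isinstance(value, dict) and "Days" in value:
                found.append(int(value["Days"]))
            else:
                found.extend(_expiration_days(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(_expiration_days(item))
    return found


def find_short_lifecycle_rules(events, max_days=SHORT_EXPIRY_DAYS):
    """Return (actor ARN, bucket, shortest expiry) for lifecycle changes with a short deletion window."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        params = ev.get("requestParameters") or {}
        short = [d for d in _expiration_days(params) if d <= max_days]
        if short:
            hits.append((ev["userIdentity"]["arn"], params.get("bucketName"), min(short)))
    return hits


def deny_sse_c_policy(bucket):
    """Bucket policy that denies any PutObject carrying an SSE-C header.

    "Null": "false" means 'the condition key is present in the request', so the
    statement only fires when a customer-provided key is supplied.  CopyObject is
    covered too, because it needs s3:PutObject on the destination."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }


if __name__ == "__main__":
    for actor, bucket, key in find_sse_c_writes(SAMPLE_EVENTS):
        print(f"SSE-C write by {actor} to s3://{bucket}/{key}")
    for actor, bucket, days in find_short_lifecycle_rules(SAMPLE_EVENTS):
        print(f"{actor} set a {days}-day expiration on {bucket}")
    print(json.dumps(deny_sse_c_policy("finance-archive"), indent=2))
```

The detection half only works if S3 data events are actually being delivered to CloudTrail: object-level PutObject and CopyObject records are not part of the default management-event trail, which is one reason the article describes the forensic picture as limited. The policy half is deliberately a Deny with a `Null` condition rather than a Deny on `StringEquals AES256`, so it also blocks any request that supplies the header with an unexpected value.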
AWS recommends that customers make full use of its security features, including IAM roles, IAM Identity Center, and Secrets Manager, to minimize credential exposure and strengthen their overall defenses against this kind of ransomware.