New Codefinger Ransomware Targets AWS to Encrypt S3 Buckets

The Halcyon RISE Team has detected a concerning new ransomware campaign known as Codefinger, aimed at Amazon S3 buckets. This sophisticated attack takes advantage of Amazon Web Services (AWS) Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock user data, demanding ransom payments for the symmetric AES-256 keys necessary for decryption.

By employing one of AWS’s own built-in security features, this campaign marks a notable escalation in attack methodology: it turns what should be a robust defense into a tool for extortion. Unlike conventional ransomware that encrypts files locally, Codefinger operates directly in the cloud environment, relying on SSE-C’s inherent protections to make data effectively inaccessible without the attacker’s decryption keys.

The Halcyon investigation reveals that the threat actor behind this campaign, referred to as Codefinger, initiates the attack by first obtaining AWS credentials. This can occur through methods such as social engineering, phishing, or exploiting weaknesses in other components of the target’s infrastructure. Once Codefinger secures these credentials, they gain access to the compromised S3 buckets and begin the encryption process, utilizing a self-generated AES-256 key through SSE-C.

It is crucial to emphasize that this attack does not hinge on exploiting vulnerabilities within AWS itself. Instead, it fundamentally relies on the attacker’s ability to acquire a customer’s AWS account credentials. With no way to recover the data short of paying the ransom, this operation underscores a worrying advancement in ransomware tactics.

A key feature of this attack is that AWS retains only an HMAC (Hash-based Message Authentication Code) of the customer-provided encryption key and does not store the key itself. That HMAC lets S3 check that the key presented on a later request matches the one used at upload time, but it cannot be used to reconstruct the key, so it offers victims no path to recovering their data unless they comply with the ransom demands.

Additionally, Codefinger intensifies the pressure on victims with a rapid file deletion schedule, designating files for automatic deletion within seven days following encryption. This tactic creates urgency, increasing the likelihood that victims will concede to the ransom. The attackers typically leave a ransom note within the affected S3 buckets, detailing the payment instructions in Bitcoin and providing each victim with a unique client ID.

The implications of this ransomware campaign are significant, as it demonstrates how attackers can weaponize a core security service of AWS. By manipulating a trusted mechanism, they not only block data recovery but also complicate forensic investigations and overall recovery efforts. Should this method prove successful, it could inspire other malicious actors to abuse similar mechanisms in other cloud services, leading to a potential increase in these types of attacks.

Organizations are urged to adopt a multilayered approach to security to mitigate risks associated with cloud attacks. It is essential to enforce strict access controls, adhere to least privilege principles, and regularly rotate AWS keys. Strong Identity and Access Management (IAM) policies should restrict SSE-C usage to only authorized personnel and well-defined use cases. Furthermore, consistent monitoring of AWS CloudTrail logs for unusual activities, such as bulk encryption operations or abnormal access patterns, is vital for early identification and response to such threats.
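The CloudTrail monitoring and SSE-C restriction recommended above can be turned into concrete detection and policy logic. The following Python is an added example written for this article, not code from Halcyon or AWS. It runs over a handful of constructed CloudTrail-style records (the bucket name, account ID and principal ARNs are invented; the nested `LifecycleConfiguration` layout in the `PutBucketLifecycle` record is a simplified assumption). It flags a burst of SSE-C object writes by a single principal, flags a lifecycle rule that expires objects within seven days (the deletion pressure described earlier is assumed here to be implemented with an S3 lifecycle rule), and builds a bucket policy that denies SSE-C writes using the documented `s3:x-amz-server-side-encryption-customer-algorithm` condition key. Note that `PutObject`/`CopyObject` only appear in CloudTrail when S3 data events are enabled for the bucket.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style S3 records (not real logs). Top-level field
# names follow the CloudTrail schema; the LifecycleConfiguration layout below
# is a simplified assumption for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:00:%02dZ" % s, "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"},
     "requestParameters": {"bucketName": "victim-bucket", "key": "data/file%d" % s},
     "additionalEventData": {"SSEApplied": "SSE_C"}}
    for s in range(6)
] + [
    {"eventTime": "2025-01-10T09:05:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": {"bucketName": "victim-bucket", "key": "data/report.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},  # legitimate KMS write
    {"eventTime": "2025-01-10T09:06:00Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"},
     "requestParameters": {"bucketName": "victim-bucket",
                           "LifecycleConfiguration": {"Rule": [
                               {"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_sse_c_write(event):
    """True for object writes where S3 reports that SSE-C was applied."""
    return (event.get("eventName") in ("PutObject", "CopyObject")
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")


def find_sse_c_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one principal writes >= threshold SSE-C objects to one bucket
    inside any sliding window of the given length."""
    by_key = defaultdict(list)
    for e in events:
        if is_sse_c_write(e):
            key = (e["userIdentity"]["arn"], e["requestParameters"]["bucketName"])
            by_key[key].append(parse_time(e["eventTime"]))
    alerts = []
    for (arn, bucket), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"principal": arn, "bucket": bucket, "count": peak})
    return alerts


def find_short_expiry_lifecycle(events, max_days=7):
    """Alert on enabled lifecycle rules that expire objects within max_days."""
    alerts = []
    for e in events:
        if e.get("eventName") != "PutBucketLifecycle":
            continue
        params = e["requestParameters"]
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may be serialised as a dict
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                alerts.append({"principal": e["userIdentity"]["arn"],
                               "bucket": params["bucketName"],
                               "expiration_days": days})
    return alerts


def sse_c_deny_policy(bucket):
    """Bucket policy denying any object write that supplies a customer key.
    CopyObject is authorised as s3:PutObject on the destination, so this
    single action covers both write paths."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}


if __name__ == "__main__":
    for a in find_sse_c_bursts(SAMPLE_EVENTS) + find_short_expiry_lifecycle(SAMPLE_EVENTS):
        print("ALERT", a)
```

Run against real CloudTrail data, the burst threshold and window should be tuned to the bucket’s normal write rate, and any alert on `PutBucketLifecycle` deserves a look at who changed the rule and whether the affected objects are already encrypted with SSE-C. The deny policy is a preventive control for buckets that never legitimately use customer-provided keys; where SSE-C is required, scope the deny to exclude the specific principals that need it.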

AWS – A Lucrative Target for Cybercriminals

As cybercriminal activities escalate, AWS has emerged as an attractive target, with various threat actors, including well-known groups like ShinyHunters and Nemesis, actively exploiting its infrastructure. This trend is also evident among newer groups, which increasingly seek to gain access to AWS keys through third-party attacks.

In commentary on this trend, a cybersecurity expert noted that unsafe password practices and the absence of two-factor authentication significantly contribute to vulnerabilities leading to ransomware incidents. The expert emphasized that utilizing strong, unique passwords and implementing phishing-resistant two-factor authentication is essential to fortify defenses against such attacks.

Relevant discussions include various dimensions of AWS security, highlighting the need for vigilance against emerging threats that utilize similar tactics for exploitation.
