Large-Scale Ransomware Campaign Targets AWS Users with Stolen Access Keys
A large ransomware campaign has come to light in which attackers use more than 1,200 compromised Amazon Web Services (AWS) access keys to target AWS S3 buckets, a widely used cloud storage service. Researchers from Cybernews reported the campaign, revealing that the attackers encrypt files stored in S3 buckets and leave ransom notes for the affected administrators.
The investigation uncovered a database containing more than 158 million records of AWS secret keys, which narrowed down to 1,229 unique access credentials after duplicates were removed. Although some of these keys were inactive, the keys still allowed the attackers to browse S3 bucket contents and demand a ransom of 0.3 BTC, roughly $25,000.
One of the most concerning aspects of this incident is the method the attackers used. By using AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C), the attackers were able to encrypt data without alerting the data owners. With SSE-C the caller supplies the AES-256 encryption key in the request and S3 does not retain it, so the attackers generated their own strong keys and locked victims out of their own data without triggering typical security alerts or modifying the bucket structure. The result is a "silent compromise": some victims remained unaware that encryption was under way while their accounts appeared to function normally.
Cybersecurity expert Bob Diachenko emphasized the unprecedented nature of this coordinated extortion campaign. Its reliance on stolen access keys rather than intricate hacking techniques raises the threat level significantly, and means that even recently created backups may be at risk if the same credentials can reach them. This highlights an urgent need for robust security measures to protect against such credential exposure.
How the attackers amassed such a large pool of AWS access keys remains speculative. Researchers suggest that the credentials could have leaked from a variety of sources, including public repositories on platforms like GitHub, vulnerabilities in continuous integration and delivery (CI/CD) tools such as Jenkins, misconfigured web application settings, or recent data breaches affecting developer tools or password management solutions.
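Public repositories are the classic leak path for long-term AWS keys, and the usual defence is to scan commits and config files before they are pushed. The following scanner is an added example written for this article, not code from Cybernews or AWS: it looks for AWS access key IDs (20 characters beginning with "AKIA" for long-term keys or "ASIA" for temporary STS keys) and for a 40-character secret near an "aws ... secret" label, reporting each hit with a masked value so the report itself does not re-leak the credential. The sample files are constructed here; the key and secret in them are the placeholder values AWS uses in its own documentation, not real credentials.

```python
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term IAM keys, ASIA for temporary STS keys) plus 16 upper-case
# alphanumerics.  Secret access keys are 40 characters from the base64
# alphabet.  These patterns are the ones commonly used by secret scanners.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?(?:secret|sk).{0,20}?[=:\"'\s]+([A-Za-z0-9/+=]{40})\b"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so a report can be
    shared without re-exposing the secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per access key ID or secret key found in text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "access_key_id", "value": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "secret_access_key", "value": mask(m.group(1))})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of file name -> contents (e.g. the staged files of a
    commit) and return all findings; an empty list means the commit is clean."""
    findings: List[Dict[str, object]] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample "repository": one leaky config file and one clean file.
# The credential values are the documentation placeholders published by AWS.
SAMPLE_FILES = {
    "config/aws.ini": (
        "[default]\n"
        "region = us-east-1\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Set AWS_PROFILE before running the deploy script.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

Wired into a pre-commit hook, a non-empty result from scan_files should block the commit; wired into a periodic job over existing repositories, each finding should be followed by key rotation, since a key that has been committed once must be treated as exposed even if the commit is later rewritten.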
The identity of the attackers is currently unknown, and the evidence suggests that the operation is largely automated. Each affected S3 bucket contains a unique ransom note named "warning.txt" that gives the victim a specific Bitcoin address for payment and a contact email.
Cybernews has notified AWS of the incident and requested further investigation. In the meantime, security experts recommend that organizations immediately audit and rotate their IAM credentials. Applying AWS's own security controls, routinely scanning for exposed secrets, enforcing short-lived credentials, restricting the use of SSE-C, and logging S3 activity in detail are the essential steps for reducing the risk.
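Three of the recommended controls can be expressed concretely: a bucket policy that refuses any upload carrying SSE-C headers, a detection rule over S3 data events that flags SSE-C use or the creation of the "warning.txt" note, and a credential audit that lists long-lived access keys. The block below is an added example written for this article, not code from Cybernews or AWS. The bucket policy uses the documented IAM condition key s3:x-amz-server-side-encryption-customer-algorithm (a Null/"false" test means "the header is present"); the event records follow the general CloudTrail layout, but the "SSE_C" value of additionalEventData.SSEApplied, the bucket name, the access key IDs and the timestamps are constructed or assumed, so check them against your own logs before deploying.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
RANSOM_NOTE = "warning.txt"  # note file name reported in the article


def deny_sse_c_policy(bucket: str) -> Dict:
    """Bucket policy that denies PutObject when SSE-C headers are present.
    "Null": {key: "false"} is true when the request DOES carry the key,
    so the Deny fires exactly for customer-provided-key uploads."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def suspicious_s3_events(records: List[Dict]) -> List[Dict]:
    """Flag S3 data events that applied SSE-C or wrote a ransom note.
    The "SSE_C" marker in additionalEventData.SSEApplied is an assumption
    about the log format; the other field names are standard CloudTrail."""
    hits = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        params = r.get("requestParameters", {})
        key = params.get("key", "")
        sse = r.get("additionalEventData", {}).get("SSEApplied", "")
        reasons = []
        if r.get("eventName") in ("PutObject", "CopyObject") and sse == "SSE_C":
            reasons.append("sse-c")
        if r.get("eventName") == "PutObject" and key.rsplit("/", 1)[-1] == RANSOM_NOTE:
            reasons.append("ransom-note")
        if reasons:
            hits.append({"time": r.get("eventTime"),
                         "access_key": r.get("userIdentity", {}).get("accessKeyId"),
                         "bucket": params.get("bucketName"), "key": key,
                         "reasons": reasons})
    return hits


def stale_access_keys(keys: List[Dict], max_age_days: int, now: datetime) -> List[str]:
    """Return access key IDs older than max_age_days.  Input shape mirrors the
    AccessKeyMetadata entries returned by IAM's ListAccessKeys."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["CreateDate"] < cutoff]


# Constructed sample data (placeholder key IDs, not real credentials).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T09:12:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "example-bucket", "key": "warning.txt"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
    {"eventTime": "2025-01-10T09:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
]
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "ci", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "CreateDate": NOW - timedelta(days=12)},
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
    for h in suspicious_s3_events(SAMPLE_EVENTS):
        print(h)
    print("rotate:", stale_access_keys(SAMPLE_KEYS, 90, NOW))
```

The detection rule only has data to work on if S3 data events are being recorded; by default CloudTrail logs management events only, so enabling object-level logging for the buckets in question is a prerequisite, and the Deny policy is the control that prevents the encryption in the first place for accounts that do not legitimately use SSE-C.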
This incident illustrates tactics and techniques described in the MITRE ATT&CK framework, particularly initial access through compromised credentials, and the privilege escalation and persistence techniques attackers use to maintain access without detection. As businesses continue to adopt cloud technologies, vigilance and proactive security strategies are paramount in safeguarding sensitive data against evolving cyber threats.