Hackers Exploit Valid Customer Credentials to Re-Encrypt S3 Objects
Amazon Web Services (AWS) is advising its clients to implement enhanced security protocols for their S3 buckets in light of recent ransomware attacks targeting its platform. This call to action follows reports indicating that cybercriminals have successfully re-encrypted data within S3 buckets using valid customer credentials, compromising the integrity of sensitive information.
In an official alert, Amazon detailed how adversaries exploited server-side encryption with customer-provided keys (SSE-C) to manipulate encryption processes without retaining the keys. This allowed attackers to overwrite objects stored in S3 buckets, effectively re-encrypting customer data with newly generated keys without detection.
While AWS has not specified the exact nature of these attacks, it reported a significant number of related operations linked to the S3 file-copying API, CopyObject, which was exploited by malicious actors. This tactic falls under the MITRE ATT&CK framework’s “Initial Access” techniques, specifically the use of valid credentials for unauthorized actions.
The complexity of the situation arises from the challenge of distinguishing between legitimate and malicious usage, given that attackers utilized real customer credentials. As part of its mitigation strategies, AWS is urging its clients to adopt a series of defensive measures, including disabling SSE-C for applications that do not require it, enabling S3 versioning to retain multiple object states, and ensuring critical backups are stored in separate buckets to enhance data recovery capabilities.
These recommendations aim to fortify the security posture of users against similar threats. According to AWS, implementing these strategies has successfully thwarted a considerable percentage of attack attempts, signifying their effectiveness.
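As an added example (not code from the AWS alert or this article), the snippet below shows two of the measures discussed: a bucket policy that denies object writes supplying a customer key (the SSE-C condition key is non-null only when the request carries that header), and a small triage helper that flags SSE-C CopyObject/PutObject calls in CloudTrail S3 data events. The sample events are constructed, and the `SSEApplied` field name is the author's assumption about the CloudTrail data-event format.

```python
import json

# Object writes that valid keys could use to overwrite (re-encrypt) data.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def build_deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that supplies an SSE-C key.
    CopyObject needs s3:PutObject on the destination, so it is covered too."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


def find_ssec_writes(events: list) -> list:
    """Return write events whose server-side encryption was SSE-C, reduced to
    the fields an analyst pivots on (who, from where, which object)."""
    hits = []
    for e in events:
        if e.get("eventName") not in WRITE_EVENTS:
            continue
        if e.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue  # SSE-S3 / SSE-KMS writes are normal traffic
        req = e.get("requestParameters", {})
        hits.append({"time": e["eventTime"], "event": e["eventName"],
                     "actor": e.get("userIdentity", {}).get("arn"),
                     "source_ip": e.get("sourceIPAddress"),
                     "object": f"{req.get('bucketName')}/{req.get('key')}"})
    return hits


# Constructed sample: a benign SSE-KMS upload and an SSE-C in-place copy.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T08:01:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-writer"},
     "sourceIPAddress": "10.0.1.5", "additionalEventData": {"SSEApplied": "SSE_KMS"},
     "requestParameters": {"bucketName": "finance-data", "key": "q4/report.pdf"}},
    {"eventTime": "2025-01-14T08:02:10Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-writer"},
     "sourceIPAddress": "203.0.113.9", "additionalEventData": {"SSEApplied": "SSE_C"},
     "requestParameters": {"bucketName": "finance-data", "key": "q4/ledger.csv",
                           "x-amz-copy-source": "finance-data/q4/ledger.csv"}},
]

if __name__ == "__main__":
    print(json.dumps(build_deny_ssec_policy("finance-data"), indent=2))
    print(find_ssec_writes(SAMPLE_EVENTS))
```

Pair the deny policy with S3 versioning, so that an object overwritten in place still has its previous version available for restore.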
This alert from AWS coincides with findings from cybersecurity firm Halcyon RISE, which recently exposed a ransomware campaign specifically targeting AWS S3 resources. The attackers associated with this breach were noted to have identified AWS access keys with permissions to read and write S3 objects, subsequently using generated AES-256 keys to encrypt data and impose ransom demands.
The nature of this attack poses severe risks, including potential permanent data loss and the compromise of an organization’s broader IT infrastructure. Experts continue to highlight the need for robust security protocols to prevent such breaches, emphasizing the crucial role of awareness in safeguarding vital information assets.