The Halcyon RISE Team has discovered a sophisticated ransomware campaign by a threat actor known as "Codefinger." This new attack targets Amazon S3 buckets, utilizing AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock data and demand ransom for the decryption keys.
Attack Mechanism: The campaign leverages AWS’s SSE-C encryption feature, turning it against users by encrypting data directly within the AWS infrastructure. This approach deviates from traditional ransomware methods that typically encrypt files locally.
Initial Access: Attackers gain access through AWS credentials obtained via social engineering, phishing schemes, or exploiting vulnerabilities in the victims’ networks.
Encryption Process: Once inside, Codefinger uses the compromised credentials to access S3 buckets and initiate encryption with a self-generated AES-256 key.
No AWS Exploit: The attack does not exploit any AWS vulnerabilities. Instead, it relies on compromised AWS credentials.
Limited Recovery Options: Since AWS only retains an HMAC of the encryption key for integrity checks, victims have no way to decrypt their data without the attacker's key.
Ransom Strategy: Codefinger pressures victims by setting a seven-day file deletion timeline and leaving ransom notes in affected buckets, demanding Bitcoin payments.
Analysis and Implications
This attack showcases the evolving methods of leveraging native cloud services for malicious intent. By harnessing AWS’s encryption capabilities, attackers can significantly hinder data recovery efforts and forensic investigations. The campaign's success could lead other cybercriminals to adopt similar tactics, raising the overall level of risk.
Mitigation Strategies
Organizations should enhance security by implementing a layered protection approach:
Access Controls: Establish strict access controls and utilize the least privilege principle.
IAM Policies: Enforce strong Identity and Access Management policies to limit SSE-C usage to authorized cases.
Credential Management: Regularly rotate AWS keys and monitor AWS CloudTrail logs for suspicious activities.
Password Practices: Adopt unique passwords and implement phishing-resistant multi-factor authentication.
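As an added example of the CloudTrail monitoring recommended above (not part of the Halcyon report), the script below scans S3 data-event records for object writes that used SSE-C and alerts on any access key that re-encrypted several objects. The sample records are constructed and only mirror the CloudTrail field names (eventName, additionalEventData.SSEApplied, requestParameters.key); the threshold of three writes is an assumed tuning value.

```python
"""Flag S3 object writes that applied SSE-C in CloudTrail S3 data events.
Added example, not from the Halcyon report; the sample records are constructed
and only mirror the field names CloudTrail uses (eventName, SSEApplied, ...)."""
from collections import defaultdict

# Object-write APIs that can (re)encrypt an object with a caller-supplied key.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def is_ssec_write(record: dict) -> bool:
    """True if this record wrote an S3 object with SSE-C (caller-held key)."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") not in WRITE_EVENTS:
        return False
    extra = record.get("additionalEventData") or {}  # absent on some events
    return extra.get("SSEApplied") == "SSE_C"


def ssec_alerts(records, threshold=3):
    """Return {accessKeyId: sorted object keys} for callers with at least
    `threshold` SSE-C writes. Bulk re-encryption of a bucket looks like this;
    a single legitimate SSE-C upload stays below the rule."""
    by_key = defaultdict(set)
    for r in records:
        if is_ssec_write(r):
            caller = r.get("userIdentity", {}).get("accessKeyId", "unknown")
            by_key[caller].add(r["requestParameters"]["key"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= threshold}


def _rec(name, key, sse, access_key):
    """Build a constructed CloudTrail S3 data-event record (shape only)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": access_key},
            "requestParameters": {"bucketName": "example-bucket", "key": key},
            "additionalEventData": {"SSEApplied": sse}}


# Constructed sample: a benign SSE-KMS upload and read, then one access key
# re-encrypting several objects in place with SSE-C and dropping a note.
SAMPLE_RECORDS = [
    _rec("PutObject", "reports/q4.pdf", "SSE_KMS", "AKIAEXAMPLEBENIGN"),
    _rec("GetObject", "reports/q4.pdf", "SSE_KMS", "AKIAEXAMPLEBENIGN"),
    _rec("CopyObject", "reports/q4.pdf", "SSE_C", "AKIAEXAMPLESUSPECT"),
    _rec("CopyObject", "reports/q3.pdf", "SSE_C", "AKIAEXAMPLESUSPECT"),
    _rec("CopyObject", "db/backup.sql", "SSE_C", "AKIAEXAMPLESUSPECT"),
    _rec("PutObject", "warning.txt", "SSE_C", "AKIAEXAMPLESUSPECT"),
]
```

Calling `ssec_alerts(SAMPLE_RECORDS)` reports only the suspect access key with the four object keys it rewrote; the benign SSE-KMS upload and the GetObject are ignored.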
AWS environments have become prime targets for cybercrime, as seen with groups like ShinyHunters exploiting AWS credentials. Weak password practices and lack of two-factor authentication contribute significantly to such attacks. Ensuring strong, unique passwords and integrating robust 2FA measures are critical in preventing ransomware incidents. This incident emphasizes the importance of cybersecurity awareness and advanced threat detection tools to guard against innovative cyber-attacks.