Cybersecurity researchers have uncovered a new campaign in which a threat actor known as Codefinger encrypts Amazon S3 buckets and demands a ransom in exchange for the decryption key.
While Codefinger has only been attributed to two successful attacks using this method, the researchers are concerned the group could escalate their activity or inspire other ransomware groups to begin using similar tactics.
Codefinger leveraged compromised AWS credentials to locate victim keys with specific privileges. This allowed the threat actor to encrypt objects in S3 buckets through AWS’s own Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
Codefinger then generated an encryption key known only to them and used it to encrypt the target's data. Because AWS does not store customer-provided encryption keys, the data cannot be recovered without the key Codefinger generated.
To add insult to injury, Codefinger then used AWS’s S3 Object Lifecycle Management API to set a seven-day file deletion countdown and warned the victim not to change permissions or modify files in the encrypted S3 bucket, or the group would cease negotiations.
Victims are also provided with a ransom note that includes the Bitcoin address to which victims can send payment in exchange for the decryption key.
Source: Bleeping Computer
Analysis
As more and more organizations move their infrastructure to cloud services such as AWS, it’s no surprise that threat actors like Codefinger have evolved their tactics to take advantage of this trend.
Codefinger’s campaign is simple but effective, focusing on exploiting Amazon AWS's legitimate features—specifically, S3 bucket encryption—to lock victims out of their own cloud-stored data. This means the group doesn’t have to deploy ransomware at all; it only has to gain access to the S3 account in the first place, which makes the overall attack significantly easier.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats targeting cloud infrastructure. Field Effect MDR users are automatically notified if suspicious connections are made to their cloud accounts and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
The best way to keep cloud accounts secure from malicious activities is to keep threat actors from accessing them in the first place. Field Effect strongly recommends organizations adopt dark web monitoring, which is included as part of Field Effect MDR, to proactively uncover leaked credentials and personal information before threat actors can use them to facilitate access to their network.
Additionally, we suggest that AWS users restrict the use of SSE-C on their S3 buckets, disable unused keys, rotate frequently used keys, and ensure account permissions are configured at the lowest level possible.
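The SSE-C restriction in that last recommendation can be enforced directly in a bucket policy. The following is an added example written for this article, not Field Effect's or AWS's own code: the first statement denies any object write that supplies a customer-provided key (the request header that the `s3:x-amz-server-side-encryption-customer-algorithm` condition key inspects), and the second, prompted by the seven-day lifecycle countdown described above, allows only one named role to change lifecycle rules. `EXAMPLE-BUCKET`, the account id `111122223333` and the role name `S3LifecycleAdmin` are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectWritesThatSupplyCustomerProvidedKeys",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    },
    {
      "Sid": "OnlyLifecycleAdminRoleMayChangeLifecycleRules",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutLifecycleConfiguration",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/S3LifecycleAdmin"
        }
      }
    }
  ]
}
```

The `Null: false` condition fires whenever the customer-key header is present, so the first statement also blocks a CopyObject that would re-encrypt an existing object in place, since that operation requires `s3:PutObject` on the destination. A bucket-policy Deny applies to the account's own principals as well, so any legitimate SSE-C workflow must be carved out explicitly before this policy is applied.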