A new ransomware campaign is exploiting Amazon Web Services (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt S3 buckets. The attackers, known as "Codefinger," utilize encryption keys unknown to the victims. The hackers demand ransoms in exchange for the decryption keys, effectively holding the data hostage. This attack leverages a legitimate AWS feature, making data recovery incredibly difficult without the attacker's keys. The Codefinger crew was first spotted in December, and at least two AWS native software developers were recently targeted.
The attackers gain access to victims' cloud storage using compromised AWS keys with read and write permissions, then encrypt files by setting the "x-amz-server-side-encryption-customer-algorithm" header on their requests and supplying a locally generated AES-256 key. AWS uses the key during encryption but does not store it, so the victim cannot decrypt the data without the attacker-generated key. The encrypted files are also marked for deletion within seven days using the S3 Object Lifecycle Management API, adding pressure on the victims. This tactic represents a significant risk, as it is the first known instance of ransomware using AWS's native encryption infrastructure via SSE-C to lock up victims' data.