Ethical Hacking News
A ransomware crew dubbed Codefinger is turning AWS's own encryption against AWS customers. Using stolen or publicly exposed AWS access keys, the group re-encrypts objects in victims' S3 buckets with server-side encryption using customer-provided keys (SSE-C), supplying an AES-256 key that only the attackers hold, and then sets S3 Object Lifecycle rules that mark the files for deletion within seven days. Because AWS does not retain SSE-C keys, the data cannot be recovered without paying. Security researchers warn that the approach exposes a systemic risk for organizations that keep critical data in S3.
Halcyon researchers have disclosed a new threat to organizations relying on Amazon Web Services (AWS) for their cloud computing needs. A group of hackers, which Halcyon calls the "Codefinger" crew, has been using AWS's native encryption features against its users: with compromised customer credentials they encrypt data stored in S3 buckets under a customer-provided key (CPK) of their own choosing.
According to Halcyon threat hunters, who first spotted the gang in December, Codefinger has carried out two ransomware attacks against Halcyon's customers in recent weeks. Both victims were AWS-native software developers, which points to a campaign aimed at organizations that build on AWS and keep their critical data in S3.
The attackers use publicly exposed or otherwise compromised AWS access keys that carry "s3:GetObject" and "s3:PutObject" permissions. With those credentials they read the victim's objects and write them back encrypted under AWS's native server-side encryption with customer-provided keys (SSE-C), passing their own AES-256 key in the request headers. S3 performs the encryption on the attackers' behalf but does not keep the key.
The technique does not rely on a vulnerability in AWS; SSE-C behaves exactly as documented, and that is what makes the attack work. With SSE-C the caller supplies the key with every request, S3 uses it to encrypt or decrypt the object and then discards it, retaining only a randomly salted HMAC of the key to validate later requests. The HMAC cannot be reversed into the key. So once an attacker has overwritten an object under a key only they hold, neither the victim nor AWS can decrypt it, and the logs retain nothing that would help recover it.
Furthermore, Codefinger does not stop at encryption: the crew also applies a rule through the S3 Object Lifecycle Management API that marks the encrypted files for deletion within seven days. This is an ordinary, authorized API call, so nothing resembling malware runs in the victim's environment, yet it adds a hard deadline. Victims must pay the ransom demand to recover their data before it is permanently lost.
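Both actions described above leave a trail in CloudTrail, provided S3 data events are enabled for the bucket (management events such as lifecycle changes are logged by default; GetObject and PutObject are not). The script below is an added example, not Halcyon's or AWS's code, that triages constructed CloudTrail-style records and surfaces any access key that both wrote SSE-C objects and set a short expiry, the combination the report describes. The field layout of the sample records, in particular the SSEApplied value "SSE_C" and the shape of the PutBucketLifecycle request parameters, is an assumption to verify against real records from your own account.

```python
"""Triage CloudTrail S3 records for the two actions the report describes:
PutObject calls that applied SSE-C, and lifecycle rules with a short expiry.
Added example (not Halcyon's or AWS's code); the records below are constructed."""
from collections import defaultdict
import json

# Constructed sample records, trimmed to the fields the detector reads.
# Assumptions about CloudTrail's format: additionalEventData.SSEApplied is
# "SSE_C" for customer-provided keys, and PutBucketLifecycle carries the rules
# under requestParameters.LifecycleConfiguration.Rule (a dict or a list).
# Verify both against records from your own account before deploying.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "prod-customer-data",
                           "key": "db/backup-2025-01-09.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C", "bytesTransferredIn": 8421337}},
    {"eventTime": "2025-01-10T03:12:49Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "prod-customer-data",
                           "key": "exports/customers.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C", "bytesTransferredIn": 19022}},
    {"eventTime": "2025-01-10T03:15:02Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "prod-customer-data",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "cleanup", "Status": "Enabled",
                               "Filter": {"Prefix": ""},
                               "Expiration": {"Days": 7}}}}},
    # Benign traffic from a different principal: an SSE-KMS upload and a
    # year-long expiry rule, neither of which should be flagged.
    {"eventTime": "2025-01-10T08:00:11Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
                      "arn": "arn:aws:iam::111122223333:role/app-writer"},
     "sourceIPAddress": "10.0.4.21",
     "requestParameters": {"bucketName": "prod-customer-data", "key": "logs/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS", "bytesTransferredIn": 5120}},
    {"eventTime": "2025-01-10T08:05:40Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
                      "arn": "arn:aws:iam::111122223333:role/app-writer"},
     "sourceIPAddress": "10.0.4.21",
     "requestParameters": {"bucketName": "prod-customer-data",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "archive-logs", "Status": "Enabled",
                                "Filter": {"Prefix": "logs/"},
                                "Expiration": {"Days": 365}}]}}},
]


def lifecycle_rules(event):
    """Normalise the Rule element to a list (a single rule arrives as a dict)."""
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def is_sse_c_put(event):
    """PutObject whose stored object was encrypted with a customer-provided key."""
    return (event.get("eventName") == "PutObject"
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")


def short_expiration_days(event, max_days=7):
    """Smallest Expiration.Days <= max_days among enabled rules, or None."""
    if event.get("eventName") != "PutBucketLifecycle":
        return None
    days = [rule.get("Expiration", {}).get("Days") for rule in lifecycle_rules(event)
            if rule.get("Status") == "Enabled"]
    hits = [d for d in days if isinstance(d, int) and d <= max_days]
    return min(hits) if hits else None


def triage(events, max_days=7):
    """Group findings per access key so encrypt-then-expire from one identity shows up together."""
    findings = defaultdict(lambda: {"sse_c_objects": [], "short_lifecycle_buckets": []})
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "<unknown>")
        params = ev.get("requestParameters", {})
        if is_sse_c_put(ev):
            findings[key]["sse_c_objects"].append(f"s3://{params['bucketName']}/{params['key']}")
        days = short_expiration_days(ev, max_days)
        if days is not None:
            findings[key]["short_lifecycle_buckets"].append((params["bucketName"], days))
    return dict(findings)


def likely_codefinger(findings):
    """Access keys that both wrote SSE-C objects and set a short expiry: the pattern in the report."""
    return sorted(k for k, f in findings.items()
                  if f["sse_c_objects"] and f["short_lifecycle_buckets"])


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for key in likely_codefinger(result):
        print(key, json.dumps(result[key], indent=2))
```

Grouping by access key rather than alerting on each event separately matters here: a single SSE-C upload may be legitimate, but one identity encrypting objects and then shortening their lifetime within minutes is the signature worth paging on. In a real deployment the SAMPLE_EVENTS list would be replaced by records pulled from the CloudTrail S3 delivery bucket or Athena.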
Halcyon threat hunter Tim West stated that "this is unique in that most ransomware operators and affiliate attackers do not engage in straight-up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand. Data destruction represents an additional risk to targeted organizations."
What makes Codefinger's abuse of AWS's native encryption notable is that it needs no malware and no data exfiltration; leaked credentials and two legitimate S3 features are enough. As West warned, "historically AWS Identity IAM keys are leaked and used for data theft, but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data."
In light of this threat, organizations using AWS should act now to harden their S3 buckets. Concretely, that means finding and rotating exposed or unused access keys; denying SSE-C uploads at the bucket or organization level unless a workload genuinely needs them; restricting who may change lifecycle configuration; enabling S3 Versioning, with Object Lock for data that must survive an overwrite; and alerting on SSE-C usage and lifecycle rule changes in CloudTrail, since both appear in the logs as ordinary API calls.
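The two policy controls above can be expressed as explicit Deny statements in a bucket policy. The following is an added example, not AWS's or Halcyon's code; the account ID, bucket name and role name are hypothetical. The condition key s3:x-amz-server-side-encryption-customer-algorithm is populated on every SSE-C request, so a Null condition of "false" (the key is present) denies exactly those uploads and nothing else. The small checker after the policy models only the operators the policy uses, so the reader can confirm which requests each statement catches without touching a live account.

```python
"""Bucket policy that blocks the two API calls the campaign depends on, plus a
small checker for its Deny statements. Added example, not AWS's or Halcyon's
code; the account ID, bucket and role names are hypothetical."""
import json

BUCKET = "prod-customer-data"                                           # hypothetical
LIFECYCLE_ADMIN = "arn:aws:iam::111122223333:role/s3-lifecycle-admin"  # hypothetical

# Every SSE-C request carries the header that populates the condition key
# s3:x-amz-server-side-encryption-customer-algorithm, so `Null: "false"` means
# "the key is present" and the first statement denies exactly SSE-C uploads.
# The second statement pins lifecycle changes to a single administrative role.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenySseCUploads",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {
             "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}},
        {"Sid": "RestrictLifecycleChanges",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:PutLifecycleConfiguration",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": LIFECYCLE_ADMIN}}},
    ],
}


def _condition_matches(condition, context):
    """Evaluate the operators used above with IAM's semantics for them:
    Null tests key presence; the *NotEquals operators match when the key is
    absent or its value differs. Anything else is rejected rather than guessed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if present != (expected == "false"):
                    return False
            elif operator in ("ArnNotEquals", "StringNotEquals"):
                if present and context[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def denied_by(policy, action, resource, context):
    """Sid of the first matching Deny statement, or None. Deliberately narrow:
    exact action match, '/*' treated as a prefix, explicit Deny only (IAM's
    full evaluation also considers Allows, which this does not model)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        res = st["Resource"]
        if res.endswith("/*"):
            if not resource.startswith(res[:-1]):
                continue
        elif resource != res:
            continue
        if _condition_matches(st.get("Condition", {}), context):
            return st["Sid"]
    return None


if __name__ == "__main__":
    # Save the output and apply it with:
    #   aws s3api put-bucket-policy --bucket prod-customer-data --policy file://policy.json
    print(json.dumps(BUCKET_POLICY, indent=2))
```

Denying SSE-C for the whole bucket is the right default when no workload uses it, which is the common case; where one does, scope the statement to that principal instead of dropping it. The same two conditions can be lifted into a service control policy to cover every account in an organization, and neither statement replaces the basics the article points to: rotating leaked keys and keeping versioned, locked copies of data that an overwrite must not be able to destroy.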
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
Published: Mon Jan 13 10:23:16 2025 by llama3.2 3B Q4_K_M