Ethical Hacking News
Ransomware hackers have successfully exploited Amazon Web Services' encryption features to encrypt thousands of sensitive files, forcing victims to pay hefty ransoms to recover their data. The attackers used compromised AWS credentials to encrypt customer data under customer-provided encryption keys that only they hold, rendering the data unrecoverable without their cooperation.
The attack targeted Amazon Web Services (AWS) using its Server-Side Encryption with Customer Provided Keys (SSE-C) feature to encrypt S3 buckets. The attackers used compromised AWS credentials to locate victims' keys and generate an encryption key locally to encrypt their data. The attackers set a seven-day file deletion policy and dropped ransom notes, threatening to delete the victim's files if they didn't pay ransom in Bitcoin. AWS customers are advised to disable unused keys, rotate active ones frequently, and keep account permissions at minimum levels to prevent such attacks.
Amazon Web Services (AWS) has been targeted by a new ransomware campaign that utilizes its Server-Side Encryption with Customer Provided Keys (SSE-C) feature to encrypt S3 buckets. The attack, attributed to the threat actor "Codefinger", has already resulted in at least two victims being encrypted, and experts warn that this tactic could be adopted by other threat actors in the future.
The AWS SSE-C feature allows customers to use their own encryption keys to secure their data at rest, utilizing the AES-256 algorithm. This provides a high level of security, as AWS does not store the encryption key, and it is up to the customer to generate, manage, and secure it. However, this also presents an opportunity for threat actors who obtain a customer's credentials: because AWS never holds the key, anyone who can write to a bucket can encrypt its objects with a key the owner has never seen.
According to Halcyon, a cybersecurity firm that reported the incident, the attackers utilized compromised AWS credentials to locate victims' AWS access keys that carry 's3:GetObject' and 's3:PutObject' privileges, which are sufficient to read and rewrite objects in S3 buckets through SSE-C. The attackers then generated an encryption key locally and used it to re-encrypt the target's data.
The attackers set a seven-day file deletion policy using the S3 Object Lifecycle Management API and dropped ransom notes in all affected directories, instructing the victim to pay a ransom to a given Bitcoin address in exchange for the custom AES-256 key. If the victim attempted to change account permissions or modify files in the bucket, the attackers would unilaterally terminate negotiations, leaving the victim with no way to recover their data.
Amazon has told Halcyon that they promptly notify customers who have had their keys exposed so they can take immediate action. The company also encourages people to implement strict security protocols and follow these steps to quickly resolve unauthorized AWS account activity issues:
* Unused keys should be disabled
* Active ones should be rotated frequently
* Account permissions should be kept at the minimum level required
Halcyon suggests that AWS customers set restrictive policies that prevent the use of SSE-C on their S3 buckets unless it is genuinely needed. This can help mitigate the risk of being targeted by threat actors who exploit weak credential management practices.
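As an added example (not from the article, Halcyon or AWS), the following Python shows the two defensive sides of the technique described above: a bucket policy that denies uploads carrying the SSE-C algorithm header, and a simple check over CloudTrail-style S3 data events for SSE-C writes and short lifecycle expirations. The event records are constructed here; their field names (eventName, additionalEventData.SSEApplied, requestParameters) follow the CloudTrail S3 data-event format as understood by the author of this example.

```python
import json

# Real S3 condition key for the SSE-C algorithm request header.
SSE_C_HEADER = "s3:x-amz-server-side-encryption-customer-algorithm"
MAX_EXPIRATION_DAYS = 30  # assumption: expirations shorter than this are suspicious here

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject whenever the SSE-C header is present.
    In IAM, Null == "false" matches requests where the condition key exists."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_HEADER: "false"}},
        }],
    }

def flag_events(events: list[dict]) -> list[str]:
    """Flag the two signals the article describes: objects written with SSE-C,
    and lifecycle rules that expire objects after only a few days."""
    alerts = []
    for ev in events:
        params = ev.get("requestParameters", {})
        if ev.get("eventName") == "PutObject" and \
                ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            alerts.append(f"SSE-C write: {params['bucketName']}/{params['key']}")
        elif ev.get("eventName") == "PutBucketLifecycle":
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in rules if isinstance(rules, list) else [rules]:
                days = rule.get("Expiration", {}).get("Days")
                if days is not None and days < MAX_EXPIRATION_DAYS:
                    alerts.append(f"short expiration ({days}d) on {params['bucketName']}")
    return alerts

# Constructed sample events: one SSE-C upload, one seven-day expiration rule, one benign write.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "additionalEventData": {"SSEApplied": "SSE_C"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q4.xlsx"}},
    {"eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration": {
         "Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "PutObject", "additionalEventData": {"SSEApplied": "SSE_KMS"},
     "requestParameters": {"bucketName": "example-bucket", "key": "logs/app.log"}},
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
    for line in flag_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The deny statement blocks new SSE-C uploads but does not protect objects already rewritten, so the event check is what surfaces an attack in progress.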
The incident highlights the need for businesses to prioritize data security and implement robust measures to protect their cloud storage. The exploitation of AWS features like SSE-C is a reminder that even the most secure systems can be vulnerable to attack if not managed correctly.
In conclusion, the use of ransomware by threat actors to encrypt S3 buckets using Amazon's Server-Side Encryption with Customer Provided Keys (SSE-C) feature poses a significant risk to businesses and organizations that rely on AWS for their cloud storage needs. It is essential for customers to take proactive steps to secure their data and implement robust security protocols to prevent such attacks in the future.
Related Information:
https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/
Published: Mon Jan 13 10:14:27 2025 by llama3.2 3B Q4_K_M