Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

2025-01-28

It is always helpful to identify novel techniques used by ransomware groups. In this case, the technique abuses a native feature of Amazon Web Services (AWS). Halcyon’s Rise Labs recently published the report “Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C” – https://lnkd.in/grBeQjej. They discovered a troubling new ransomware campaign aimed at Amazon S3 buckets. The attack uses AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt the victim’s data and then demands a ransom for the symmetric AES-256 keys required to decrypt it. Alon Gal of Hudson Rock also wrote about it in “Infostealer Logs to Fuel a New Wave of AWS Ransomware Attacks” – https://lnkd.in/g-h8b3Hq.

High-Level Takeaways from Halcyon

1. Native Resource Abuse: A threat actor dubbed Codefinger uses compromised AWS keys to encrypt S3 bucket data via SSE-C, leveraging AWS’s secure encryption infrastructure to prevent recovery without their generated key.

2. Irrecoverable Data Loss: Because the key is supplied by the client and never stored by AWS, CloudTrail records only an HMAC of the encryption key, which is insufficient for recovering the data or for forensic analysis.

3. Urgent Ransom Tactics: To pressure victims, files are marked for deletion within seven days, and ransom notes provide payment details and warnings against altering account permissions.

What Undercode Says

The rise of ransomware attacks targeting cloud infrastructure, particularly AWS S3 buckets, underscores the importance of robust security practices. Here are some key takeaways and actionable steps to mitigate such threats:

1. Monitor AWS Keys: Regularly audit and monitor AWS access keys. Use tools like `aws iam list-access-keys` to review active keys and `aws iam delete-access-key` to remove compromised ones.

2. Enable MFA: Ensure Multi-Factor Authentication (MFA) is enabled for all IAM users. Use `aws iam enable-mfa-device` to enforce this.

3. CloudTrail Logging: Activate AWS CloudTrail to log all API calls. Use `aws cloudtrail create-trail` to set up logging and monitor for unusual activities.

4. Bucket Policies: Implement strict bucket policies to restrict access. Use `aws s3api put-bucket-policy` to apply policies that limit permissions.

5. Encryption Management: Avoid using SSE-C for sensitive data. Instead, use SSE-S3 or SSE-KMS for better key management. Use `aws s3api put-bucket-encryption` to configure encryption settings.

6. Backup Strategies: Regularly back up S3 data to another secure location. Use `aws s3 sync` to automate backups.

7. Incident Response: Develop an incident response plan. Use tools like `aws s3api list-objects` to identify affected objects and `aws s3api restore-object` to recover from backups.

8. Security Audits: Conduct regular security audits using `aws securityhub get-findings` to identify vulnerabilities.

9. Network Security: Use VPC endpoints to securely access S3 buckets. Configure with `aws ec2 create-vpc-endpoint`.

10. User Training: Educate users on phishing and social engineering tactics to prevent credential theft.
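Two of the steps above (bucket policies and encryption management) can be combined into a concrete control: deny any object write that carries an SSE-C header, and alert on any SSE-C write that CloudTrail records. The following is an added example, not code from the original post or from Halcyon; it assumes S3 object-level (data) events are enabled on the trail, since they are not logged by default, and the bucket name, account ID and sample records are constructed. `s3:x-amz-server-side-encryption-customer-algorithm` is the documented S3 condition key for SSE-C; the `additionalEventData.SSEApplied` field name reflects the CloudTrail data-event shape as understood here.

```python
import json

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"  # documented S3 condition key

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject (CopyObject is authorized as PutObject on the
    destination) whose request carries an SSE-C header. Null=false means 'header present'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",  # placeholder bucket name
            "Condition": {"Null": {SSE_C_KEY: "false"}},
        }],
    }

def find_sse_c_events(records: list) -> list:
    """Return (time, event, principal ARN, bucket, key) for every S3 data event
    in which an object was written with a customer-provided key."""
    hits = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        applied = (rec.get("additionalEventData") or {}).get("SSEApplied")
        if applied == "SSE_C" or "x-amz-server-side-encryption-customer-algorithm" in params:
            hits.append((rec["eventTime"], rec["eventName"], rec["userIdentity"].get("arn"),
                         params.get("bucketName"), params.get("key")))
    return hits

# Constructed sample records shaped like CloudTrail S3 data events: one benign
# SSE-S3 upload, one CopyObject that re-encrypts the same key with SSE-C.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-28T10:00:01Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-writer"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventTime": "2025-01-28T10:02:17Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
    for hit in find_sse_c_events(SAMPLE_EVENTS):
        print("SSE-C write detected:", hit)
```

The policy output can be applied with `aws s3api put-bucket-policy`; note that a Deny on `s3:PutObject` also stops legitimate SSE-C workloads, so confirm none exist first.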

For further reading, refer to the AWS Security Best Practices guide: https://aws.amazon.com/security/security-best-practices/.

By implementing these measures, organizations can significantly reduce the risk of falling victim to ransomware attacks targeting AWS S3 buckets. Stay vigilant and proactive in your cloud security practices.
