AWS S3 feature exploited by ransomware hackers to encrypt storage buckets

Attackers access storage buckets with exposed AWS keys
The files are then encrypted and scheduled for deletion after a week
Halycon says it observed at least two victims being attacked this way

Cybercriminals have started exploiting legitimate AWS S3 features to encrypt victim buckets in a unique twist to the old ransomware attack.

Researchers from Halycon recently observed multiple victims, all AWS native software developers, being attacked this way. In the attack, the group, dubbed Codefinger, accessed their victims’ cloud storage buckets through publicly exposed, or otherwise compromised, AWS keys with read and write permissions.

After accessing the buckets, they would use AWS server-side encryption with customer provided keys (SSE-C) to lock down the files.

Marking files for deletion

But that’s not where creativity ends with Codefinger. The group does not threaten to release the files to the public, or delete it. Instead, it marks all the encrypted files for deletion within a week, also using AWS S3 native features.

Speaking to The Register, VP of services with the Halcyon RISE Team, Tim West, said this was the first time someone’s abused AWS native secure encryption infrastructure via SSE-C.

“Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data,” he told the publication.

“This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand,” West said. “Data destruction represents an additional risk to targeted organizations.”

Halcyon did not want to name the victims, and instead urged AWS customers to restrict the use of SSE-C.

Amazon, on the other hand, told The Register it does what it can, whenever it spots exposed keys, and urged customers to follow best practices when it comes to cybersecurity.

https://cdn.mos.cms.futurecdn.net/wEXMiPzVwyFScr9dUD6V9B-1200-80.jpg

Source link

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Forget OLED? LG is going all in on QNED TV tech for 2025, and it’s dropping quantum dots

Two reasons why it’s a good idea to reserve a Samsung Galaxy S25 today

A flaw in Google OAuth system is exposing millions of users via abandoned accounts

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

AWS S3 feature exploited by ransomware hackers to encrypt storage buckets

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Forget OLED? LG is going all in on QNED TV tech for 2025, and it’s dropping quantum dots

Two reasons why it’s a good idea to reserve a Samsung Galaxy S25 today

A flaw in Google OAuth system is exposing millions of users via abandoned accounts

Leave a reply Cancel reply