- Attackers access storage buckets with exposed AWS keys
- The files are then encrypted with SSE-C and scheduled for deletion after a week.
- Halcyon says it observed at least two victims attacked in this way
Cybercriminals have begun abusing a legitimate AWS S3 feature to encrypt victims' data, a novel twist on the familiar ransomware attack.
Halcyon researchers recently observed several victims, all AWS-native software developers, attacked in this way. In the attack, the group, called Codefinger, accessed its victims' cloud storage buckets using publicly exposed or otherwise compromised AWS keys that carried read and write permissions.
After gaining access to the buckets, the attackers used AWS server-side encryption with customer-provided keys (SSE-C) to lock the files. With SSE-C, S3 encrypts each object with a key the caller supplies in the request and retains only a salted HMAC of that key to validate later requests, so neither AWS nor the victim can decrypt the objects without the attacker's key.
Mark files for deletion
But that is not where Codefinger's creativity ends. The group does not threaten to leak the files. Instead, it marks every encrypted object for deletion within one week, again using native AWS S3 functionality: an S3 object lifecycle rule that expires the objects after seven days.
Speaking to The Register, Halcyon RISE team vice president of services Tim West said this was the first time someone had abused AWS's native secure encryption infrastructure via SSE-C.
“Historically, AWS Identity IAM keys have been leaked and used for data theft, but if this approach achieves widespread adoption, it could pose a significant systemic risk to organizations that rely on AWS S3 for critical data storage,” he told the publication.
“This is unique in that most ransomware operators and affiliated attackers are not directly involved in destroying data as part of a double extortion scheme or to pressure the victim into paying the ransom demand,” West said. “Data destruction represents additional risk to targeted organizations.”
Halcyon declined to name the victims and instead urged AWS customers to restrict their use of SSE-C, denying it through IAM or bucket policy wherever a workload does not genuinely need customer-provided keys.
Amazon, for its part, told The Register that it does what it can whenever it detects exposed keys and urged customers to follow cybersecurity best practices.
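The two fingerprints of the attack described above (objects rewritten with SSE-C, followed by a short-lived lifecycle expiration rule) and the SSE-C restriction Halcyon recommends can both be expressed in code. The following is an added illustration, not Halcyon's or AWS's own code: it builds a bucket policy that denies any write specifying a customer-provided key, using the documented S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`, and scans CloudTrail S3 data events for the attack pattern. The CloudTrail records are constructed samples; the field layout assumed here (`additionalEventData.SSEApplied == "SSE_C"`, `requestParameters.LifecycleConfiguration.Rule`) follows AWS's published event format but should be verified against your own logs before the logic is deployed.

```python
"""Block and detect the SSE-C ransomware pattern (added example, not from the article).

Assumptions, labelled in the comments below:
  - the IAM condition key s3:x-amz-server-side-encryption-customer-algorithm is
    present on PutObject/CopyObject requests that carry SSE-C headers;
  - CloudTrail S3 data events record SSE-C writes as SSEApplied == "SSE_C" and
    PutBucketLifecycle calls carry the rule set under requestParameters.
"""
from __future__ import annotations

MAX_EXPIRY_DAYS = 7  # Codefinger's observed deletion window was one week

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that supplies a customer key.

    The "Null": "false" test is true when the condition key is PRESENT, i.e. the
    request includes x-amz-server-side-encryption-customer-algorithm. CopyObject
    is authorised as s3:PutObject on the destination, so it is covered too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }

def flag_suspicious_events(events: list[dict]) -> list[dict]:
    """Return findings for SSE-C writes and short lifecycle expirations."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        req = ev.get("requestParameters") or {}
        extra = ev.get("additionalEventData") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        bucket = req.get("bucketName", "unknown")
        # Fingerprint 1: an object rewritten with a customer-provided key.
        if name in ("PutObject", "CopyObject") and extra.get("SSEApplied") == "SSE_C":
            findings.append({"reason": "sse_c_write", "actor": actor,
                             "bucket": bucket, "key": req.get("key")})
        # Fingerprint 2: a lifecycle rule that expires objects within days.
        elif name == "PutBucketLifecycle":
            rules = (req.get("LifecycleConfiguration") or {}).get("Rule") or []
            if isinstance(rules, dict):  # a single rule is logged as a dict
                rules = [rules]
            for rule in rules:
                days = (rule.get("Expiration") or {}).get("Days")
                if days is not None and int(days) <= MAX_EXPIRY_DAYS:
                    findings.append({"reason": "short_expiry", "actor": actor,
                                     "bucket": bucket, "days": int(days)})
    return findings

# Constructed sample CloudTrail records (not real logs): one benign KMS write,
# one SSE-C rewrite, and a seven-day expiration rule, from a CI deploy user.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "prod-artifacts", "key": "build.tgz"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "prod-artifacts", "key": "customers.db"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "prod-artifacts",
                           "LifecycleConfiguration": {
                               "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
]

if __name__ == "__main__":
    for f in flag_suspicious_events(SAMPLE_EVENTS):
        print(f)
```

In practice the policy is attached with `put-bucket-policy` only after confirming no legitimate workload uses SSE-C on that bucket, and the scan runs over CloudTrail data events delivered to a log bucket or to CloudWatch; a single SSE-C write from a principal that normally uses SSE-KMS, followed by a lifecycle change, is the sequence worth paging on.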