Codefinger ransomware encrypts Amazon S3 buckets
The Codefinger ransomware encrypts data in Amazon S3 buckets. Large numbers of AWS access credentials circulating on the darknet open the door to it.
(Image: created with AI in Bing Designer by heise online / dmk)
A current ransomware campaign is targeting data stored in Amazon S3 buckets. The attackers are using "Server-Side Encryption with Customer-Provided Keys" (SSE-C), i.e. AWS server-side encryption with keys supplied by the customer.
To decrypt the data encrypted with AES-256 keys, the cybercriminals demand a ransom, writes Halcyon in an analysis. What is particularly striking is that the attackers are not abusing any vulnerabilities in AWS, but are using regular Amazon AWS access data. According to the IT researchers, the tactic represents a significant evolution in ransomware capabilities, as there is no known method of recovering the data other than paying the ransom.
Use of existing resources
They also emphasize that the perpetrators abuse native resources for their attack. With compromised AWS keys, they encrypt S3 buckets using SSE-C, which makes recovery impossible without the key the attackers generated. The data loss is irreversible, as AWS CloudTrail only logs an HMAC of the encryption key, which is not sufficient for recovery or forensic analysis. In addition, the cybercriminals build up pressure by marking the files for deletion within seven days. In the ransom notes with the payment details, the perpetrators also warn against changing access permissions.
Kaspersky has searched the darknet in connection with this ransomware campaign and has come across more than 100 unique compromised Amazon AWS account credentials since the beginning of the year. According to the Russian antivirus manufacturer, a large number of different credentials for Amazon's AWS cloud can be found on the darknet: more than 18,000 accounts are linked to the URL "console.aws.amazon.com", over 126,000 to "portal.aws.amazon.com" and more than 245,000 to "signin.aws.amazon.com". The virus researchers add that this information often comes from infostealers or datastealers that collect such data. The most common of these are the Lumma stealer and Redline.
Halcyon recommends restricting the use of SSE-C by means of policies in order to harden organizations' own AWS environments. In addition, organizations should regularly review their AWS keys, for example to ensure that they are configured with only the minimum necessary permissions. Unused keys should be deleted and active keys should be rotated frequently. Enabling extended logging helps to uncover unusual activity, such as mass encryption or changes to lifecycle policies. AWS support can also help to detect potential weaknesses.
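As an added illustration of the "restrict SSE-C by policy" recommendation (not code from Halcyon, AWS or the article), the following Python builds a bucket policy that denies any object upload carrying an SSE-C header and checks it against constructed sample requests. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the real S3 key set on SSE-C requests; the evaluator is an assumed, minimal model of the IAM `Null` operator, not the full policy engine, and the bucket name is constructed.

```python
import fnmatch
import json

# Real S3 condition key that is set when a request carries SSE-C headers.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy: deny every PutObject whose request carries an SSE-C
    header. CopyObject needs s3:PutObject on the destination, so it is
    covered too. 'Null: false' means 'the key IS present in the request'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_KEY: "false"}},
        }],
    }


def _null_condition_holds(condition: dict, request_keys: dict) -> bool:
    """Evaluate only the Null operator (assumption: the one this policy uses)."""
    for key, expect_absent in condition.get("Null", {}).items():
        present = key in request_keys
        if (expect_absent == "true") == present:
            return False  # presence does not match what the statement requires
    return True


def is_denied(policy: dict, action: str, resource: str, request_keys: dict) -> bool:
    """Does any Deny statement of the policy match this request?"""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        if not fnmatch.fnmatch(resource, stmt["Resource"]):
            continue
        if _null_condition_holds(stmt.get("Condition", {}), request_keys):
            return True
    return False


if __name__ == "__main__":
    policy = deny_ssec_policy("example-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_denied(policy, "s3:PutObject", obj, {SSEC_KEY: "AES256"}))  # True
    print(is_denied(policy, "s3:PutObject", obj, {}))                    # False
```

Uploads that use SSE-S3 or SSE-KMS do not carry the SSE-C key, so they remain allowed; only requests that would let an attacker hold the key outside AWS are blocked.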
(dmk)