In a new ransomware campaign dubbed Codefinger, hackers are targeting Amazon S3 cloud storage by exploiting AWS’s built-in SSE-C encryption with client-provided keys. The attackers encrypt stored data and demand a ransom in exchange for the decryption key.
This malicious operation was uncovered by the Halcyon research team, which has confirmed at least two successful attacks. Experts caution that this method could inspire adoption by other cybercriminals.
Amazon S3 offers cloud storage where users can secure data using the SSE-C encryption option. This approach relies on AES-256 encryption keys provided and managed solely by clients, with AWS having no access to these keys. As a result, the responsibility for key security lies entirely with the users.
The Codefinger attackers use compromised AWS credentials that carry the ‘s3:GetObject’ and ‘s3:PutObject’ permissions. With those, they re-encrypt the stored objects under encryption keys they generate themselves, which makes file recovery impossible without their cooperation. Since AWS never holds SSE-C keys, it cannot assist in decryption.
After encrypting the data, the criminals set the affected files to be deleted automatically after seven days and leave ransom notes in the affected directories, demanding payment in Bitcoin. The notes warn that any attempt to alter account settings or tamper with the files may lead the attackers to break off negotiations.
Halcyon has alerted Amazon to this threat. In response, AWS underscored the critical importance of stringent security practices, such as limiting the use of SSE-C, disabling unused keys, regularly rotating encryption keys, and restricting access permissions.
AWS reiterated its shared responsibility model for security and outlined measures clients can adopt to safeguard their accounts. These include using temporary credentials, managing access through IAM Roles, and employing AWS Secrets Manager for secure storage and automatic key rotation.
Halcyon advises organizations to reassess their Amazon S3 access policies and implement additional protective measures to prevent similar incidents.
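The two measures singled out above, limiting the use of SSE-C and reviewing S3 access, can be put into practice with a detection pass over CloudTrail S3 data events plus a bucket policy that refuses SSE-C uploads. The code below is an added illustration, not from Halcyon or AWS; the CloudTrail records are constructed samples, and the `additionalEventData.SSEApplied` field and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are taken from AWS's CloudTrail and S3 documentation as I understand it.

```python
import json
from collections import Counter

# Constructed sample CloudTrail S3 data-event records (not from the article).
# CloudTrail reports the encryption mode applied to a request in
# additionalEventData.SSEApplied (e.g. "Default_SSE_S3", "SSE_KMS", "SSE_C").
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-archive", "key": "reports/q4.pdf"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-archive", "key": "reports/q4.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-archive", "key": "reports/q3.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/analyst"},
     "requestParameters": {"bucketName": "corp-archive", "key": "reports/q4.pdf"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
]

WRITE_EVENTS = {"PutObject", "CopyObject"}

def find_ssec_writes(events):
    """Return (principal_arn, bucket, key) for every object write that used SSE-C.
    Objects being rewritten with customer-provided keys is the behaviour the
    article describes, so these are the records worth alerting on."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        rp = ev.get("requestParameters", {})
        hits.append((ev.get("userIdentity", {}).get("arn", "?"), rp.get("bucketName"), rp.get("key")))
    return hits

def ssec_writes_by_principal(events):
    """Count SSE-C writes per principal; a burst from one identity is the signal."""
    return Counter(arn for arn, _, _ in find_ssec_writes(events))

def deny_ssec_bucket_policy(bucket):
    """Bucket policy denying any PutObject that presents an SSE-C algorithm header.
    'Null: false' matches requests where the header is present with any value."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}

if __name__ == "__main__":
    for arn, bucket, key in find_ssec_writes(SAMPLE_EVENTS):
        print(f"SSE-C write by {arn} to s3://{bucket}/{key}")
    print(json.dumps(deny_ssec_bucket_policy("corp-archive"), indent=2))
```

The deny policy blocks new SSE-C uploads but does nothing for objects already rewritten, so the detection pass is what tells you whether an incident is already under way.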