A new ransomware attack is targeting Amazon S3 buckets. This campaign uses AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to lock data and demands payment for the AES-256 decryption keys. This tactic doesn’t exploit AWS vulnerabilities. Instead, attackers gain access by stealing user credentials. Once data is encrypted, recovery is impossible without paying the ransom.


Key Points

  • Attack Method: A group called “Codefinger” uses stolen AWS keys to encrypt S3 data via SSE-C, making recovery without their key impossible.
  • Data Loss Risk: AWS logs only a hashed version (HMAC) of the encryption key, which can’t be used for decryption or forensic analysis.
  • Time Pressure: Ransom notes warn that files will be deleted in seven days, urging victims to pay quickly.

Anatomy of the Attack

  1. Compromised Keys: Attackers use stolen or publicly leaked AWS keys with permissions to read and write S3 objects.
  2. Encryption Using SSE-C: They encrypt files by sending their AES-256 key through the SSE-C header. AWS processes the key but doesn’t store it. Only a hashed version is logged, which can’t decrypt the data.
  3. Lifecycle Policies for Deletion: Attackers configure S3’s lifecycle settings to mark files for deletion after seven days, increasing the pressure to pay the ransom.
  4. Ransom Note: A ransom note is left in each folder, providing payment instructions and a warning: altering account permissions or files will end negotiations.

Why This Attack Matters

  • Permanent Data Loss: Once encrypted, data can’t be recovered without the attacker’s key.
  • Limited Logs for Investigation: AWS logs only the hashed version of the key, which is useless for recovery or analysis.
  • Potential for Widespread Use: If this method gains popularity, it could become a major threat for organizations using S3 for critical data.

Steps to Mitigate the Risk

To reduce your risk, take these steps:

  1. Restrict SSE-C Usage
    • Update IAM policies to block unauthorized use of SSE-C on S3 buckets.
  2. Audit and Monitor AWS Keys
    • Regularly review key permissions and disable unused ones. Rotate active keys often.
  3. Enable Detailed Logging
    • Use advanced S3 logging to detect unusual activity, such as bulk encryption or policy changes.
  4. Engage AWS Support
    • Work with AWS to assess vulnerabilities and apply security measures tailored to your needs.
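The first and third steps above, as an added example that is not part of the original article: a bucket policy that denies any upload carrying an SSE-C header (using the `s3:x-amz-server-side-encryption-customer-algorithm` condition key with the `Null` operator), and a small hunt over CloudTrail S3 records for SSE-C writes and short-expiry lifecycle rules. The bucket name, the account id, the user names and the records themselves are constructed; the record layout (`SSEApplied` under `additionalEventData`, the `PutBucketLifecycle` event name) is assumed and should be checked against your own CloudTrail output.

```python
# Hypothetical defender-side helpers for the Codefinger SSE-C pattern.
# Policy generation needs nothing beyond the standard library; apply the
# returned document with your usual tooling (console, CLI, IaC).

def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy that rejects PutObject requests carrying an SSE-C header.
    "Null": {key: "false"} matches requests in which the header IS present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }

# Constructed CloudTrail-style records (placeholder account 111122223333).
ACTOR = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},   # normal KMS write, not an alert
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration":
         {"Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

def find_ransomware_indicators(events, max_expiry_days: int = 30) -> list:
    """Return (indicator, actor, detail) tuples for SSE-C object writes and for
    lifecycle rules that expire objects within max_expiry_days (the campaign uses 7)."""
    alerts = []
    for e in events:
        actor = e.get("userIdentity", {}).get("arn", "unknown")
        params = e.get("requestParameters", {})
        sse = e.get("additionalEventData", {}).get("SSEApplied")
        if e.get("eventName") == "PutObject" and sse == "SSE_C":
            alerts.append(("sse_c_write", actor, params.get("key")))
        elif e.get("eventName") in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in (rules if isinstance(rules, list) else [rules]):
                days = rule.get("Expiration", {}).get("Days")
                if days is not None and days <= max_expiry_days:
                    alerts.append(("short_expiry_lifecycle", actor, days))
    return alerts
```

Several SSE-C writes from one principal in a short window, followed by a lifecycle change, is the sequence described in the attack anatomy and is worth paging on rather than just logging.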

AWS Guidance and Best Practices

AWS emphasizes a shared responsibility model for security. They alert customers about exposed keys and provide steps to secure accounts. They recommend using IAM roles, short-term credentials, and AWS Secrets Manager to manage access securely.


For more details, visit:

Takeaway

This ransomware campaign is a wake-up call for organisations relying on S3. By securing AWS keys and applying strict policies, you can reduce your risk. Stay proactive to protect your cloud data from emerging attacks.
