The Register: Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days

Source URL: https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
Source: The Register
Title: Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days

Feedly Summary: ‘Codefinger’ crims on the hunt for compromised keys
A new ransomware crew dubbed Codefinger targets AWS S3 buckets and uses the cloud giant’s own server-side encryption with customer-provided keys (SSE-C) to lock up victims’ data before demanding a ransom payment for the symmetric AES-256 keys required to decrypt it.…

AI Summary and Description: Yes

**Summary:**
The emergence of the ransomware gang Codefinger, which encrypts AWS S3 buckets using customer-provided encryption keys (SSE-C), raises significant concerns about cloud security. The approach is novel in two ways: the data is encrypted with a key that AWS never stores, so the victim cannot recover it, and the attackers add the threat of outright data destruction. This insight is crucial for security professionals managing AWS environments, emphasizing the need for stringent key management and IAM policy adherence.

**Detailed Description:**
The text discusses a new ransomware threat named Codefinger that has recently targeted AWS S3 buckets using sophisticated tactics that leverage the cloud provider’s own server-side encryption capabilities. Key points include:

– **Ransomware Mechanism**:
  – Codefinger encrypts victims’ data with AWS’s SSE-C, which encrypts objects server-side using an AES-256 key supplied by the caller.
  – Attackers gain access through publicly exposed or otherwise compromised AWS keys that let them perform the S3 operations “GetObject” and “PutObject”.

– **First Known Exploitation**:
  – This is the first known instance of AWS’s SSE-C being abused for ransomware in the wild, presenting a new risk vector for organizations using AWS.

– **Systemic Risks**:
  – Compromised AWS IAM keys have historically been used for data theft; this novel attack could instead create widespread systemic risk for organizations that rely heavily on S3 to store sensitive data.

– **Method of Operation**:
  – Codefinger generates a unique AES-256 key; AWS uses it to encrypt the objects but never stores it, so victims cannot decrypt their data on their own.
  – In addition, the affected files are marked for deletion after seven days, raising the stakes and the urgency for victims to pay.

– **Unique Ransom Approach**:
  – Unlike typical ransomware that threatens data exposure, Codefinger signals a willingness to destroy data outright, increasing pressure on victims to meet the ransom demand.
  – Ransom notes left in the affected directories give a Bitcoin payment address and warn victims against altering the account.

– **Preventative Measures**:
  – Security researchers recommend that AWS customers restrict SSE-C with IAM policies so that only authorized principals and applications can apply it.
  – Regular monitoring and auditing of AWS keys is critical, and permissions should follow the principle of least privilege.

– **AWS Response**:
  – AWS acknowledges its role in mitigating the risk from exposed keys and encourages customers to follow its security and compliance best practices, in line with the shared responsibility model.

– **Technical Recommendations**:
  – AWS provides features such as IAM Roles and the Security Token Service (STS) that let applications obtain short-lived credentials instead of embedding long-term keys, reinforcing the need for secure credential-handling practices.
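The two controls the summary recommends, restricting SSE-C through policy and monitoring key activity, can be made concrete. The following is an added example, not code from The Register article or from the researchers it cites; it covers both the Method of Operation section (SSE-C writes plus a lifecycle rule that schedules deletion) and the Preventative Measures section. It builds a bucket-policy statement that denies any PutObject carrying an SSE-C key unless the caller is an approved principal, using the real S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`, and it scans CloudTrail S3 data events for SSE-C writes and lifecycle changes by principals not on an allowlist. Bucket names, account ID and role/user ARNs are placeholders, and the log records are constructed for the example in the shape of CloudTrail records; `SSEApplied` is the field CloudTrail uses on S3 data events to report which server-side encryption was applied.

```python
"""Added example (not from the article): an SSE-C restriction policy and a
CloudTrail scan for the abuse pattern described above."""
import json
from typing import Iterable

# Real S3 condition key; it is present on a request only when the caller
# supplied an SSE-C key (S3 accepts only "AES256" as the algorithm value).
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_unapproved_sse_c_statement(bucket: str, approved_principal_arns: list) -> dict:
    """Bucket-policy statement: deny any PutObject that supplies an SSE-C key
    unless the caller is one of the approved principals.
    "Null": "false" matches requests on which the SSE-C header IS present."""
    return {
        "Sid": "DenyUnapprovedSSEC",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {
            "Null": {SSE_C_CONDITION_KEY: "false"},
            "ArnNotEquals": {"aws:PrincipalArn": approved_principal_arns},
        },
    }


# Both names are seen in CloudTrail for lifecycle configuration changes.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def flag_sse_c_abuse(records: Iterable[dict], approved_principal_arns: set) -> list:
    """Scan CloudTrail records and raise a finding for (a) a PutObject on which
    S3 applied SSE-C and (b) any bucket lifecycle change (the mechanism that
    schedules deletion), whenever the caller is not an approved principal."""
    findings = []
    for rec in records:
        principal = rec.get("userIdentity", {}).get("arn", "")
        if principal in approved_principal_arns:
            continue
        params = rec.get("requestParameters") or {}
        extra = rec.get("additionalEventData") or {}
        name = rec.get("eventName")
        if name == "PutObject" and extra.get("SSEApplied") == "SSE_C":
            findings.append({"type": "sse-c-write", "principal": principal,
                             "bucket": params.get("bucketName"),
                             "key": params.get("key"), "time": rec.get("eventTime")})
        elif name in LIFECYCLE_EVENTS:
            findings.append({"type": "lifecycle-change", "principal": principal,
                             "bucket": params.get("bucketName"),
                             "key": None, "time": rec.get("eventTime")})
    return findings


# Placeholder ARN: the only principal allowed to use SSE-C on this bucket.
APPROVED = {"arn:aws:iam::111122223333:role/backup-writer"}

# Constructed sample records (not real logs), in CloudTrail's record shape.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-10T02:11:04Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-writer"},
     "requestParameters": {"bucketName": "example-data", "key": "backups/db.tar"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T02:15:37Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q4.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T02:16:02Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-uploader"},
     "requestParameters": {"bucketName": "example-data", "key": "uploads/img.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T02:18:49Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-ci-key"},
     "requestParameters": {"bucketName": "example-data"}},
]


def run_example() -> list:
    """Run the scan over the constructed records; returns the two findings
    attributable to the unapproved principal."""
    return flag_sse_c_abuse(SAMPLE_RECORDS, APPROVED)


if __name__ == "__main__":
    print(json.dumps(deny_unapproved_sse_c_statement("example-data", sorted(APPROVED)), indent=2))
    for f in run_example():
        print(f"{f['time']} {f['type']:16} {f['principal']} {f['bucket']}/{f['key'] or ''}")
```

The deny statement only touches the SSE-C write path, so SSE-S3 and SSE-KMS uploads are unaffected, and because an explicit Deny overrides any Allow in IAM evaluation it holds even if a compromised identity carries broad `s3:PutObject` permission. It does not help if the stolen credentials belong to an approved principal, which is why the scan is keyed on the caller rather than on object counts; lifecycle changes are flagged because the seven-day deletion described above is implemented through a bucket lifecycle rule, and an unexpected change to one is a useful early signal regardless of who made it.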

Overall, the incident underscores the importance of stringent security practices within cloud environments, the potential for systemic risks through novel attack vectors, and the imperative for organizations to adopt robust IAM strategies to mitigate exposure to such ransomware threats.