Slashdot: Ransomware Crew Abuses AWS Native Encryption, Sets Data-Destruct Timer for 7 Days

Source URL: https://it.slashdot.org/story/25/01/14/0141238/ransomware-crew-abuses-aws-native-encryption-sets-data-destruct-timer-for-7-days?utm_source=rss1.0mainlinkanon&utm_medium=feed
Source: Slashdot
Title: Ransomware Crew Abuses AWS Native Encryption, Sets Data-Destruct Timer for 7 Days

AI Summary and Description: Yes

Summary: The emergence of the ransomware group Codefinger highlights a novel and dangerous method of attacking AWS S3 buckets: using compromised AWS keys, the group applies AWS’s own SSE-C (Server-Side Encryption with Customer-Provided Keys) to encrypt victim data under keys that only the attacker holds, rendering it inaccessible. The technique represents a significant systemic risk to organizations that rely on AWS for critical data storage and challenges established cloud security practices.

Detailed Description: The text describes the tactics of a new ransomware group known as Codefinger, which specifically targets AWS S3 buckets. The group’s approach showcases a unique exploitation of AWS’s own encryption mechanisms, raising alarms within the cybersecurity community regarding the potential risks to organizations using AWS for cloud storage. Key points include:

– **Exploitation of AWS Keys**: Codefinger utilizes compromised or publicly exposed AWS keys to encrypt victim data, leveraging AWS’s own SSE-C encryption. This technique renders the data unreadable without the attacker-provided AES-256 keys.

– **First Instance of SSE-C Misuse**: As noted by Tim West from the Halcyon RISE Team, this is the first known case where attackers have used AWS’s native encryption infrastructure in such a manner. Previous incidents typically involved IAM keys being leaked for data theft.

– **Data Destruction as a Tactic**: Whereas typical ransomware merely threatens to leak or delete data to force compliance, Codefinger marks the files for deletion within seven days using the S3 Object Lifecycle Management API, which adds a further layer of risk for victims.

– **Ransom Note**: The group leaves a ransom note that includes a Bitcoin address and a client ID, warning victims against making changes to account permissions or files that might jeopardize negotiations.

– **Recommendations for AWS Customers**:
  – Restrict the use of SSE-C through IAM policy conditions so that only authorized principals can apply it.
  – Monitor and regularly audit AWS keys, since they are prime targets for cybercriminals.
  – Review permissions against the principle of least privilege, disable unused keys and rotate active ones.

– **AWS’s Response**: AWS has stated it notifies affected customers of exposed keys and takes necessary actions to manage risks.
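The first recommendation above can be expressed as an S3 bucket policy; the following is an added example, not a policy from the article or from Halcyon. It denies any PutObject request that carries the SSE-C algorithm header (the `s3:x-amz-server-side-encryption-customer-algorithm` condition key) and, to address the lifecycle-based deletion described earlier, restricts lifecycle changes to one named role. The bucket name, account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCustomerProvidedKeyEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    },
    {
      "Sid": "LifecycleChangesOnlyFromNamedAdminRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutLifecycleConfiguration",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::ACCOUNT-ID:role/EXAMPLE-S3-ADMIN-ROLE"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny, it blocks SSE-C writes from a compromised principal regardless of what its IAM policies allow. Since S3 retains only a salted HMAC of a customer-provided key, objects already encrypted under an attacker's key cannot be recovered from AWS, so the policy is preventive and must be in place before the keys are abused.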

Overall, the text serves as a sober reminder of the evolving tactics employed by ransomware actors, emphasizing the need for heightened vigilance and improved security measures in cloud environments, particularly for organizations leveraging AWS.