Cybersecurity Newsflash : New Codefinger ransomware attack targets compromised AWS keys

On January 13, researchers at anti-ransom platform Halcyon revealed that a threat actor dubbed Codefinger is exploiting compromised AWS keys and encrypting data in S3 buckets. Victims are then threatened with permanent data deletion unless a ransom is paid within a week.

A troubling development

Conventional ransomware attacks encrypt files, either locally or while in transit. However, what makes this attack different — and particularly troubling — is that doesn’t exploit a vulnerability in AWS itself. Instead, it uses a compromised key with write permissions to encrypt data, leveraging AWS’s built-in encryption feature to lock access to critical information.

Once data is encrypted, it is impossible to recover without the attacker’s key. In addition, log evidence is limited since AWS CloudTrail captures only the Hash-Based Message Authentication Code (HMAC) of the encryption key, which is insufficient for recovery or forensic analysis. Halcyon researchers warn that if this new method gains traction and becomes widespread, it could represent an enormous, system-wide threat to organizations that use Amazon S3 for critical data storage.

How the attack works

The attack unfolds in four stages:

• The attacker analyzes publicly-disclosed and compromised AWS keys, and identifies those with permissions for executing s3:GetObject and s3:PutObject requests.
• The attacker encrypts files using AWS’s server-side encryption with customer-provided keys (SSE-C).
• Files are marked for deletion within seven days using the S3 Object Lifecycle Management API.
• Victims find a note in each affected directory that demands payment via bitcoin within seven days. The note also warns that any changes to account permissions or files will immediately trigger deletion.

Mitigating the threat

• Exposed organizations are advised to immediately take the following threat mitigation steps:
• Use the Condition element in Identity and Access Management (IAM) policies to block the application of SSE-C to S3 buckets. Subsequent configurations can be made to restrict this to authorized data and users.
• Enable detailed logging for S3 operations to detect unusual activity (e.g., bulk encryption or lifecycle policy changes).
• Use the AWS Security Token Service (AWS STS) to issue temporary security credentials. This service controls access to AWS resources, but without distributing or embedding long-term AWS security credentials within an application.
• Review permissions on a regular basis for all AWS keys, and verify that they have the minimum required access.
• Disable unused keys, and frequently rotate active keys.
• Use the AWS Secrets Manager service to create, manage, retrieve, and automatically rotate non-AWS credentials (e.g., database usernames and passwords) throughout their lifecycle.
• Engage directly with AWS Support, which in response to the Codefinger attack has published a new bulletin on its Knowledge Base called “What can I do if I notice unauthorized activity in my AWS account?”

Takeaways & advice

We all know that bad actors copy what works, and as such there is valid reason to be concerned that this kind of ransomware attack will soon become common. In fact, perhaps the most surprising thing is that it has taken them this long to try this method, since SSE-C has been available since 2014.

This development emphasizes the critical importance for organizations that rely on Amazon S3 for data storage to properly secure AWS keys or access tokens. Furthermore, all major cloud service providers offer similar client-side encryption functionality that could be abused.

The broader insight and implication of this attack is a stark reminder that no one is completely safe from ransomware attacks. As such, it is crucial for organizations to take steps to reduce the probability of exposure and minimize the risk. This approach should include:

• Restricting key management access: Limiting who and what can access encryption keys.
• Follow the Principle of Least Privilege: Ensuring that keys only have the minimum permissions needed for their intended purpose.
• Minimizing the attack surface: Regularly reviewing and reducing external access to your cloud resources.

In addition, we urge all organizations – including those that are not exposed to the Codefinger attack, or other attacks that use a similar threat vector – to implement and enforce strict access control and privilege management policies, which can substantially limit the damage caused by ransomware attacks. Organizations that want to learn more about achieving this critical objective are invited to explore Devolutions PAM, which delivers enterprise-grade robustness in a solution adapted to SMBs, combining ease-of-use with scalability. Learn more about Devolutions PAM.