New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets

The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it.

The Halcyon RISE Team has uncovered a novel ransomware campaign targeting Amazon S3 buckets, marking a significant escalation in sophistication. This campaign leverages AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victim data, turning a powerful security feature into a weapon against its intended users.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys.

According to Halcyon’s investigation, shared with Hackread.com, this campaign is attributed to a threat actor dubbed “Codefinger.” The attack begins by acquiring AWS credentials, either through social engineering, phishing attacks, or exploiting vulnerabilities in other parts of the victim’s infrastructure.

Once in possession of these credentials, Codefinger utilizes them to gain access to S3 buckets and initiate the encryption process. Leveraging SSE-C, the attackers encrypt the data using a unique, self-generated AES-256 key.

It is important to note that this attack does not exploit any vulnerabilities within AWS itself. Instead, it relies on the threat actor first obtaining an AWS customer’s account credentials. With no known method to recover the data without paying the ransom, this tactic represents a concerning evolution in ransomware capabilities.

A critical aspect of this attack lies in the fact that AWS only logs an HMAC (Hash-based Message Authentication Code) of the encryption key, not the key itself. This HMAC, while providing integrity verification, is insufficient for data recovery, leaving victims with no viable means of decryption without paying the ransom.

To further pressure victims, Codefinger implements an aggressive deletion schedule. Files are marked for automatic deletion within seven days of encryption, creating a sense of urgency and increasing the likelihood of victims paying the ransom demand. To facilitate payment and communication, attackers typically leave a ransom note within the affected S3 buckets, providing instructions for Bitcoin payments and a unique client ID for each victim.

The implications of this campaign are significant. By exploiting a core AWS security service, attackers have effectively weaponized a trusted mechanism, making data recovery significantly more challenging.

This method not only renders data inaccessible but also limits forensic analysis and recovery options. Moreover, the success of this campaign could incentivize other threat actors to adopt similar tactics, potentially leading to a surge in attacks leveraging native cloud services for malicious purposes.

To mitigate cloud attack risks, organizations should adopt a multi-layered security approach. It is essential to prioritize access controls, implement least privilege principles, and rotate AWS keys. Implementing strong IAM policies that restrict the use of SSE-C to authorized personnel and specific use cases is crucial.

Furthermore, proactive monitoring of AWS CloudTrail logs for unusual activity, such as bulk encryption events or suspicious access patterns, is essential for early detection and response.

****AWS – A Lucrative Target for Hackers****

AWS has become a lucrative target for cybercriminals, with top groups like ShinyHunters and Nemesis exploiting it. Even in third-party cyberattacks, extracting AWS keys has become a preferred tactic for threat actors. This trend extends to newer groups such as EC2 Grouper.

In a comment to Hackread.com, Darren James, Senior Product Manager at Specops Software stated “This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will come back to bite admins.”

Darren also highlighted that poor password practices, such as reusing or using default passwords without two-factor authentication, often lead to issues like ransomware attacks. He emphasized the need for unique passwords and phishing-resistant 2FA to prevent such incidents.

1. In the jungle of AWS S3 Enumeration
2. Russian Cozy Bear Phish Critical Sectors with AWS Lures
3. EMERALDWHALE Steals Credentials, Stores Data in S3 Bucket
4. Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years
5. ALBeast: Misconfiguration Flaw Exposes AWS Load Balancers to Risk