The Halcyon RISE Team has uncovered a sophisticated operation targeting Amazon S3 storage buckets. The threat actor, dubbed "Codefinger," leverages Amazon Web Services’ (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, leaving victims with no means to recover their files without paying a ransom.
The attack does not exploit any vulnerability in AWS itself. It relies on compromised AWS credentials, which let the attacker use a legitimate, customer-controlled encryption feature against the account owner: with SSE-C, the customer supplies the key and AWS never stores it, so once the attacker re-encrypts objects under a key only they hold, recovery depends entirely on their cooperation. This use of SSE-C is a notable evolution in ransomware tactics.
“While this attack is generating a lot of chatter in the cloud security community, it’s naive to think that native cloud functionality, like AWS S3, would never be used by ransomware gangs,” said Kat Traxler, Principal Security Researcher at Vectra AI. “This may be the first time we have witnessed such an attack in the wild, but we would be shortsighted to believe that this is the first occurrence, or the only technique used by threat actors in the cloud. This trend highlights a critical reality – wherever data exists, ransomware attempts will follow, whether through encryption or extortion.”
How the Attack Works
The Codefinger attack follows a meticulous workflow:
Identify Exposed AWS Keys: The threat actors use publicly leaked or otherwise compromised AWS access keys whose permissions allow S3 object read and write operations.
Encrypt Files Using SSE-C: The attacker sends requests with the x-amz-server-side-encryption-customer-algorithm header (value AES256) and supplies their own AES-256 key, which they generate and keep private. AWS performs the encryption but does not store the key; it retains only an HMAC of the key, used to validate later requests, which cannot be reversed to recover the key or used for forensic analysis.
Set File Deletion Policies: Using an S3 Lifecycle configuration, the attacker sets the encrypted objects to expire within seven days, adding urgency to the ransom demand.
Deliver Ransom Notes: The notes include payment instructions, warnings, and a client ID tied to the encrypted data, and stress the consequences of changing permissions or failing to pay.
Why This Campaign is Alarming
This ransomware strategy raises critical concerns for cloud security:
Irrecoverable Data Loss: Once an object has been overwritten with SSE-C, its content cannot be recovered without the attacker's key; the only recovery paths are copies the attacker did not touch, such as earlier object versions in a versioned bucket or out-of-account backups.
Limited Forensic Evidence: CloudTrail records only the HMAC of the encryption key, which is insufficient for investigation or decryption.
Potential for Escalation: If this method gains traction, it could pose a systemic threat to organizations relying on S3 for critical data storage.
Mitigating the Threat
Organizations can reduce their exposure to attacks like Codefinger by adopting robust security practices:
Restrict SSE-C Usage: Apply IAM or bucket policy conditions (for example, a Deny on s3:PutObject when the s3:x-amz-server-side-encryption-customer-algorithm condition key is present) so that SSE-C can be used only by the principals and operations that genuinely need it. Note that CopyObject is authorized as s3:PutObject on the destination, so such a Deny also covers in-place re-encryption by copy.
Audit AWS Keys: Regularly review and rotate credentials, and disable unused keys.
Enable Advanced Logging: CloudTrail does not record S3 object-level (data) events by default; enable them for critical buckets and alert on bursts of SSE-C writes from a single identity and on lifecycle configuration changes.
Collaborate with AWS Support: Engage AWS to identify and address potential vulnerabilities in your cloud environment.
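The two controls above, restricting SSE-C by policy and alerting on mass SSE-C writes and lifecycle changes, as an added example. This is not code from Halcyon, AWS, or the Codefinger investigation; it is an illustrative script written for this article. The policy uses the real s3:x-amz-server-side-encryption-customer-algorithm and aws:PrincipalArn condition keys. The CloudTrail field names (additionalEventData.SSEApplied equal to "SSE_C", and PutBucketLifecycle as the lifecycle event name), the log events, bucket name, principal ARN and access key IDs are all assumed or constructed for the example and should be checked against your own trail before the logic is reused.

```python
"""Added example (not from Halcyon or AWS): a bucket policy that blocks SSE-C
writes and restricts lifecycle changes, plus a CloudTrail scan that flags the
two Codefinger signals the article names. Field names and events are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


# --- 1. Preventive control: bucket policy -----------------------------------
# AWS sets s3:x-amz-server-side-encryption-customer-algorithm whenever a
# request carries the SSE-C header, so Null:false matches exactly the writes
# an SSE-C ransomware run makes. CopyObject is authorized as PutObject on the
# destination, so in-place re-encryption by copy is covered too.
def deny_sse_c_policy(bucket: str, lifecycle_admin_arn: str) -> dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySSECWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {
                # Only one admin principal (assumed ARN) may change lifecycle rules.
                "Sid": "LimitLifecycleChanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutLifecycleConfiguration",
                "Resource": bucket_arn,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": lifecycle_admin_arn}},
            },
        ],
    }


# --- 2. Detective control: scan CloudTrail S3 events ------------------------
# Assumption: S3 data events carry additionalEventData.SSEApplied == "SSE_C"
# for SSE-C writes, and lifecycle changes appear as PutBucketLifecycle.
SSE_C_WRITES = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _identity(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn", "unknown")


def find_codefinger_signals(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per lifecycle change and one per identity that made
    at least `threshold` SSE-C writes inside any `window`-long span."""
    findings, sse_c_by_identity = [], defaultdict(list)
    for ev in sorted(events, key=_ts):
        name, ident = ev.get("eventName"), _identity(ev)
        if name in LIFECYCLE_EVENTS:
            findings.append({"type": "lifecycle_change", "identity": ident,
                             "bucket": ev.get("requestParameters", {}).get("bucketName"),
                             "time": ev["eventTime"]})
        elif name in SSE_C_WRITES and \
                ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            sse_c_by_identity[ident].append(ev)
    for ident, evs in sse_c_by_identity.items():
        # Sliding window over the time-sorted writes of this identity.
        for i in range(len(evs) - threshold + 1):
            if _ts(evs[i + threshold - 1]) - _ts(evs[i]) <= window:
                findings.append({"type": "mass_sse_c_write", "identity": ident,
                                 "count": len(evs), "first": evs[0]["eventTime"],
                                 "buckets": sorted({e["requestParameters"]["bucketName"]
                                                    for e in evs})})
                break
    return findings


# --- Constructed sample trail (not real CloudTrail data) --------------------
def _event(name, key_id, minute, bucket="corp-data", sse=None, obj="x"):
    ev = {"eventTime": f"2025-01-10T12:{minute:02d}:00Z",
          "eventSource": "s3.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
          "requestParameters": {"bucketName": bucket, "key": obj},
          "additionalEventData": {}}
    if sse:
        ev["additionalEventData"]["SSEApplied"] = sse
    return ev


SAMPLE_EVENTS = (
    [_event("PutObject", "AKIAEXAMPLEALICE", 0, sse="SSE_KMS", obj="report.pdf")]
    + [_event("CopyObject", "AKIAEXAMPLEEVIL", 5 + i, sse="SSE_C", obj=f"doc{i}.docx")
       for i in range(6)]
    + [_event("PutBucketLifecycle", "AKIAEXAMPLEEVIL", 12)]
)

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("corp-data",
          "arn:aws:iam::123456789012:role/BucketAdmin"), indent=2))
    print(json.dumps(find_codefinger_signals(SAMPLE_EVENTS), indent=2))
```

Run against the constructed trail, the scan ignores Alice's single SSE-KMS write and produces two findings for the compromised key: a burst of six SSE-C copies and a lifecycle change minutes later. In production the threshold and window should be tuned to the bucket's normal write rate, and the policy's Deny statement should be tested with a legitimate SSE-C client before rollout if any workload depends on customer-provided keys.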
AWS’s Response
AWS, notified of the findings in advance, reiterated its commitment to customer security through the shared responsibility model. “Anytime AWS is aware of exposed keys, we notify the affected customers,” the company stated. “We encourage all customers to follow security, identity, and compliance best practices.” AWS also highlighted existing tools like IAM Roles, AWS Secrets Manager, and temporary credentials from AWS Security Token Service (STS) as measures to minimize risks.
The Bigger Picture
As ransomware operators continue to evolve their tactics, experts warn that cloud-native features designed for security and convenience can be repurposed by malicious actors. Organizations must prioritize proactive security measures to safeguard critical data in increasingly complex cloud environments.
The Codefinger campaign is a wake-up call for the industry: data security in the cloud is only as strong as the credentials and policies protecting it.