| Section | Details |
|---|---|
| Threat Actors | Codefinger |
| Campaign Overview | Ransomware targeting Amazon S3 buckets using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data and demand ransom for decryption keys. |
| Target Regions (Victims) | AWS customers with weak or compromised credentials (no specific region identified) |
| Methodology | • Phishing, social engineering, or exploitation of exposed infrastructure to obtain AWS access keys. • Using the stolen credentials to rewrite objects in S3 buckets with SSE-C, supplying an attacker-generated AES-256 key; S3 performs the encryption itself and retains only an HMAC of the key, so the data cannot be recovered from the AWS side without the attacker's key. • Applying an S3 lifecycle policy that schedules the encrypted objects for deletion within seven days, and leaving a ransom note with a Bitcoin address. |
| Product Targeted | Amazon S3 buckets |
| Malware Reference | No custom malware: encryption is performed by the native S3 SSE-C feature with an attacker-supplied AES-256 key |
| Tools Used | AWS SSE-C (Server-Side Encryption with Customer-Provided Keys), S3 Object Lifecycle Management for scheduled deletion, Bitcoin for ransom payments |
| Vulnerabilities Exploited | No AWS platform vulnerability; weak or compromised AWS credentials (obtained via phishing, social engineering, or infrastructure vulnerabilities) with permissions to write objects and change bucket lifecycle configuration |
| TTPs | • Social engineering and phishing for AWS credentials. • Encryption of S3 data with customer-provided keys (SSE-C), leaving AWS no usable copy of the key. • Aggressive deletion schedule (7-day lifecycle expiration) to pressure victims. |
| Attribution | Codefinger |
| Recommendations | • Implement multi-layered security, prioritize least-privilege access controls, rotate AWS keys, and disable unused ones. • Deny SSE-C for buckets that do not need it with an IAM or bucket policy conditioned on `s3:x-amz-server-side-encryption-customer-algorithm`, restricting the feature to authorized principals. • Monitor AWS CloudTrail for SSE-C object writes and lifecycle changes; note that S3 object-level (data) events are not logged unless data event logging is enabled for the bucket or trail. |
| Source | Hackread |
Read full article: https://hackread.com/codefinger-ransomware-amazon-aws-encrypt-s3-buckets/
The above summary has been generated by an AI language model
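The two recommendations that are specific to this campaign, denying SSE-C and watching CloudTrail for it, can be demonstrated in code. The block below is an added example, not code from the Hackread article, from Halcyon, or from AWS: it runs a small detector over constructed, simplified CloudTrail-style records (the placement of the `SSEApplied` marker and of the lifecycle rule inside `requestParameters` is an assumption to confirm against real logs for your account) and builds the bucket policy statement that refuses SSE-C writes. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is a real S3 condition key; the `Null: false` test means "the header is present in the request".

```python
"""Detect Codefinger-style SSE-C abuse in CloudTrail records and build a deny policy.

Added example. The records below are constructed, not real CloudTrail output,
and the exact field layout is an assumption to verify against your own logs.
"""
import json

# S3 write operations that can carry a customer-provided key.
SSE_C_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
# The reported pressure window: objects expire within seven days.
DELETION_WINDOW_DAYS = 7

# Constructed sample records (simplified CloudTrail-style JSON, not real logs).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-10.sql"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},          # normal KMS write
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-10.sql",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},            # in-place re-encrypt with SSE-C
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "acme-backups",
                           "LifecycleConfiguration": {
                               "Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": {"bucketName": "acme-backups", "key": "db/2025-01-10.sql"}},
]


def is_sse_c_write(event):
    """True when an object write was performed with a customer-provided key."""
    if event.get("eventName") not in SSE_C_WRITE_EVENTS:
        return False
    extra = event.get("additionalEventData") or {}
    params = event.get("requestParameters") or {}
    return (extra.get("SSEApplied") == "SSE_C"
            or "x-amz-server-side-encryption-customer-algorithm" in params)


def is_short_expiry_lifecycle(event, max_days=DELETION_WINDOW_DAYS):
    """True when a lifecycle rule enables expiration within max_days."""
    if event.get("eventName") != "PutBucketLifecycle":
        return False
    config = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = config.get("Rule") or []
    if isinstance(rules, dict):          # a single rule may be serialised as an object
        rules = [rules]
    for rule in rules:
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
            return True
    return False


def find_alerts(events):
    """Return (alert_type, principal_arn, bucket, eventName) for suspicious records."""
    alerts = []
    for event in events:
        principal = (event.get("userIdentity") or {}).get("arn", "?")
        bucket = (event.get("requestParameters") or {}).get("bucketName", "?")
        if is_sse_c_write(event):
            alerts.append(("SSE_C_WRITE", principal, bucket, event["eventName"]))
        elif is_short_expiry_lifecycle(event):
            alerts.append(("SHORT_EXPIRY_LIFECYCLE", principal, bucket, event["eventName"]))
    return alerts


def sse_c_deny_policy(bucket):
    """Bucket policy that denies any PutObject carrying the SSE-C algorithm header.

    Deny wins over any Allow, so this blocks SSE-C even for principals whose IAM
    policies grant s3:PutObject. Scope the Principal down if some workloads need SSE-C.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECObjectWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print(json.dumps(sse_c_deny_policy("acme-backups"), indent=2))
```

Run against the constructed records, the detector flags the `CopyObject` that re-encrypted an object with SSE-C and the lifecycle rule that expires objects in 7 days, and ignores the ordinary KMS write and the read. On a real account, feed it the S3 data events from CloudTrail; a `CopyObject` from a key onto itself with `SSE_C` applied, followed shortly by a lifecycle change from the same principal, is the sequence this campaign produces.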