Compromised AWS Keys Abused in Codefinger Ransomware Attacks


A threat actor has been observed abusing compromised AWS keys to encrypt data in S3 buckets and demand a ransom payment in exchange for the encryption keys, cybersecurity firm Halcyon reports.

As part of the identified attacks, the threat actor, tracked as Codefinger, relies on stolen credentials and on AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) for encryption, which prevents data recovery without the attacker-generated key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

The threat actor looks for keys with permissions to read and write S3 objects (s3:GetObject and s3:PutObject requests), and then starts the encryption process by invoking SSE-C with an AES-256 encryption key that it generated and stores locally.

“AWS processes the key during the encryption operation but does not store it. Instead, only an HMAC (hash-based message authentication code) is logged in AWS CloudTrail. This HMAC is not sufficient to reconstruct the key or decrypt the data,” Halcyon explains.

The attackers drop a ransom note in each directory, instructing the victim to pay a ransom and to refrain from changing account permissions. To further pressure the victim, the attackers use the S3 Object Lifecycle Management API to mark the files for deletion within seven days.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it.

Organizations can mitigate the risk of such attacks by configuring IAM policies that prevent SSE-C from being applied to S3 buckets, or that restrict the feature to authorized data and users.


Furthermore, they are advised to regularly review permissions for AWS keys and to remove unused keys, as well as to enable logging for S3 operations to identify unusual behavior.
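One way to implement the policy-side mitigation described above, as an added example that is not part of the Halcyon report or this article: an S3 bucket policy that denies any PutObject request carrying an SSE-C algorithm header (the Null condition on the s3:x-amz-server-side-encryption-customer-algorithm key evaluates to false when the header is present), and, going one step beyond the mitigation stated above, denies lifecycle-configuration changes from any principal other than a single administrative role, since the attackers use lifecycle rules to schedule deletion. The bucket name, account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCustomerProvidedKeyEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    },
    {
      "Sid": "RestrictLifecycleChangesToAdminRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutLifecycleConfiguration",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-S3-ADMIN"
        }
      }
    }
  ]
}
```

Because the first statement is an explicit Deny, it overrides any Allow on s3:PutObject that a stolen key might otherwise carry; an equivalent Deny can be placed in a service control policy to cover every bucket in an organization.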

When notified of the observed attacks, AWS said that it alerts customers when it learns of exposed keys, investigates reports of exposed keys, and quickly takes the necessary actions to minimize risk without causing disruption.

SecurityWeek has emailed AWS for a statement on this campaign and will update this article as soon as a reply arrives.
