Name:
Abusing SSE-C services with Ransomware
TTP:
T1486 Data Encrypted for Impact, T1566.001 Phishing: Spearphishing Attachment, T1496.004 Resource Hijacking: Cloud Service Hijacking
Hypothesis:
The threat actor is exploiting compromised AWS keys to manipulate cloud storage objects and encrypt S3 bucket data for ransom.
Campaign Type:
Data Driven
Data Sources:
- AWS CloudTrail logs.
- S3 Object Lifecycle Management API logs.
- Ransom notes deposited in affected directories.
Tools:
- AWS Management Console.
- CloudTrail log analysis tools.
- S3 API analysis tools.
- Text analysis tools for ransom note examination.
Scenario:
- Initial Access: Attacker obtains compromised AWS keys with S3 access permissions.
- Execution: The attacker uses the keys to access and manipulate S3 buckets.
- Defense Evasion: The attacker leverages legitimate AWS services (SSE-C) to encrypt the data, making it appear as authorized behavior.
- Impact: The attacker encrypts critical data in S3 buckets, making it inaccessible to the owner.
- Exfiltration: The attacker may exfiltrate data before encryption, but the focus is on denying access to the data.
- Command and Control: The attacker may use external communication channels for command and control, but the core attack leverages AWS’s internal mechanisms.
- Lateral Movement: The attacker may move laterally within the AWS environment to compromise additional S3 buckets or other services.
- Persistence: The attacker may establish persistence by maintaining access to the compromised AWS keys or creating new IAM users with elevated privileges.
- Reconnaissance: The attacker may perform reconnaissance to identify valuable data within S3 buckets before encryption.
Hunting Strategy:
- Analyze AWS CloudTrail logs for suspicious API calls related to S3 buckets, focusing on s3:GetObject and s3:PutObject requests.
- Identify any unusual patterns of S3 object encryption, such as bulk encryption or the use of SSE-C with unfamiliar customer-provided keys.
- Correlate CloudTrail logs with S3 Object Lifecycle Management API logs to detect any unexpected changes to lifecycle policies, such as accelerated deletion timelines.
- Examine ransom notes found in affected directories to extract information about the attacker’s motives, demands, and communication channels.
- Investigate any outliers or suspicious events further, looking for indicators of compromise (IOCs) or other malicious activities.
- Validate potential threats by analyzing additional data sources, such as AWS Config logs or VPC Flow Logs.
- Remediate threats by isolating affected S3 buckets, revoking compromised AWS keys, and restoring data from backups (if available).
- Report findings and recommendations to improve security controls and prevent future attacks.
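An added detection sketch for the hunting strategy above (example code, not part of the original page): it walks constructed CloudTrail-style records, counts per access key the S3 writes that carried the SSE-C customer-algorithm header, and flags PutBucketLifecycle calls that set an expiration at or below a short threshold. The record layout (header names under requestParameters/responseElements, the LifecycleConfiguration nesting), the access-key values and the 50-object/7-day thresholds are assumptions for illustration.

```python
from collections import Counter

SSEC_ALGO_FIELD = "x-amz-server-side-encryption-customer-algorithm"

def _put(access_key, bucket, key, ssec=False):
    """Constructed PutObject record; the requestParameters layout is an assumption."""
    params = {"bucketName": bucket, "key": key}
    if ssec:
        params[SSEC_ALGO_FIELD] = "AES256"
    return {"eventName": "PutObject", "userIdentity": {"accessKeyId": access_key},
            "requestParameters": params}

def _lifecycle(access_key, bucket, days):
    """Constructed PutBucketLifecycle record with one expiration rule (assumed layout)."""
    rule = {"Expiration": {"Days": days}}
    return {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": access_key},
            "requestParameters": {"bucketName": bucket,
                                  "LifecycleConfiguration": {"Rule": [rule]}}}

# Constructed sample: one key rewrites three objects with SSE-C and then sets a
# 7-day expiry; a second key does ordinary writes and a long-lived expiry.
SAMPLE_RECORDS = (
    [_put("AKIACONSTRUCTED001", "finance-data", f"ledger-{i}.xlsx", ssec=True) for i in range(3)]
    + [_put("AKIACONSTRUCTED002", "finance-data", "report.pdf"),
       _lifecycle("AKIACONSTRUCTED001", "finance-data", 7),
       _lifecycle("AKIACONSTRUCTED002", "archive", 365)]
)

def is_ssec_event(rec):
    """True if the SSE-C customer-algorithm header was logged with this request."""
    return any(SSEC_ALGO_FIELD in (rec.get(s) or {})
               for s in ("requestParameters", "responseElements"))

def short_expiry_days(rec, max_days):
    """Smallest expiration <= max_days set by a PutBucketLifecycle call, else None."""
    if rec.get("eventName") != "PutBucketLifecycle":
        return None
    rules = rec["requestParameters"].get("LifecycleConfiguration", {}).get("Rule", [])
    short = [r["Expiration"]["Days"] for r in rules
             if r.get("Expiration", {}).get("Days", max_days + 1) <= max_days]
    return min(short) if short else None

def hunt(records, bulk_threshold=50, max_days=7):
    """Count SSE-C writes per access key; flag bulk keys and accelerated expiries."""
    ssec_by_key, lifecycle_hits = Counter(), []
    for rec in records:
        ak = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        if is_ssec_event(rec):
            ssec_by_key[ak] += 1
        days = short_expiry_days(rec, max_days)
        if days is not None:
            lifecycle_hits.append((ak, rec["requestParameters"]["bucketName"], days))
    bulk = sorted(k for k, n in ssec_by_key.items() if n >= bulk_threshold)
    return {"ssec_by_key": dict(ssec_by_key), "bulk_keys": bulk, "lifecycle_hits": lifecycle_hits}
```

A key that both appears in `bulk_keys` and in `lifecycle_hits` for the same bucket matches the encrypt-then-expire pattern this hunt describes and is the first thing to pivot on.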
Recommendations:
- Restrict or audit the use of SSE-C within your AWS environment.
- Regularly review and monitor AWS key usage, ensuring least privilege and rotating keys frequently.
- Implement strong logging and monitoring capabilities for all S3 operations.
- Enable multi-factor authentication (MFA) for all AWS accounts.
- Educate employees about phishing attacks and the importance of protecting AWS credentials.
- Maintain regular backups of critical data stored in S3 buckets.
- Stay informed about emerging threats and vulnerabilities in cloud environments.
Scoring Notes:
- Observables related to API calls and encryption parameters are core to the technique but can be obfuscated or manipulated by attackers.
- Changes to lifecycle policies are more specific to adversary tactics but can also occur due to legitimate reasons.
- The presence of a ransom note is a strong indicator of malicious activity but its content can vary.
Additional Notes:
- This D3 diagram focuses on the specific scenario of abusing SSE-C for ransomware purposes.
- Other implementations of T1583.002 may involve different observables and robustness levels.
- It is crucial to consider the context and environment when analyzing these observables.
False Positive Consideration:
- Legitimate use of SSE-C by authorized users.
- Automated scripts or applications with access to S3 buckets.
- Accidental misconfigurations of S3 bucket policies or lifecycle settings.
D3 Diagram:
### D3 Diagram (Abuse of Cloud Services)

**T1583.002 - Abuse of Cloud Services: Cloud Storage Object Manipulation**

**Implementations**

1. Exploiting compromised AWS keys to encrypt S3 buckets using SSE-C.
2. Creating new IAM users with elevated privileges to access and manipulate S3 buckets.
3. Modifying S3 bucket policies to allow unauthorized access or encryption.
4. Utilizing the S3 Object Lifecycle Management API to delete or modify objects.

**Observables**

| Observable | Value | Robustness Level | Rationale |
|:---|:---|:---|:---|
| API calls | `s3:GetObject`, `s3:PutObject`, `s3:PutBucketEncryption`, `s3:PutLifecycleConfiguration` | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to AWS API calls but can be obfuscated or mimicked |
| Encryption parameters | `x-amz-server-side-encryption-customer-algorithm`, `x-amz-server-side-encryption-customer-key`, `x-amz-server-side-encryption-customer-key-MD5` | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to SSE-C encryption but can be manipulated |
| Lifecycle policy changes | Unexpected changes to object expiration or deletion rules | Level 3: Specific to Adversary Tactics or Techniques | Indicates unusual behavior but can be legitimately modified |
| Ransom note presence | Unique identifier, Bitcoin address, communication instructions | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to the attacker's demands but can be changed |