Subject: Engage Report: Codefinger Ransomware Targeting AWS S3 Buckets
Tactics: TA0005 Defense Evasion, TA0040 Impact, TA0042 Resource Development
Technique: T1526 Cloud Service Discovery, T1486 Data Encrypted for Impact
Procedure:
- The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
- The attacker utilizes the S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) feature, under which the client supplies the encryption key on every request.
- They re-encrypt the bucket's objects with an AES-256 key they generate themselves; AWS uses the key for the operation but never stores it.
- Only an HMAC of the key is recorded in AWS CloudTrail, which is not sufficient to reconstruct the key or recover the data.
- The attacker configures a 7-day S3 lifecycle rule that expires the objects, adding time pressure on the victim to pay.
Vulnerability:
- EAV0006 When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data.
- EAV0017 When adversaries discover enabled, accessible, or intentionally weakened/overly permissive resources in the environment (production or isolated), they are vulnerable to revealing additional or more advanced capabilities when exploiting or using said resource.
Engagement Opportunity:
- Restrict or audit the use of SSE-C through IAM or bucket policies, for example by denying s3:PutObject when the s3:x-amz-server-side-encryption-customer-algorithm condition key is present, so that only SSE-S3 or SSE-KMS encryption is accepted.
- Monitor CloudTrail for S3 object writes that use customer-provided keys and for lifecycle configuration changes that expire objects quickly. Note that PutObject and CopyObject are S3 data events and are only logged if data event logging is enabled for the bucket; lifecycle changes are management events and are logged by default.
- Set up honeypot S3 buckets with decoy data and enticing names to attract attackers and analyze their TTPs.
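The following is an added example written for this report and is not part of the original Engage entry or any AWS-published code. It shows the first two engagement opportunities in working form: a bucket policy that denies SSE-C uploads (the condition key s3:x-amz-server-side-encryption-customer-algorithm is a real S3 condition key; the bucket ARN is a placeholder), with a minimal evaluator for its Null condition, and a scan over CloudTrail records that flags SSE-C object writes and short-expiration lifecycle rules. The sample records are constructed for the example; the SSEApplied value "SSE_C" and the LifecycleConfiguration/Rule layout of PutBucketLifecycle requestParameters are assumptions about the CloudTrail S3 event schema and should be checked against your own logs.

```python
"""Added example (not from the original report): a deny-SSE-C bucket policy
with a small condition evaluator, plus a CloudTrail scan for the Codefinger
pattern. All sample data below is constructed."""
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # placeholder, not a real bucket


def sse_c_deny_policy(bucket_arn=BUCKET_ARN):
    """Bucket policy that denies any PutObject carrying an SSE-C algorithm header.
    The condition key is present only when the request supplies a customer key,
    so Null == "false" matches exactly the SSE-C uploads we want to refuse."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


def denied_by_policy(request_headers, policy=None):
    """Minimal evaluator for the policy above: True when a Deny statement's Null
    condition matches the request headers. Models only this condition type."""
    policy = policy or sse_c_deny_policy()
    present_headers = {h.lower() for h in request_headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"].get("Null", {}).items():
            header = key.split(":", 1)[1]          # "s3:x-amz-..." -> "x-amz-..."
            actual = "false" if header in present_headers else "true"
            if actual == expected:
                return True
    return False


# PutObject/CopyObject are S3 data events (logged only if enabled for the bucket);
# lifecycle changes are management events. Event names and field layout below
# follow CloudTrail's JSON as assumed in the lead-in.
SSE_C_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
MAX_EXPIRATION_DAYS = 7  # Codefinger used a 7-day expiration


def classify(record):
    """Return a finding string for a suspicious CloudTrail record, else None."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    extra = record.get("additionalEventData") or {}
    who = record.get("userIdentity", {}).get("arn", "?")
    bucket = params.get("bucketName", "?")
    if name in SSE_C_EVENTS and extra.get("SSEApplied") == "SSE_C":
        return f"SSE-C {name} on {bucket}/{params.get('key', '?')} by {who}"
    if name in LIFECYCLE_EVENTS:
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
        if isinstance(rules, dict):   # a single rule is serialized as a dict
            rules = [rules]
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and int(days) <= MAX_EXPIRATION_DAYS:
                return f"short expiration ({days}d) set on {bucket} by {who}"
    return None


def scan(records):
    return [f for f in map(classify, records) if f]


ACTOR = "arn:aws:iam::123456789012:user/app-ci"  # constructed identity
SAMPLE_RECORDS = [  # constructed records, not real CloudTrail output
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/db.sql"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},          # benign
    {"eventName": "CopyObject", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/db.sql"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},           # re-encryption
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"bucketName": "example-bucket",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "cleanup", "Status": "Enabled",
                               "Expiration": {"Days": 7}}}}},   # pressure timer
]

if __name__ == "__main__":
    print(json.dumps(sse_c_deny_policy(), indent=2))
    for finding in scan(SAMPLE_RECORDS):
        print("ALERT:", finding)
```

The policy blocks new SSE-C writes but does not undo encryption already performed, and an attacker holding keys that can edit bucket policy can remove it; pair it with a Deny on s3:PutBucketPolicy and s3:PutLifecycleConfiguration for the application principal, and feed the scan from a CloudTrail trail or Lake that actually has data events enabled for the protected buckets.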
Threat Actor: Codefinger
Threat Objective:
Encrypt critical data within S3 buckets and extort ransom payments for the decryption keys.
Deception Opportunity:
- Plant fake AWS keys with access to decoy buckets containing fabricated sensitive data.
- Configure deceptive lifecycle policies that trigger alerts or countermeasures upon modification.
Sensor Data Placement: Application
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
Detecting the abuse of SSE-C requires analyzing application-level events and payload visibility to identify the use of customer-provided keys during encryption. While SSE-C itself is a legitimate feature, its use in this context is core to the attacker’s technique.
Link to Report:
Link to Report II.:
Additional Comments:
This attack highlights a novel abuse of cloud services, turning a security feature into a weapon. It underscores the importance of proper key management and cloud security best practices.
Possible elements:
MSG (Pseudocode):
T1526 - Cloud Service Discovery; T1486 - Data Encrypted for Impact
Implementations:
- Obtain AWS Keys
- Utilize SSE-C
- Encrypt S3 Data
- Set Lifecycle Policy
- Deliver Ransom Note
Observables:
- SSE-C Usage. Level 4: Core to Some Implementations of (Sub-)Technique. Scoring Rationale: The use of SSE-C is core to this specific attack but not to all abuses of cloud services. It indicates the attacker intends to control the encryption process fully.
- Customer-Provided Key. Level 5: Core to Sub-Technique or Technique. Scoring Rationale: The presence of a customer-provided key during S3 object encryption is a strong indicator of this technique. It deviates from standard AWS practice, where keys are managed by S3 or KMS.
- Lifecycle Policy Change. Level 3: Core to Pre-Existing Tool or Inside Boundary. Scoring Rationale: Lifecycle policies are a legitimate feature, but a sudden modification that expires data within days can indicate malicious activity.
- Ransom Note Presence. Level 2: Core to Adversary-Brought Tool or Outside Boundary. Scoring Rationale: The ransom note is specific to the attacker's operation and not inherent to the cloud service itself.
Notes:
- Defenders should focus on monitoring S3 encryption activity, key usage, and lifecycle policy changes.
- Deception opportunities can be created by deploying honeypot buckets with fake data and monitoring for unauthorized encryption attempts.