- The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
- The attacker utilizes the Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
- They encrypt the bucket’s data using their own AES-256 key, which is not stored by AWS.
- Only an HMAC of the key is logged in AWS CloudTrail, which is insufficient to recover the data.
- The attacker sets a 7-day lifecycle policy to delete the files, increasing pressure on the victim.
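The two observable traces of this sequence are SSE-C writes and a short-lived lifecycle rule. The detection below is an added example (not code from the original article) that scans constructed CloudTrail-style records for both; the `x-amz-server-side-encryption-customer-algorithm` request parameter, the `SSEApplied` value `SSE_C`, the `PutBucketLifecycle` event shape and the `AKIAEXAMPLE…` key IDs are assumed or constructed for illustration.

```python
# Constructed sample CloudTrail records (not real logs). Field layout follows the
# general shape of S3 data/management events but is simplified for the example.
SAMPLE_EVENTS = [
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"bucketName": "victim-bucket", "key": "report.pdf",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"},
     "requestParameters": {"bucketName": "victim-bucket", "key": "logo.png"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"},
     "requestParameters": {"bucketName": "victim-bucket",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
]

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed logged name
MAX_EXPIRATION_DAYS = 30  # anything this short on a data bucket deserves a look

def uses_ssec(event):
    """True when the write used a customer-provided key (SSE-C)."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return params.get(SSEC_HEADER) == "AES256" or extra.get("SSEApplied") == "SSE_C"

def short_expiration(event):
    """Return the expiration days of an enabled lifecycle rule if it is short, else None."""
    if event.get("eventName") != "PutBucketLifecycle":
        return None
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or []
    if isinstance(rules, dict):      # single rule is logged as an object, not a list
        rules = [rules]
    for rule in rules:
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days <= MAX_EXPIRATION_DAYS:
            return days
    return None

def find_suspicious(events):
    """Collect (access key, bucket, reason) tuples for SSE-C writes and short expirations."""
    findings = []
    for ev in events:
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "?")
        bucket = (ev.get("requestParameters") or {}).get("bucketName", "?")
        if ev.get("eventName") in ("PutObject", "CopyObject") and uses_ssec(ev):
            findings.append((key_id, bucket, "SSE-C write; key material is not held by AWS"))
        days = short_expiration(ev)
        if days is not None:
            findings.append((key_id, bucket, f"lifecycle expiration in {days} days"))
    return findings
```

Both findings here come from the same access key against the same bucket, which is the correlation worth alerting on; a preventive complement is a bucket policy that denies `s3:PutObject` whenever the `s3:x-amz-server-side-encryption-customer-algorithm` condition key is present.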