Engage Report: Codefinger Ransomware Targeting AWS S3 Buckets

  1. The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
  2. The attacker utilizes the Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
  3. They encrypt the bucket’s data using their own AES-256 key, which is not stored by AWS.
  4. Only an HMAC of the key is logged in AWS CloudTrail, which is insufficient for data recovery.
  5. The attacker sets a 7-day lifecycle policy to delete the files, increasing pressure on the victim.
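As an added hunting example (not code from the report), the following Python scans CloudTrail-style records for the two signals above: S3 object writes that applied SSE-C, and a short lifecycle expiration set on the same bucket. The sample records are constructed, and the field names (additionalEventData.SSEApplied, the SSE_C value, the LifecycleConfiguration.Rule shape) are assumptions to verify against your own trail.

```python
from collections import defaultdict

# Constructed CloudTrail-style records, not real log data. The field names
# (additionalEventData.SSEApplied, LifecycleConfiguration.Rule) are assumptions;
# check them against records from your own trail before relying on this.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "victim-data", "key": "db/dump.sql"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "victim-data", "key": "db/users.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"},
     "requestParameters": {"bucketName": "app-logs", "key": "2025/01/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "victim-data", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
]
WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def uses_sse_c(event):
    """True when an object write was encrypted with a customer-provided key (SSE-C)."""
    return (event.get("eventName") in WRITE_EVENTS
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")


def shortest_expiration_days(event):
    """Smallest Expiration.Days in a lifecycle write (Rule may be one dict or a list)."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    rules = rules if isinstance(rules, list) else [rules]
    days = [r["Expiration"]["Days"] for r in rules if "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def hunt(events, max_days=14):
    """Return buckets showing both signals: SSE-C writes and a short deletion timer."""
    per_bucket = defaultdict(lambda: {"sse_c_writes": 0, "keys": set(), "expire_days": None})
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket and uses_sse_c(ev):
            per_bucket[bucket]["sse_c_writes"] += 1
            per_bucket[bucket]["keys"].add(ev.get("userIdentity", {}).get("accessKeyId"))
        days = shortest_expiration_days(ev)
        if bucket and days is not None and days <= max_days:
            per_bucket[bucket]["expire_days"] = days
    return {b: s for b, s in per_bucket.items()
            if s["sse_c_writes"] and s["expire_days"] is not None}
```

Either signal alone can be legitimate (SSE-C is a supported feature and short expirations are common on scratch buckets), so the combination on one bucket, from one access key, is what merits a closer look.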

Threat Hunting Scenario based on the Cyber Anarchy Squad (C.A.S) Attacks

C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.

Threat Hunting Report: CyberVolk

The CyberVolk group is actively developing and deploying ransomware, potentially targeting organizations based on geopolitical motivations.

CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks

T1566 – CyberVolk has been observed utilizing phishing emails and LinkedIn messages to distribute malicious links to targets.

T1490 – The ransomware terminates processes associated with Microsoft Management Console (MMC) or Task Manager.

T1486 – The ransomware displays a payment screen with a decryption timer and payment details, including BTC and USDT options. The ransom amount is set to $1000.00, and the timer is set to 5 hours.

It’s Not Safe To Pay SafePay

The threat actor initiated the attack by disabling Windows Defender’s real-time protection and automatic file submission. They then proceeded to discover network shares using a PowerShell script. Sensitive data was collected and archived using WinRAR. Subsequently, they employed a UAC bypass technique involving COM objects to gain elevated privileges. Finally, the SafePay ransomware was deployed to encrypt files on the target system.