Engage Report: Codefinger Ransomware Targeting AWS S3 Buckets

  1. The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
  2. The attacker utilizes the Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
  3. They encrypt the bucket’s data using their own AES-256 key, which is not stored by AWS.
  4. Only an HMAC of the key is logged in AWS CloudTrail, which is insufficient for data recovery.
  5. The attacker sets a 7-day lifecycle policy to delete the files, increasing pressure on the victim.
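The steps above leave two traces a defender can key on: object writes whose encryption mode is SSE-C, and a lifecycle rule that expires objects within a few days. The Python below, written for this page as an added example (it is not code from the report or from AWS), correlates both indicators per bucket over constructed CloudTrail-style records and also builds the bucket policy that denies SSE-C writes outright. The sample records, the `SSEApplied` field in `additionalEventData`, and the layout of `LifecycleConfiguration` in `requestParameters` are assumptions modelled on CloudTrail S3 events; verify them against your own logs before deploying the checks.

```python
import json

# Constructed CloudTrail-style records (abbreviated to the fields the checks use).
# "SSEApplied" in additionalEventData is assumed here to carry the encryption
# mode of a write; "LifecycleConfiguration.Rule" is assumed to hold the rules.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-backups", "key": "q4/ledger.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-backups", "key": "q4/notes.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": "app-assets", "key": "logo.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-backups",
                           "LifecycleConfiguration": {"Rule": [
                               {"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
]

WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def sse_c_writes(events):
    """Return (bucket, key, principal) for every object write that used SSE-C."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        rp = ev.get("requestParameters", {})
        hits.append((rp.get("bucketName"), rp.get("key"), ev.get("userIdentity", {}).get("arn")))
    return hits


def short_expirations(events, max_days=7):
    """Return (bucket, days) for enabled lifecycle rules that expire objects within max_days."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        rp = ev.get("requestParameters", {})
        rules = rp.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may be serialized as a dict
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((rp.get("bucketName"), days))
    return hits


def codefinger_findings(events):
    """Per bucket: SSE-C write count, shortest expiration set, and a severity that
    is 'high' only when both indicators land on the same bucket."""
    findings = {}
    for bucket, _key, _arn in sse_c_writes(events):
        f = findings.setdefault(bucket, {"sse_c_writes": 0, "expiration_days": None})
        f["sse_c_writes"] += 1
    for bucket, days in short_expirations(events):
        f = findings.setdefault(bucket, {"sse_c_writes": 0, "expiration_days": None})
        if f["expiration_days"] is None or days < f["expiration_days"]:
            f["expiration_days"] = days
    for f in findings.values():
        both = f["sse_c_writes"] > 0 and f["expiration_days"] is not None
        f["severity"] = "high" if both else "medium"
    return findings


def deny_sse_c_policy(bucket):
    """Bucket policy denying any object write that supplies a customer-provided key.
    The Null condition on the SSE-C algorithm key evaluates to false exactly when
    the header is present, so only SSE-C requests match the Deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(codefinger_findings(SAMPLE_EVENTS), indent=2))
    print(json.dumps(deny_sse_c_policy("finance-backups"), indent=2))
```

Run as-is, the script reports `finance-backups` as high severity (two SSE-C writes plus a 7-day expiration from the same principal) and ignores the KMS-encrypted write to `app-assets`. The deny policy is the preventive control: if no workload legitimately uses SSE-C, applying it removes the technique entirely, and CloudTrail then records the denied attempts.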

Engage Report: SCATTERED SPIDER Ransomware Operations in the Cloud

  1. Compromise a privileged account within the victim tenant (e.g., Global Administrator or Security Administrator).
  2. Establish inbound synchronization from an attacker-controlled tenant to the victim tenant.
  3. Provision malicious accounts within the victim tenant as needed.
  4. Maintain persistence and potentially move laterally across connected tenants.
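The persistence mechanism in steps 2 and 3 depends on a cross-tenant partner configuration that allows inbound user synchronization, so a periodic review of configured partners against an approved list catches it. The Python below is an added example for this page, not code from the report or from Microsoft; the record shapes are assumptions modelled on Microsoft Graph's `crossTenantAccessPolicy` partner objects (`identitySynchronization.userSyncInbound.isSyncAllowed` and `automaticUserConsentSettings.inboundAllowed`), and the partner records, tenant IDs and approved list are constructed.

```python
# Approved partner tenants (constructed; in practice, the subsidiaries or
# vendors whose inbound synchronization has been explicitly authorised).
APPROVED_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

# Constructed partner records; field names are assumptions modelled on the
# Microsoft Graph crossTenantAccessPolicy partner objects.
SAMPLE_PARTNERS = [
    {"tenantId": "11111111-1111-1111-1111-111111111111",
     "displayName": "Contoso Subsidiary",
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
     "automaticUserConsentSettings": {"inboundAllowed": True}},
    {"tenantId": "99999999-9999-9999-9999-999999999999",
     "displayName": None,  # unnamed partner added outside the change process
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
     "automaticUserConsentSettings": {"inboundAllowed": True}},
    {"tenantId": "22222222-2222-2222-2222-222222222222",
     "displayName": "Vendor B2B collaboration only",
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}},
     "automaticUserConsentSettings": {"inboundAllowed": False}},
]


def inbound_sync_allowed(partner):
    """True when the partner tenant may push (synchronize) users into this tenant."""
    return bool(partner.get("identitySynchronization", {})
                       .get("userSyncInbound", {})
                       .get("isSyncAllowed"))


def inbound_consent_allowed(partner):
    """True when users from the partner are accepted without an invitation redemption."""
    return bool(partner.get("automaticUserConsentSettings", {}).get("inboundAllowed"))


def review_partners(partners, approved):
    """Flag partners not on the approved list that can introduce accounts into
    this tenant. Inbound sync is rated high because it provisions accounts
    directly; inbound auto-consent alone is rated medium."""
    findings = []
    for p in partners:
        tid = p.get("tenantId")
        sync = inbound_sync_allowed(p)
        consent = inbound_consent_allowed(p)
        if tid in approved or not (sync or consent):
            continue
        findings.append({
            "tenantId": tid,
            "displayName": p.get("displayName"),
            "inbound_sync": sync,
            "inbound_consent": consent,
            "severity": "high" if sync else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in review_partners(SAMPLE_PARTNERS, APPROVED_PARTNERS):
        print(finding)
```

The review is deliberately allowlist-based: any partner with inbound synchronization that was not approved through change control is a finding, regardless of how plausible its display name looks, since step 2 of the chain is performed from a tenant the attacker controls and names freely. Pair it with alerting on changes to the cross-tenant access policy itself so a newly added partner is seen before the first synchronized account appears.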