Summary: A threat actor known as Codefinger is exploiting compromised AWS keys to encrypt data in S3 buckets, demanding ransom for the decryption keys. This attack leverages AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) without exploiting any vulnerabilities in AWS itself.
Threat Actor: Codefinger
Victim: AWS customers
Key Points:
- The attack relies on stolen AWS credentials to encrypt data, making recovery impossible without the attacker’s AES-256 keys.
- Attackers drop ransom notes and use the S3 Object Lifecycle Management API to threaten file deletion within seven days.
- Organizations can mitigate risks by configuring IAM policies, regularly reviewing permissions, and enabling logging for S3 operations.
- AWS alerts customers of exposed keys and investigates reports to minimize risks.
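As an added example (not code from the article or from AWS), the following Python check runs over constructed CloudTrail-style S3 records and flags the two signals this campaign leaves in logs: object writes that applied SSE-C, and lifecycle rules that expire objects within a short window. The `additionalEventData.SSEApplied` field and the lifecycle request shape are assumptions; verify them against records from your own trail before deploying the check.

```python
import json

# Constructed sample CloudTrail S3 data-event records (not real logs). The access key
# IDs are placeholders; SSEApplied and the LifecycleConfiguration shape are assumptions.
SAMPLE_RECORDS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIA-PLACEHOLDER-1"},
     "requestParameters": {"bucketName": "acme-data", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},          # normal upload
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIA-PLACEHOLDER-2"},
     "requestParameters": {"bucketName": "acme-data", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},           # in-place SSE-C rewrite
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIA-PLACEHOLDER-2"},
     "requestParameters": {"bucketName": "acme-data", "LifecycleConfiguration": {
         "Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}},  # 7-day deletion
]

WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def sse_c_writes(records):
    """Return (accessKeyId, bucket, key) for each object write that applied SSE-C.
    Re-encrypting existing objects with a customer-supplied key is the core of the attack,
    so any SSE-C write from a key that never used SSE-C before deserves a look."""
    hits = []
    for r in records:
        if r.get("eventName") not in WRITE_EVENTS: continue
        if r.get("additionalEventData", {}).get("SSEApplied") != "SSE_C": continue
        p = r.get("requestParameters", {})
        hits.append((r["userIdentity"]["accessKeyId"], p.get("bucketName"), p.get("key")))
    return hits


def short_expirations(records, max_days=30):
    """Return (accessKeyId, bucket, days) for enabled lifecycle rules that expire objects
    within max_days; the seven-day deletion threat in the ransom note is set up this way."""
    hits = []
    for r in records:
        if r.get("eventName") not in LIFECYCLE_EVENTS: continue
        p = r.get("requestParameters", {})
        rules = p.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may be serialised as one object
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((r["userIdentity"]["accessKeyId"], p.get("bucketName"), days))
    return hits


def scan_ndjson(lines):
    """Parse newline-delimited JSON records and return both finding lists."""
    records = [json.loads(line) for line in lines if line.strip()]
    return {"sse_c_writes": sse_c_writes(records), "short_expirations": short_expirations(records)}
```

Both findings here come from the same access key, which is the pattern worth alerting on: the key that re-encrypted objects is also the one that set the deletion timer.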
Source: https://www.securityweek.com/compromised-aws-keys-abused-in-codefinger-ransomware-attacks/