Recent research describes a threat actor tracked as Codefinger that runs ransomware attacks against Amazon Web Services (AWS) customers without deploying any malware of its own: it uses native S3 server-side encryption features to encrypt the contents of victims' buckets with keys the victim does not hold. The campaign is a reminder of how dangerous infostealer malware has become. The AWS credentials it harvests from infected developer and operator machines are what give the attackers their initial access to the cloud environment. Affected: AWS, Telefonica, Schneider Electric
Key points:
- Codefinger uses AWS's own S3 features, not custom ransomware binaries, to carry out its attacks.
- Infostealer malware has become a primary source of initial access to AWS accounts: stolen access keys show up in infostealer logs that are sold or traded.
- Recent breaches at Telefonica and Schneider Electric show the damage that follows once stolen AWS credentials are used.
- Credential harvesting by infostealers is feeding a rise in cloud ransomware.
- With valid credentials, attackers can re-encrypt S3 objects using AWS-native server-side encryption with attacker-supplied keys (SSE-C), leaving the victim locked out until a ransom is paid.
MITRE Techniques:
- T1078 – Valid Accounts: initial access is gained with AWS access keys stolen by infostealers; no vulnerability is exploited because the credentials are legitimate.
- T1486 – Data Encrypted for Impact: objects in S3 buckets are re-encrypted using AWS-native server-side encryption with keys supplied by the attacker.
- T1071 – Application Layer Protocol: every step runs over the normal AWS API (HTTPS), so data exfiltration and the placement of ransom demands blend in with legitimate traffic.
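The two behaviours mapped above, a stolen key used from somewhere new (T1078) and a burst of S3 writes that re-encrypt objects with a customer-provided key (T1486), can be detected from CloudTrail S3 data events. The following is an added example written for this page; it is not code from the cited research or from AWS. The CloudTrail records, the access key IDs, the IP addresses and the baseline are constructed, and the assumption that the encryption mode appears in `additionalEventData.SSEApplied` as `"SSE_C"` should be checked against your own logs.

```python
"""Detection logic for the two behaviours this summary maps to T1078 and
T1486: an AWS access key used from an unfamiliar source IP, then a burst of
S3 writes that re-encrypt objects with a customer-provided key (SSE-C).
Added example for this page; it is not code from the cited research."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, not real telemetry. Assumption: S3 data
# events report the encryption mode in additionalEventData.SSEApplied, with
# "SSE_C" meaning a customer-provided key; check the field against your own
# logs before deploying.
SAMPLE_EVENTS = """\
{"eventTime":"2025-01-10T09:00:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":null}
{"eventTime":"2025-01-10T09:01:00Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":null}
{"eventTime":"2025-01-10T09:02:00Z","eventName":"CopyObject","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":{"bucketName":"victim-data","key":"reports/q1.xlsx"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T09:02:10Z","eventName":"CopyObject","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":{"bucketName":"victim-data","key":"reports/q2.xlsx"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T09:02:20Z","eventName":"CopyObject","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":{"bucketName":"victim-data","key":"reports/q3.xlsx"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T09:02:30Z","eventName":"CopyObject","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":{"bucketName":"victim-data","key":"reports/q4.xlsx"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T09:02:40Z","eventName":"PutObject","sourceIPAddress":"198.51.100.77","userIdentity":{"accessKeyId":"AKIAEXAMPLE1"},"requestParameters":{"bucketName":"victim-data","key":"backups/db.sql"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T09:10:00Z","eventName":"PutObject","sourceIPAddress":"203.0.113.20","userIdentity":{"accessKeyId":"AKIAEXAMPLE2"},"requestParameters":{"bucketName":"app-uploads","key":"img/1.png"},"additionalEventData":{"SSEApplied":"SSE_KMS"}}
{"eventTime":"2025-01-10T09:11:00Z","eventName":"PutObject","sourceIPAddress":"203.0.113.20","userIdentity":{"accessKeyId":"AKIAEXAMPLE2"},"requestParameters":{"bucketName":"app-uploads","key":"img/2.png"},"additionalEventData":{"SSEApplied":"SSE_C"}}
"""

# Constructed baseline: source IPs each access key has legitimately used before.
BASELINE_IPS = {"AKIAEXAMPLE1": {"203.0.113.10"}, "AKIAEXAMPLE2": {"203.0.113.20"}}
S3_WRITE_EVENTS = {"PutObject", "CopyObject"}


def parse_events(jsonl: str) -> list:
    """Parse newline-delimited CloudTrail records, attaching a parsed timestamp."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_unfamiliar_ips(events, baseline) -> list:
    """T1078: flag the first use of each access key from an IP outside its baseline."""
    findings, seen = [], set()
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        ip = e["sourceIPAddress"]
        if key and ip not in baseline.get(key, set()) and (key, ip) not in seen:
            seen.add((key, ip))
            findings.append({"technique": "T1078", "accessKeyId": key,
                             "sourceIPAddress": ip, "firstSeen": e["eventTime"]})
    return findings


def detect_ssec_bursts(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """T1486: flag one access key writing >= threshold SSE-C encrypted objects
    to one bucket inside a sliding time window. A single SSE-C write stays
    below the threshold, so a legitimate one-off upload does not alert."""
    groups = defaultdict(list)
    for e in events:
        if e["eventName"] not in S3_WRITE_EVENTS:
            continue
        if (e.get("additionalEventData") or {}).get("SSEApplied") != "SSE_C":
            continue
        key = e["userIdentity"].get("accessKeyId")
        bucket = (e.get("requestParameters") or {}).get("bucketName")
        groups[(key, bucket)].append(e["_time"])
    findings = []
    for (key, bucket), times in groups.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"technique": "T1486", "accessKeyId": key,
                                 "bucket": bucket, "ssecWrites": len(times),
                                 "firstWrite": times[0].isoformat()})
                break
    return findings


def analyse(jsonl: str, baseline) -> dict:
    """Run both detections over one batch of records."""
    events = parse_events(jsonl)
    return {"unfamiliar_ips": detect_unfamiliar_ips(events, baseline),
            "ssec_bursts": detect_ssec_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EVENTS, BASELINE_IPS), indent=2))
```

On the sample data the script raises one T1078 finding (AKIAEXAMPLE1 first seen from 198.51.100.77) and one T1486 finding (five SSE-C writes to victim-data within 40 seconds), while the single SSE-C upload by AKIAEXAMPLE2 stays under the threshold. Two practical caveats: S3 object-level data events are not recorded by CloudTrail unless you enable them for the bucket or trail, and detection is the fallback; where a bucket has no business need for customer-provided keys, a bucket policy that denies PutObject and CopyObject when the `s3:x-amz-server-side-encryption-customer-algorithm` condition key is present removes the technique outright.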
Indicators of Compromise:
- [domain] halcyon.com (site of the researchers who documented Codefinger; not an attacker indicator)
- [url] www.hudsonrock.com/free-tools (researcher tooling for checking infostealer exposure; not an attacker indicator)
- [email] info@hudsonrock.com (researcher contact address; not an attacker indicator)
- [others ioc] Infostealer malware (credential logs containing AWS access keys)
- Check the article for all found IoCs.
Full Research: https://www.infostealers.com/article/infostealer-logs-to-fuel-a-new-wave-of-aws-ransomware-attacks/