014. Encrypting S3 Buckets Abusing Native AWS Services
Hello everyone! Let's talk a bit about the cloud. Yes, such services are also affected by ransomware. For example, this report by Halcyon demonstrates how adversaries abuse native AWS services to encrypt S3 buckets.
The threat actor named Codefinger leveraged compromised AWS keys to start the encryption process by setting the x-amz-server-side-encryption-customer-algorithm header, i.e. server-side encryption with a customer-provided key (SSE-C). As only an HMAC (hash-based message authentication code) of the key is logged in AWS CloudTrail, it's impossible to recover the key and decrypt the data.
The adversary also abused the S3 Object Lifecycle Management API to mark files for deletion within 7 days.
This case once again shows the importance of reviewing and monitoring AWS keys as well as implementing advanced logging capabilities in order to detect unusual activity.
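As an added illustration of that monitoring point (my own example, not code from the post or from Halcyon's report), here is a small triage routine run over constructed CloudTrail-style S3 data events: it flags object writes that carry the SSE-C header and lifecycle rules with a short expiration. The field names (`requestParameters`, `additionalEventData.SSEApplied`, `LifecycleConfiguration.Rule`) follow the CloudTrail schema as I know it and are assumptions to check against your own logs; the 30-day threshold is an invented policy value.

```python
# Constructed sample events (not real logs); field layout assumed to match CloudTrail S3 data events.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-10.dump",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-09.dump",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"bucketName": "corp-backups",
                           "LifecycleConfiguration": {"Rule": [{"Status": "Enabled",
                                                                 "Expiration": {"Days": 7}}]}}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"},
     "requestParameters": {"bucketName": "corp-backups", "key": "logs/app.log",
                           "x-amz-server-side-encryption": "aws:kms"}},  # benign SSE-KMS write
]

SHORT_EXPIRY_DAYS = 30  # assumed policy: any enabled expiration shorter than this is suspicious


def uses_sse_c(event):
    """True when a write used a customer-provided key (key is never recoverable from the log)."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return (params.get("x-amz-server-side-encryption-customer-algorithm") is not None
            or extra.get("SSEApplied") == "SSE_C")


def short_expiry_rules(event):
    """Return enabled lifecycle rules whose Expiration.Days is below the threshold."""
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or []
    if isinstance(rules, dict):  # a single rule may be serialised as an object, not a list
        rules = [rules]
    return [r for r in rules
            if r.get("Status") == "Enabled"
            and (r.get("Expiration") or {}).get("Days", 10**9) < SHORT_EXPIRY_DAYS]


def triage(events):
    """Return (finding, accessKeyId, bucket) tuples for the two behaviours described above."""
    findings = []
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId", "?")
        bucket = (ev.get("requestParameters") or {}).get("bucketName", "?")
        if ev.get("eventName") in ("PutObject", "CopyObject") and uses_sse_c(ev):
            findings.append(("SSE-C write", key, bucket))
        elif ev.get("eventName") in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            for rule in short_expiry_rules(ev):
                findings.append((f"lifecycle expiry {rule['Expiration']['Days']}d", key, bucket))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Both findings here come from the same access key against the same bucket, which is the combination worth alerting on; SSE-C and lifecycle data events are only available if S3 data-event logging is enabled for the bucket.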
See you tomorrow!