Amazon encryption used to steal files in new hacker attack

Halcyon’s research and intelligence team reports new ransomware that is “impossible” to decrypt. The campaign targets Amazon Web Services customers.

Unlike common ransomware that encrypts files locally or in transit, the new attack leverages AWS encryption infrastructure (SSE-C) to lock data with AES-256 symmetric keys. In this way it becomes impossible (or very difficult) to decrypt the content without the attacker’s keyResearchers explained.

HE new campaign does not exploit any AWS vulnerabilitieshowever, victims can access their accounts through weak or previously exposed credentials.

“This is a good example of how reusing passwords, easy-to-access keywords, or lack of two-factor authentication will set the administrator back,” said Darren James, senior product manager at Specops Software. Forbes.

New ransomware attack, according to researchers Known as Codefinger. First report A meeting of Halcyon researchers took place on Monday (13).

“If spread rapidly, ransomware could pose a systemic threat to organizations using AWS S3 to store critical data,” the researchers said.

Codefinger attack flow

Halcyon’s attack flow goes like this:

1. Publicly or previously exposed AWS keys are identified;
2. Files are encrypted using SSE-C with a locally generated and stored AES-256 encryption key;
3. File deletion policies are typically defined for 7 days using S3 Object Lifecycle Management;
4. Adds a note to each affected directory stating that changes to permissions or files caused negotiations to end.

Amazon’s description

in contact with ForbesAn Amazon spokesperson notes that the company “helps consumers keep their cloud resources safe based on a shared responsibility model”; Company warns if access keys are compromised in any way.

In addition, the company also He promises to investigate all reports of exposed keys and take necessary actions quickly. “We encourage all consumers to follow security, identification and compliance best practices.”