
Security Alert: Codefinger Ransomware Attacks Target Amazon S3 Users


A new ransomware campaign targeting Amazon Simple Storage Service (Amazon S3) users has been identified. In the campaign, dubbed Codefinger, attackers use compromised AWS credentials to access the victim’s data in Amazon S3 and encrypt it with AWS server-side encryption with customer-provided keys (AWS SSE-C). Cloud Storage Security’s (CSS’s) threat laboratory, Casmer Labs, responded quickly and conducted extensive research covering the attack method, identifying possible victims, and comparing Codefinger attacks to other ransomware tactics. Casmer Labs concluded that these attacks are especially dangerous because, once encryption has completed, the data cannot be recovered without the attacker’s disclosure of the encryption key, which would theoretically be provided after the ransom has been paid.

How Codefinger Ransomware Attacks Work

Research from credible sources around the world, including Casmer Labs, has discovered and confirmed that:

  1. Attackers obtain AWS credentials in a number of ways. Some examples are:
    a. Reused passwords obtained from other data breaches
    b. Credentials hardcoded in source code that is committed to a public repository
    c. Brute forcing or otherwise guessing passwords
  2. Once the AWS credentials are obtained, the attacker locates AWS keys with permissions to execute s3:GetObject and s3:PutObject.
  3. The attacker encrypts the files using AWS SSE-C.
  4. The attacker sets an S3 Lifecycle policy that schedules the encrypted files for deletion within seven days.
  5. The attacker leaves ransom notes in affected buckets, usually consisting of a bitcoin address, a client ID, and text stating that the ransom must be paid within 7 days and that negotiations will cease if permissions are changed.

Watch now: Codefinger: A Ransomware Threat from Within

In this session from Cloud Storage Security’s threat laboratory, Casmer Labs, learn how Codefinger works, including a simulation of the steps an attacker could take, and how to protect against it.

AWS is architected to be the most secure cloud platform in the world. However, unlike traditional ransomware, which encrypts files locally or in transit, this new approach turns AWS infrastructure itself against the victim.

Any time AWS becomes aware of exposed keys or credentials, it notifies the affected customers, thoroughly investigates all reports, and remediates, if necessary, without disrupting the customers’ environment. However, in line with the AWS Shared Responsibility Model, customers are ultimately responsible for securing their data by eliminating exposed credentials, ensuring AWS Identity and Access Management (IAM) roles and policies are properly configured, and following various other security, identity, and compliance best practices. With proper configuration and general security practices implemented by the customer, these attacks could have been prevented.

Consequences of Codefinger

  1. Data is permanently lost without payment: The use of SSE-C ensures that data recovery is next to impossible without the attacker’s key. Even if backups exist, it’s likely that they have been compromised as well.
  2. Financial and operational impact: A ransom payment contributes to direct financial loss. Business operations dependent on the encrypted data face disruption, leading to service downtime, pipeline disruption, and revenue loss.
  3. Erosion of customer trust: Any ransomware incident results in reputational damage that may make current or prospective customers more likely to choose another product or service.

Recommendations to Protect your Business

Prevention Measures

  • Regularly rotate credentials and enforce a strong password policy, including multi-factor authentication (MFA)
  • Implement strict IAM controls according to the principle of least privilege to ensure AWS users have access to only the permissions they need
  • Use temporary security credentials such as IAM roles instead of creating long-term credentials like access keys


Detection Methods

  • Monitor AWS CloudTrail logs for unusual activity like the creation of SSE-C encrypted objects or changes to lifecycle policies
  • Use anomaly detection tools to flag abnormal account access and regularly audit AWS accounts
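As an added illustration of the first detection bullet (example code, not from Cloud Storage Security or Casmer Labs), the following Python flags the two CloudTrail signals named above over constructed sample records. It assumes that SSE-C writes carry the `x-amz-server-side-encryption-customer-algorithm` field in `requestParameters` of S3 data events, that lifecycle changes are logged under the event name `PutBucketLifecycle`, and that the access key IDs and bucket name are made up.

```python
# Constructed sample CloudTrail records (not real logs), trimmed to the fields
# this detector inspects: two S3 PutObject data events and one lifecycle change.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.xlsx",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"},
     "requestParameters": {"bucketName": "finance-reports", "key": "logo.png",
                           "x-amz-server-side-encryption": "AES256"}},  # SSE-S3, benign
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "finance-reports",
                           "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 7}}}}},
]

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed field name
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}  # assumed names

def is_ssec_write(event):
    """True when an object write used a customer-provided key (SSE-C)."""
    if event.get("eventName") not in {"PutObject", "CopyObject"}:
        return False
    return SSEC_HEADER in (event.get("requestParameters") or {})

def is_lifecycle_change(event):
    """True when a bucket lifecycle configuration was created or replaced."""
    return event.get("eventName") in LIFECYCLE_EVENTS

def find_codefinger_indicators(events):
    """Return (eventName, bucket, accessKeyId, reason) for each suspicious record."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "?")
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "?")
        if is_ssec_write(ev):
            findings.append((ev["eventName"], bucket, key_id, "SSE-C write"))
        elif is_lifecycle_change(ev):
            findings.append((ev["eventName"], bucket, key_id, "lifecycle change"))
    return findings

def keys_doing_both(findings):
    """Access keys seen both writing SSE-C objects and changing a lifecycle policy,
    the combination described above and a stronger signal than either alone."""
    reasons = {}
    for _, _, key_id, reason in findings:
        reasons.setdefault(key_id, set()).add(reason)
    return sorted(k for k, r in reasons.items() if len(r) == 2)
```

Feed it the records from a CloudTrail log delivery (each file's `Records` list) and alert on any key returned by `keys_doing_both`, which is the pattern of steps 3 and 4 in the attack description.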


Recovery

  • Maintain offline backups
  • Include storage-volume ransomware scenarios in your incident response planning


Education

  • Train teams on secure coding practices to avoid hardcoded credentials 
  • Educate employees on phishing and credential compromise tactics


Implementing the above practices, in addition to using tools such as Antivirus for Amazon S3 from CSS, can help ensure the security of your storage volumes and the objects stored within them.

About Cloud Storage Security

Cloud Storage Security (CSS) is dedicated to protecting storage in the cloud. Our robust malware detection solution is designed to secure the entirety of an organization’s cloud storage suite, preventing cybersecurity incidents, including ransomware events, in downstream environments. Contact a subject matter expert today for help in preventing Codefinger (or its imitators) from compromising your data stores. 
