A new ransomware threat, known as Codefinger, is targeting users of AWS S3 Buckets.
Ransomware attacks are always serious, but this new form of ransomware leaves no way to recover the data without payment once it has been encrypted. This puts organizations in a lose-lose situation and highlights the growing sophistication of ransomware attacks.
Continue reading to learn more about the attack and how your organization can prevent it.
What is this new ransomware?
Each object in an S3 bucket has a unique key (name) that identifies it.
Codefinger’s attack leverages AWS’ Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data and demand payment for the Advanced Encryption Standard (AES-256) keys needed to decrypt the data.
Once data has been encrypted this way, there is no way to recover it without payment. Data encrypted with AES-256 is virtually impossible to decrypt without the correct key, so organizations are left with two options: pay the ransom or lose access to critical data.
It’s important to note that this attack does not exploit any AWS vulnerability; it relies on an unauthorized user obtaining an AWS customer’s account credentials.
How does this attack work?
- Using either publicly disclosed or compromised AWS keys, the threat actor identifies keys that have permission to execute ‘s3:GetObject’ and ‘s3:PutObject’ requests.
- Files are then re-encrypted with SSE-C using an AES-256 key that the attacker generates on the fly and that is required to decrypt the files. This key is never stored in the cloud, so there is no way for even AWS to recover it.
- The threat actor then sets lifecycle policies for file deletion, taking advantage of the S3 Object Lifecycle Management interface to add urgency to the demand.
- A ransom note is deposited into each affected directory, warning that changes to account permissions or the affected files will end any negotiations.
How can you prevent this threat?
The most important steps to protect your AWS environment and minimize your risk of data loss are:
- implementing short-term credentials
- monitoring AWS resources
- using S3 Object Lock for critical information
- blocking the use of SSE-C unless an application requires it
- using specific KMS keys or SSE-S3 keys
- versioning and backing up your critical S3 data
- monitoring identities when data is accessed
Taking these steps helps mitigate the risk of your AWS environment being compromised.
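The monitoring step above can be made concrete by correlating two of the attack's observable actions in S3 data events: object writes that CloudTrail records with SSEApplied set to SSE_C, followed shortly by a lifecycle change on the same bucket by the same principal. The following detector is an added example, not code from the original post or from Varonis; the event records are constructed, with field names modelled on the CloudTrail S3 data-event format (bucket, principal and timestamps are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style S3 events. Field names follow the CloudTrail
# record format; the account, principal, bucket, keys and times are made up.
PRINCIPAL = "arn:aws:iam::111122223333:user/app-uploader"
BUCKET = "example-finance-bucket"
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T09:00:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},          # normal write
    {"eventTime": "2025-01-10T09:05:00Z", "eventName": "CopyObject",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q4.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},            # re-encrypt in place
    {"eventTime": "2025-01-10T09:06:00Z", "eventName": "CopyObject",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q3.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T09:10:00Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": BUCKET}},                # deletion timer
]

def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_sse_c_ransomware(events, window=timedelta(minutes=30)):
    """One finding per (principal, bucket) that writes objects with SSE-C.
    Severity is raised to 'high' when that principal also changes the bucket
    lifecycle within `window` after an SSE-C write."""
    ssec_writes = defaultdict(list)      # (principal, bucket) -> write times
    lifecycle_changes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = (ev["userIdentity"]["arn"], ev["requestParameters"]["bucketName"])
        t = _parse_time(ev["eventTime"])
        sse = ev.get("additionalEventData", {}).get("SSEApplied")
        if ev["eventName"] in ("PutObject", "CopyObject") and sse == "SSE_C":
            ssec_writes[key].append(t)
        elif ev["eventName"] in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            lifecycle_changes[key].append(t)
    findings = []
    for (principal, bucket), writes in ssec_writes.items():
        followed_by_lifecycle = any(timedelta(0) <= lc - w <= window
                                    for lc in lifecycle_changes.get((principal, bucket), [])
                                    for w in writes)
        findings.append({"principal": principal, "bucket": bucket, "ssec_writes": len(writes),
                         "severity": "high" if followed_by_lifecycle else "medium"})
    return findings
```

In an environment where no application legitimately uses SSE-C, any finding at all is worth an alert; the lifecycle correlation only orders the queue.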
How Varonis helps with automated remediations for AWS
Varonis’ DSPM capabilities automatically find and fix critical AWS issues that can lead to ransomware attacks and data breaches. Varonis automates remediation actions such as fixing missing password policies, enforcing S3 object ownership, removing stale users and roles, and deleting inactive access keys.
Automatically block public access to S3 buckets
AWS gives organizations the flexibility and power to create and proliferate cloud data workloads fast. However, with complicated access policies and complex configurations, it can be easy for critical risks and misconfigurations to go unnoticed. With Varonis for AWS, security teams can automatically discover and classify sensitive data and workloads, fix misconfigurations, enforce least privilege, and detect threats.
Remove stale users, roles, and access keys
Even in the case of a ransomware attack, the first step for attackers is most often to compromise an identity, using tried-and-true techniques like phishing and password spraying to gain access. Once they have credentials, they have access to your data. Because identity is often the weak link, the first step is to unravel permissions structures and ensure that only the right people can access important files, folders, and mailboxes. Varonis maintains a complete inventory of users, roles, and access keys in your AWS environment and identifies stale users, inactive accounts, and abnormal behavior that indicates an attack, like unexpected privilege escalation. This granular control helps close offboarding gaps, identify identity-related threats, and quickly reduce your blast radius.
Try Varonis for AWS for free
Available on the AWS Marketplace, the Varonis Data Security Platform helps security teams continuously monitor and improve their data security posture in real time.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.