Ongoing Campaign Targeting Amazon Web Services S3 Buckets

Overview of the Ransomware Campaign

There are reports of a ransomware campaign that targets Amazon Web Services (AWS) S3 bucket functionality by abusing their versioning and encryption features. By compromising identity and access management (IAM) credentials or exploiting overly permissive IAM roles, attackers gain unauthorised access and render the original data inaccessible unless a ransom is paid or S3 versioning was enabled (allowing data restoration by the victim). This approach leverages the widespread use of AWS in enterprise environments, making recovery efforts more complex and amplifying the impact of weak security configurations.

How Attackers Gain Access

Initial access is typically gained through compromised IAM credentials or overly permissive IAM roles. Attackers may use phishing emails, social engineering, or exploiting misconfigured permissions to obtain the necessary access to AWS environments. Once access is established, they manipulate native AWS features to carry out the attack.

Impact of the Attack

Organisations affected by this ransomware campaign face severe operational disruptions due to encrypted and inaccessible data stored in S3 buckets. The financial impact includes potential ransom payments, extended recovery times, and reputational damage. The reliance on cloud storage magnifies the impact of a successful attack, particularly for entities without alternative backup strategies.

Steps to Protect Your Systems

1. Review and Strengthen IAM Policies:

   • Enforce the principle of least privilege to limit access rights.

   • Regularly audit IAM permissions and revoke excessive privileges.

2. Enable Multi-Factor Authentication (MFA):

   • Enforce MFA for all user and root accounts to enhance security.

3. Monitor AWS Environments:

   • Use AWS CloudTrail to log and monitor all account activity.

   • Activate AWS GuardDuty to detect suspicious behaviour and potential threats.

4. Ensure Data Backup and Recovery:

   • Maintain regular, immutable backups of critical S3 data. You can create immutable backups using S3 Object Lock to protect objects from being deleted or overwritten for a specified time or indefinitely.

   • Enabling S3 versioning allows you to keep multiple versions of an object within an S3 bucket, effectively acting as a backup mechanism by enabling you to recover data if it is accidentally deleted or overwritten.

   • Periodically test recovery procedures to ensure readiness.

5. Restrict Access to S3 Buckets:

   • Configure restrictive bucket policies to limit access.

   • Enforce encryption for all stored data.

6. Restrict SSE-C Usage:

   • Attackers can exploit Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects with their own keys, locking out victims.

For details on resolving potential account compromises, refer to AWS Knowledge Center at https://repost.aws/knowledge-center/potential-account-compromise and Halcyon AI Blog at https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

Stay Vigilant

Ransomware tactics are rapidly evolving, with cloud infrastructures being targeted more frequently. Thus, it is important to strengthen your organisation’s cloud security posture and ensure robust incident response capabilities.

More information is available here:

https://aws.amazon.com/s3/features/object-lock/

https://repost.aws/knowledge-center/potential-account-compromise

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2021-009