'Codefinger' crims on the hunt for compromised keys
A new ransomware crew dubbed Codefinger targets AWS S3 buckets and uses the cloud giant's own server-side encryption with customer provided keys to lock up victims' data before demanding a ransom payment for the symmetric AES-256 keys required to decrypt it.
Halcyon threat hunters say they first spotted this criminal gang in December, and in recent weeks observed two such ransomware attacks against their customers, both of whom were AWS native software developers. Codefinger breaks into victim orgs' cloud storage buckets using publicly exposed or compromised AWS keys with write and read permissions to execute","this is the first instance we know of leveraging AWS's native secure encryption infrastructure via SSE-C in the wild," Tim West, VP of services with the Halcyon RISE Team, told"Historically AWS Identity IAM keys are leaked and used for data theft but if this approach gains widespread adoption, it could represent a significant systemic risk to organizations relying on AWS S3 for the storage of critical data," he warned." header and use a locally stored AES-256 encryption key they generate to lock up the victims' files. Because AWS processes the key during encryption but does not store it, the victim cannot decrypt their data without the attacker-generated key. Plus, in addition to encrypting the data, Codefinder marks the compromised files for deletion within seven days using the S3 Object Lifecycle Management API — the criminals themselves do not threaten to leak or sell the data, we're told. "This is unique in that most ransomware operators and affiliate attackers do not engage in straight up data destruction as part of a double extortion scheme or to otherwise put pressure on the victim to pay the ransom demand," West said."Data destruction represents an additional risk to targeted organizations."Codefinger also leaves a ransom note in each affected directory that includes the attacker's Bitcoin address and a client ID associated with the encrypted data."The note warns that changes to account permissions or files will end negotiations," the Halcyon researchers said in aWhile West declined to name or provide any additional details about the two Codefinger victims – including if they paid the ransom demands – he suggests that AWS customers restrict the use of SSE-C. "This can be achieved by leveraging the Condition element in IAM policies to prevent unauthorized applications of SSE-C on S3 buckets, ensuring that only approved data and users can utilize this feature," he explained."Permissions should be reviewed frequently to confirm they align with the principle of least privilege, while unused keys should be disabled, and active ones rotated regularly to minimize exposure," West said.that anytime the cloud giant is aware of exposed keys, it notifies the affected customers and"quickly takes any necessary actions, such as applyingabout what to do upon noticing unauthorized activity, and encouraged customers to follow best practices related to security, identify, and compliance – especially as they related to the cloud-security "AWS provides a rich set of capabilities that eliminate the need to ever store credentials in source code or in configuration files," the spokesperson told us."IAM Roles enable applications to securely make signed API requests from EC2 instances, ECS or EKS containers, or Lambda functions using short-term credentials that are automatically deployed, frequently rotated, requiring zero customer management." These capabilities also include allowing compute nodes outside of AWS to make authenticated calls without long-term AWS credentials using the Roles Anywhere feature. Plus, developer workstations that use AWS Identity Center can obtain short-term credentials that are protected by multi-factor authentication tokens. "All these technologies rely on the AWS Security Token Service to issue temporary security credentials that can control access to their AWS resources without distributing or embedding long-term AWS security credentials within an application, whether in code or configuration files," the spokesperson said. ®Chinese cyber-spies peek over shoulder of officials probing real-estate deals near American military bases
United Kingdom Latest News, United Kingdom Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibilityBut can you really take crims at their word?
Read more »
AWS Offers Instances Based on Single HPE ServerAmazon Web Services (AWS) announced a new instance type based on a single Hewlett Packard Enterprise (HPE) server, the Compute Scale-up Server 3200. This offering is aimed at customers running SAP workloads and looking to migrate to the cloud while maintaining their use of HPE hardware.
Read more »
LockBit Ransomware Developer Arrested in IsraelRostislav Panev, a suspected LockBit ransomware developer, is detained in Israel and faces extradition to the United States. He is accused of participating in a global ransomware operation that extorted over $500 million from victims.
Read more »
RansomHub: The Rising Threat in Ransomware AttacksRansomHub, a relatively new ransomware collective, has quickly gained prominence for its aggressive tactics and high-profile victims. The group's success can be attributed to its generous affiliate program and its ability to exploit vulnerabilities across diverse industries.
Read more »
Atos Denies Direct Breach by Space Bears Ransomware GroupFrench tech giant Atos claims it wasn't directly breached by ransomware group Space Bears, but acknowledges that third-party infrastructure linked to Atos was compromised, containing data mentioning the company name.
Read more »
AWS Tackles AI 'Hallucinations' with Automated ReasoningAmazon Web Services (AWS) is introducing Amazon Bedrock Automated Reasoning checks to address the issue of AI 'hallucinations,' where AI models generate plausible but inaccurate responses. This new technology aims to prevent factual errors by verifying the accuracy of statements made by AI models.
Read more »