At a glance.
- Ransomware campaign abuses AWS encryption service to encrypt S3 buckets.
- Spain's largest telecommunications company confirms data breach.
- Microsoft restores services following MFA outage.
Ransomware campaign abuses AWS encryption service to encrypt S3 buckets.
Researchers at Halcyon warn that a new ransomware campaign is abusing AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attacks don't exploit any AWS vulnerabilities; the threat actors simply use stolen or publicly disclosed AWS keys with permission to write and read S3 objects. The attackers then generate a local encryption key and encrypt the victim's data. Halcyon notes, "AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis." In the cases observed by Halcyon, the attackers mark the encrypted files for deletion in seven days and place a ransom note with a Bitcoin address in the affected directory.
AWS provided the following statement in response to Halcyon's findings: "AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post."
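Because the key itself never reaches CloudTrail, defenders have to spot the SSE-C writes rather than recover the key. The sketch below is an added example, not code from Halcyon or AWS. It counts successful SSE-C object writes per principal and bucket over constructed log lines. The CloudTrail field names, the account ID and the principal names are assumptions.

```python
import json
from collections import Counter

# Assumed CloudTrail S3 data-event fields: the SSE-C request header in
# requestParameters, or additionalEventData.SSEApplied == "SSE_C".
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
ACCT = "arn:aws:iam::111122223333"  # constructed account ID
S3 = '{"eventSource":"s3.amazonaws.com",'

# Constructed sample log lines, one JSON event per line (not real logs).
SAMPLE_EVENTS = [
    S3 + '"eventName":"PutObject","userIdentity":{"arn":"%s:user/ci-deploy"},'
    '"requestParameters":{"bucketName":"example-bucket","%s":"AES256"}}' % (ACCT, SSEC_HEADER),
    S3 + '"eventName":"CopyObject","userIdentity":{"arn":"%s:user/ci-deploy"},'
    '"requestParameters":{"bucketName":"example-bucket"},'
    '"additionalEventData":{"SSEApplied":"SSE_C"}}' % ACCT,
    S3 + '"eventName":"PutObject","userIdentity":{"arn":"%s:role/app"},'
    '"requestParameters":{"bucketName":"example-bucket"},'
    '"additionalEventData":{"SSEApplied":"Default_SSE_S3"}}' % ACCT,
    S3 + '"eventName":"GetObject","userIdentity":{"arn":"%s:role/app"},'
    '"requestParameters":{"bucketName":"example-bucket","%s":"AES256"}}' % (ACCT, SSEC_HEADER),
    S3 + '"eventName":"PutObject","errorCode":"AccessDenied",'
    '"userIdentity":{"arn":"%s:user/other"},'
    '"requestParameters":{"bucketName":"example-bucket","%s":"AES256"}}' % (ACCT, SSEC_HEADER),
    'truncated line {',
]

def uses_ssec(event):
    """True if the request supplied a customer-provided key (SSE-C)."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"

def ssec_writes(lines):
    """Count successful SSE-C object writes per (principal ARN, bucket)."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or truncated lines
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("errorCode"):
            continue  # not S3, or the request failed and wrote nothing
        if ev.get("eventName") in WRITE_EVENTS and uses_ssec(ev):
            arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
            bucket = (ev.get("requestParameters") or {}).get("bucketName", "unknown")
            counts[(arn, bucket)] += 1
    return counts

def alerts(lines, threshold=2):
    """Principal/bucket pairs with at least `threshold` SSE-C writes."""
    return sorted(k for k, n in ssec_writes(lines).items() if n >= threshold)
```

In an environment that never uses SSE-C legitimately, a threshold of 1 is reasonable, since any such write is unexpected.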