A newly emerged threat operation, Codefinger, has since December attacked a pair of AWS-native software developers, encrypting their Amazon Web Services S3 bucket data through server-side encryption with customer-provided keys (SSE-C), reports The Record, a news site owned by cybersecurity firm Recorded Future.
After obtaining AWS account credentials, Codefinger encrypts the data with encryption keys it holds, removes the targeted organizations' access to the accounts, and demands payment for the keys, according to an analysis from Halcyon researchers, who noted that paying the ransom is the only way to recover the data following the intrusion. "By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation. While SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware operators," said researchers. AWS said it immediately notifies customers whose keys have been exposed and has urged them to review the reported exposures and apply quarantine policies.
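Because the technique relies on legitimate SSE-C write requests made with stolen credentials, a defender's first detection is a burst of SSE-C writes from one access key in S3 data-event logs. The following is an added example, not code from the article, Halcyon or AWS; it runs over constructed CloudTrail-style events and assumes CloudTrail's `additionalEventData.SSEApplied` field records `SSE_C` for such requests.

```python
from collections import Counter

# Constructed sample CloudTrail S3 data events (not from the article). Field names
# follow CloudTrail's S3 data-event schema as assumed here: the encryption actually
# applied is recorded in additionalEventData.SSEApplied, with SSE-C shown as "SSE_C".
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"},
     "requestParameters": {"bucketName": "finance-exports", "key": "q4/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:15:09Z", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"},
     "requestParameters": {"bucketName": "finance-exports", "key": "q4/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:15:11Z", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"},
     "requestParameters": {"bucketName": "finance-exports", "key": "q4/payroll.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:15:13Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"},
     "requestParameters": {"bucketName": "finance-exports", "key": "README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

# Operations that write or rewrite object content in place; reads (GetObject) of
# an SSE-C object are deliberately excluded from the signal.
WRITE_OPS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

def is_ssec_write(event):
    """True when the event wrote an object under customer-provided keys."""
    sse = event.get("additionalEventData", {}).get("SSEApplied")
    return event.get("eventName") in WRITE_OPS and sse == "SSE_C"

def find_ssec_writes(events):
    return [e for e in events if is_ssec_write(e)]

def ssec_writes_per_key(events):
    """Count SSE-C writes per access key. A key that starts rewriting objects
    under SSE-C in bulk is the one to investigate and quarantine first."""
    return Counter(e["userIdentity"]["accessKeyId"] for e in find_ssec_writes(events))

def alerting_keys(events, threshold=2):
    """Access keys whose SSE-C write count reaches the alert threshold."""
    return sorted(k for k, n in ssec_writes_per_key(events).items() if n >= threshold)

if __name__ == "__main__":
    print(alerting_keys(SAMPLE_EVENTS))
```

In a real deployment the same predicate would run over the CloudTrail data-event stream, with the threshold tuned to a baseline of how often the environment legitimately uses SSE-C at all.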