‘Codefinger’ hackers encrypting Amazon cloud storage buckets


Cybercriminals have begun to encrypt data held in Amazon storage tools used by thousands of organizations around the globe. 

Researchers with the cybersecurity firm Halcyon documented a recent trend of hackers going after Amazon Web Services’ cloud storage products known as S3 buckets and using the company’s own encryption tools to lock customers out of their data. 

Halcyon has observed two such incidents since the beginning of December. The researchers dubbed the group behind the attack “Codefinger.” 

“As they have only been observed in the two attacks noted in this report, Halcyon does not currently have any further intelligence on them, their origin, where they operate, or who they typically target,” a spokesperson told Recorded Future News. “Both victims were AWS native software developers.” 

The attacks leverage Amazon Web Services’ server-side encryption with customer-provided keys (SSE-C) to encrypt customer data. 

The hackers steal a customer’s AWS account credentials, obtain encryption keys and then lock customers out, demanding a ransom payment in exchange for the keys. 

Halcyon said that because there is no known method to recover the data without paying the ransom the tactic “represents a significant evolution in ransomware capabilities.”

The hackers pressure victims into paying ransoms by marking files for deletion within seven days. Ransom notes included details on how victims can pay and threatened people against attempting to alter the permissions of their AWS accounts. 
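The pattern described above leaves a trail in CloudTrail S3 data events: object writes where S3 reports that a customer-provided key was applied, followed by a bucket lifecycle rule that expires objects within a few days. The detector below is an added example and is not code from the article or from Halcyon or AWS. It runs over constructed, CloudTrail-style JSON lines embedded inline; the field names it relies on (`eventName`, `userIdentity.arn`, `requestParameters.bucketName`, `requestParameters.key`, `additionalEventData.SSEApplied`, and `requestParameters.LifecycleConfiguration.Rule` for `PutBucketLifecycle`) are assumptions about the record layout that should be checked against your own logs before deployment.

```python
"""Detect SSE-C re-encryption followed by a short expiration rule (added example)."""
import json
from collections import defaultdict

# Deadline the ransom notes reportedly set; lifecycle rules at or below it are flagged.
MAX_EXPIRATION_DAYS = 7

# Constructed sample records (NOT real CloudTrail output). One JSON object per line.
# Only the fields read below matter; real records carry many more.
SAMPLE_LOG = """
{"eventTime":"2024-12-10T02:11:03Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"prod-data","key":"reports/q3.csv"},"additionalEventData":{"SSEApplied":"SSE_KMS"}}
{"eventTime":"2024-12-11T03:40:17Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-dev-key"},"requestParameters":{"bucketName":"prod-data","key":"reports/q3.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2024-12-11T03:40:18Z","eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-dev-key"},"requestParameters":{"bucketName":"prod-data","key":"reports/q4.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2024-12-11T03:42:30Z","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-dev-key"},"requestParameters":{"bucketName":"prod-data","LifecycleConfiguration":{"Rule":[{"ID":"cleanup","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":7}}]}}}
{"eventTime":"2024-12-12T09:00:00Z","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"build-cache","LifecycleConfiguration":{"Rule":{"ID":"expire-old-builds","Status":"Enabled","Expiration":{"Days":90}}}}}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sse_c_write(event):
    """True for PutObject/CopyObject where S3 applied a customer-provided key."""
    if event.get("eventName") not in ("PutObject", "CopyObject"):
        return False
    return event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"


def expiration_days(event):
    """Shortest enabled Expiration.Days in a PutBucketLifecycle event, else None."""
    if event.get("eventName") != "PutBucketLifecycle":
        return None
    rules = (event.get("requestParameters", {})
             .get("LifecycleConfiguration", {})
             .get("Rule", []))
    if isinstance(rules, dict):  # a single rule may be serialized as an object
        rules = [rules]
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def detect(events, max_days=MAX_EXPIRATION_DAYS):
    """Group SSE-C writes and short expiration rules per (identity, bucket).

    Returns {(arn, bucket): {"sse_c_writes": [keys], "expiration_days": n|None,
    "ransomware_pattern": bool}}; the flag is True only when both signals
    come from the same identity on the same bucket.
    """
    findings = defaultdict(lambda: {"sse_c_writes": [], "expiration_days": None})
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        bucket = ev.get("requestParameters", {}).get("bucketName", "<unknown>")
        if is_sse_c_write(ev):
            findings[(arn, bucket)]["sse_c_writes"].append(ev["requestParameters"].get("key"))
        days = expiration_days(ev)
        if days is not None and days <= max_days:
            findings[(arn, bucket)]["expiration_days"] = days
    for f in findings.values():
        f["ransomware_pattern"] = bool(f["sse_c_writes"]) and f["expiration_days"] is not None
    return dict(findings)


if __name__ == "__main__":
    for (arn, bucket), f in detect(parse_log(SAMPLE_LOG)).items():
        level = "ALERT" if f["ransomware_pattern"] else "note"
        print(f"[{level}] {arn} on {bucket}: {len(f['sse_c_writes'])} SSE-C write(s), "
              f"expiration_days={f['expiration_days']}")
```

Either signal alone is worth a ticket (a single SSE-C `CopyObject` from an identity that never used SSE-C before is already unusual in most estates), but the combination from one identity on one bucket is the sequence the article describes and should page someone.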

“By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation,” the researchers said.  

“While SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware operators.”

An AWS spokesperson told Recorded Future News that whenever the company becomes aware of keys that have been leaked they notify affected customers and “thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment.” 

The company provided a list of resources for any concerned customers and urged those affected to contact AWS support. They also urged customers not to store credentials in source code or in configuration files.

Halcyon warned the hackers’ tactics “may soon gain traction among other threat actors” and said AWS customers need to act swiftly to protect themselves. 
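One concrete way to act on that warning is to make SSE-C uploads impossible for a bucket that does not need them, so that stolen credentials cannot be used to re-encrypt objects with a key only the attacker holds. The script below is an added example, not code from the article, Halcyon or AWS. It audits a bucket policy (a constructed sample is embedded inline) for a Deny statement keyed on the S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm` and appends one if it is missing. The statement shape follows AWS's published guidance for blocking SSE-C; the check is deliberately simplified (it ignores `NotAction`, `NotResource`, principal scoping and other condition operators), and both the policy wording and the `Principal`/`Resource` scoping are assumptions to validate against the current S3 documentation before applying to a real bucket.

```python
"""Audit and harden an S3 bucket policy against SSE-C uploads (added example)."""
import copy
import json

# S3 condition key that is present on requests carrying customer-provided keys.
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
SID = "DenySSECUploads"

# Constructed sample: a typical policy that only grants reads and says nothing
# about SSE-C, so a caller with write access could still use it. Not a real policy.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppReads",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::prod-data/*",
        }
    ],
}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Statement; normalize."""
    return value if isinstance(value, list) else [value]


def deny_sse_c_statement(bucket):
    """Deny s3:PutObject (which CopyObject also needs on the destination) whenever
    the SSE-C algorithm header is present. Null == "false" means 'key is set'."""
    return {
        "Sid": SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
    }


def blocks_sse_c(policy, bucket):
    """True if some Deny statement covers PutObject on the bucket's objects and
    fires when the SSE-C header is present. Simplified evaluation only."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:PutObject", "s3:Put*", "s3:*", "*")
                   for a in _as_list(st.get("Action", []))):
            continue
        if not any(r in (object_arn, "arn:aws:s3:::*", "*")
                   for r in _as_list(st.get("Resource", []))):
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        if str(null_cond.get(SSE_C_CONDITION_KEY, "")).lower() == "false":
            return True
    return False


def harden(policy, bucket):
    """Return a deep copy of the policy with the SSE-C deny appended when absent.
    Idempotent: applying it twice yields the same document."""
    hardened = copy.deepcopy(policy)
    if blocks_sse_c(hardened, bucket):
        return hardened
    statements = _as_list(hardened.get("Statement", []))
    statements.append(deny_sse_c_statement(bucket))
    hardened["Statement"] = statements
    return hardened


if __name__ == "__main__":
    bucket = "prod-data"
    print("blocks SSE-C before:", blocks_sse_c(WEAK_POLICY, bucket))
    fixed = harden(WEAK_POLICY, bucket)
    print("blocks SSE-C after: ", blocks_sse_c(fixed, bucket))
    print(json.dumps(fixed, indent=2))
```

Run `harden` against each bucket's current policy (for example, fetched with the AWS CLI) and review the diff before putting it back; buckets that legitimately receive SSE-C uploads need an explicit exception rather than this blanket deny. The deny does not undo objects that were already re-encrypted, which is why the policy belongs alongside versioning or Object Lock and the CloudTrail monitoring above.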

Cybercriminals have long targeted S3 buckets because organizations typically leave them exposed and open to anyone on the internet — causing massive data breaches.

In recent months, researchers have warned that ransomware actors have begun to target the product and find ways to extort customers using it. 

Ransomware actors have previously used a company’s legitimate encryption tools against customers — including Microsoft’s BitLocker service, which has been harnessed repeatedly by ransomware gangs to encrypt customer data. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.