How attackers encrypt AWS S3 buckets using SSE-C

14 January 2025 2 minutes Author: Newsman

The Halcyon RISE team has discovered a new and dangerous ransomware campaign that abuses Amazon S3 Server-Side Encryption with Customer-Provided Keys (SSE-C). The attackers use stolen AWS access keys to encrypt the victim's data, then demand a ransom for the decryption key.

This attack poses a serious risk to companies that store critical information in AWS: an attacker who holds read and write permissions on objects in S3 buckets re-encrypts the data with SSE-C using AES-256 keys of their own. AWS does not store these keys, so the data cannot be recovered without paying the ransom. CloudTrail, meanwhile, logs only an HMAC of the key, so the key cannot be reconstructed from the logs and forensic analysis of the incident is limited.

Key stages of the attack:

  1. Using stolen AWS keys to access buckets on which those keys hold the required permissions.
  2. Encrypting the data with SSE-C using the attacker's own key.
  3. Setting a lifecycle policy that deletes the files after 7 days, putting additional pressure on victims.
  4. Leaving ransom notes that demand payment and warn the victim not to change access rights.

Introduced in 2014, SSE-C lets customers encrypt their data with a key they supply themselves. A feature designed to improve security has thus become a tool in the hands of cybercriminals; Halcyon identified two affected companies, neither of which was a Halcyon customer at the time of the attack.

This attack shows that legitimate cloud services can be turned into instruments for data encryption and extortion. Halcyon urges organizations to immediately strengthen the security of their AWS environments by limiting the use of SSE-C, auditing access keys, monitoring in detail, and working with AWS to reduce the risk. The same approach could spread to other cloud services, creating a broader threat to the security of cloud data.
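The two controls the article recommends that are most directly testable are limiting SSE-C and monitoring for its use. The following Python is an added example, not code from Halcyon or from the article. It builds a bucket policy that denies any `s3:PutObject` carrying the SSE-C algorithm header (AWS exposes this as the condition key `s3:x-amz-server-side-encryption-customer-algorithm`) and restricts lifecycle-configuration changes to one administrative role, and it scans CloudTrail-style records for SSE-C writes and lifecycle changes. The bucket name and role ARN are placeholders, the log records are constructed for the example, and the `additionalEventData.SSEApplied` field and the `PutBucketLifecycle` event name are assumptions about the CloudTrail format that should be checked against your own logs.

```python
"""Defensive helpers against SSE-C based re-encryption of S3 objects.

Added example (not from Halcyon or the article). Assumptions are marked inline.
"""
import json
from typing import Dict, Iterable, List

# Condition key AWS uses for the SSE-C algorithm request header.
SSEC_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

# S3 operations that write object data (CopyObject also needs s3:PutObject
# on the destination, so the bucket policy below covers both).
OBJECT_WRITE_EVENTS = {"PutObject", "CopyObject"}


def deny_ssec_bucket_policy(bucket: str, lifecycle_admin_arn: str) -> dict:
    """Bucket policy that (a) refuses any object write that carries an SSE-C
    header and (b) limits lifecycle changes to one administrative principal.
    `bucket` and `lifecycle_admin_arn` are caller-supplied placeholders."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySSECWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null == "false" matches when the SSE-C header IS present.
                "Condition": {"Null": {SSEC_ALGO_KEY: "false"}},
            },
            {
                "Sid": "RestrictLifecycleChanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutLifecycleConfiguration",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "ArnNotEquals": {"aws:PrincipalArn": lifecycle_admin_arn}
                },
            },
        ],
    }


def flag_suspicious_events(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one finding per CloudTrail record that shows an SSE-C object
    write or a lifecycle change. ASSUMPTION: SSE-C writes carry
    additionalEventData.SSEApplied == "SSE_C" and lifecycle changes are
    logged with an eventName starting with "PutBucketLifecycle"."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        extra = rec.get("additionalEventData") or {}
        params = rec.get("requestParameters") or {}
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        base = {"time": rec.get("eventTime", ""), "actor": actor,
                "bucket": params.get("bucketName", ""), "event": name}
        if name in OBJECT_WRITE_EVENTS and extra.get("SSEApplied") == "SSE_C":
            findings.append({**base, "rule": "ssec_object_write",
                             "key": params.get("key", "")})
        elif name.startswith("PutBucketLifecycle"):
            findings.append({**base, "rule": "lifecycle_change"})
    return findings


# Constructed sample records for this example; not real log data.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-prod-data",
                           "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:12:45Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-writer"},
     "requestParameters": {"bucketName": "example-prod-data",
                           "key": "uploads/ok.json"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:15:02Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-prod-data"}},
]


if __name__ == "__main__":
    policy = deny_ssec_bucket_policy(
        "example-prod-data", "arn:aws:iam::111122223333:role/storage-admin")
    print(json.dumps(policy, indent=2))
    for finding in flag_suspicious_events(SAMPLE_RECORDS):
        print(finding)
```

The policy is only useful where SSE-C is genuinely unused; where an application does rely on it, scope the deny to the buckets that do not, and keep the lifecycle statement's role ARN in a break-glass procedure so an emergency change is still possible. Run the scanner over S3 data events (SSE-C writes do not appear in management-only trails).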
