The Codefinger attack represents a new frontier in cloud-native ransomware, leveraging compromised AWS keys to target Amazon S3 buckets. By exploiting AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C), this advanced ransomware encrypts S3 objects, leaving organizations unable to access their data without the decryption key held by the attacker. The attacker further enforces urgency by marking files for deletion, compounding the threat's severity.
What makes this attack particularly concerning is its use of AWS-native encryption features to lock organizations out of their own data without exploiting any AWS vulnerability. This sophisticated approach underscores the need for organizations to adopt robust cloud security strategies that address both prevention and detection.
The Codefinger attack workflow
Unlike earlier ransomware attacks, which primarily focused on encrypting files locally, modern ransomware campaigns often incorporate data theft, extortion threats, and advanced cloud-native tactics. The Codefinger attack exemplifies this evolution by leveraging AWS’s cloud-native features, such as Amazon S3's Server-Side Encryption with Customer-Provided Keys (SSE-C), to directly integrate into the victim’s environment and render traditional recovery methods ineffective.
Below is a short breakdown — based on Halcyon’s analysis — of how the attack by the Codefinger threat actors unfolds, from initial access to ransom deployment:
- Initial access: The attacker uses publicly exposed or compromised AWS API keys to gain access to the victim’s account.
- Discovery: Once inside, the attacker must perform discovery operations, such as enumerating S3 buckets and the objects they contain, to identify targets.
- Credential abuse: Using stolen credentials, the attacker accesses S3 buckets and downloads objects.
- Encryption via SSE-C: The attacker re-encrypts the data with symmetric keys that the threat actor generates and controls, making it irretrievable by the victim.
- Lifecycle manipulation: Object lifecycle policies are modified to mark files for deletion, creating urgency for victims to comply with ransom demands.
- Ransom deployment: Ransom notes are placed in affected directories, providing payment instructions and warnings against intervention.
Why prevention is not enough
AWS advises organizations to adopt robust preventative measures as the first line of defense against ransomware.
These measures include:
- Implement short-term credentials: Avoiding long-term credentials eliminates the risk of compromise, as credentials that do not exist cannot be stolen. Use AWS tools like IAM roles, IAM Identity Center, and Security Token Service (STS) to provide secure, short-term access without storing credentials in code or configuration files.
- Enable versioning and object locking in S3 buckets: Versioning prevents permanent data loss by allowing the restoration of previous object versions, while object locking protects against overwriting or deleting critical data.
- Restrict SSE-C usage: Use IAM policies to block SSE-C unless explicitly required. This prevents attackers from leveraging custom encryption keys to lock you out of your data.
- Centralized key management: Use centralized control over cryptographic keys with AWS KMS (Key Management Service). Apply Service Control Policies (SCPs) to restrict the use of specific keys and cryptographic operations to trusted users and applications.
- Implement advanced logging and monitoring: Enable AWS CloudTrail with comprehensive S3 data-plane logging to monitor all bucket activities. Configure alarms for unusual API activities, such as bulk encryption, lifecycle policy changes, or unauthorized use of replication rules.
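One way to implement the "restrict SSE-C usage" measure above, as an added example that is not from the original post or from AWS: a bucket policy that denies any PutObject request carrying the SSE-C condition key, plus a small evaluator (simplified: it handles only this statement's Null condition and ignores Resource matching) that shows which uploads the policy blocks. The bucket name is a placeholder.

```python
BUCKET = "example-bucket"   # placeholder, not a real bucket name

# The condition key s3:x-amz-server-side-encryption-customer-algorithm exists only
# when a request asks for SSE-C. "Null": {key: "false"} is true when the key IS
# present, so this Deny statement blocks every SSE-C PutObject to the bucket.
DENY_SSEC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySSECUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
    }],
}

def request_context(headers):
    """Map PutObject request headers onto the condition key the policy inspects."""
    alg = headers.get("x-amz-server-side-encryption-customer-algorithm")
    return {"s3:x-amz-server-side-encryption-customer-algorithm": alg}

def statement_denies(statement, action, context):
    """Simplified IAM evaluation: one Deny statement, Null conditions only."""
    if statement["Effect"] != "Deny" or statement["Action"] != action:
        return False
    for key, expect in statement["Condition"].get("Null", {}).items():
        key_absent = context.get(key) is None
        # Null "true" matches an absent key, Null "false" matches a present key
        if key_absent != (expect == "true"):
            return False
    return True

def put_object_allowed(headers):
    """True unless a statement in DENY_SSEC_POLICY denies this PutObject."""
    ctx = request_context(headers)
    return not any(statement_denies(s, "s3:PutObject", ctx)
                   for s in DENY_SSEC_POLICY["Statement"])

if __name__ == "__main__":
    import json
    print(json.dumps(DENY_SSEC_POLICY, indent=2))
    print(put_object_allowed({"x-amz-server-side-encryption": "aws:kms"}))       # True
    print(put_object_allowed({"x-amz-server-side-encryption-customer-algorithm": "AES256"}))  # False
```

Attach the policy to buckets where SSE-C is never legitimately used; the same condition key can be denied in an SCP to cover every bucket in an organization.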
These steps can significantly reduce the attack surface and limit opportunities for attackers to exploit cloud-native features. However, as advanced attacks like Codefinger demonstrate, prevention alone is not sufficient. Even with the best preventative controls in place, attackers can still bypass defenses by exploiting misconfigurations, gaining access through compromised keys, or abusing legitimate cloud services.
Kat Traxler’s white paper on Cloud-Native Ransomware highlights how attackers exploit cloud-native tools for malicious purposes. The research outlines key insights, such as how gaps in logging and monitoring enable attackers to hide their activities and the various lifecycle stages of cloud-native ransomware. These findings reinforce the need for a comprehensive strategy that combines robust preventative measures with proactive threat detection and response.
Best Practices: Robust post-compromise threat detection in AWS
To complement AWS’s preventative recommendations, organizations should implement the following detection and response best practices:
- Monitor early-stage behaviors: Detecting reconnaissance activities, such as bucket enumeration or IAM permissions discovery, can stop attackers from advancing their plans.
- Behavioral-based detection: Use behavioral analytics to identify unusual patterns in API calls, privilege escalations, or encryption events.
- Comprehensive logging: Ensure CloudTrail is enabled for all regions and services, including S3 data events, to provide visibility into potentially malicious actions.
- Automated incident response: Employ automated workflows to isolate compromised accounts or services immediately upon detection of suspicious activity.
- Post-compromise mitigation: Focus on stopping lateral movement and minimizing damage by monitoring for signs of privilege escalation, unauthorized lifecycle policy changes, or bulk data operations.
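The detection practices above (early-stage discovery, lifecycle policy changes, bulk encryption events) as an added example that is not from the original post or from Vectra: a small detector run over constructed CloudTrail S3 events. It assumes CloudTrail data events record SSE-C uploads as additionalEventData.SSEApplied == "SSE_C" and lifecycle changes as eventName "PutBucketLifecycle"; the account id and ARNs are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 3          # SSE-C uploads per principal inside WINDOW
WINDOW = timedelta(minutes=10)
def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return (principal, finding) tuples for Codefinger-style CloudTrail events."""
    findings = []
    ssec_times = defaultdict(list)   # principal -> times of its SSE-C uploads
    for e in sorted(events, key=_ts):
        name, who = e["eventName"], e["userIdentity"].get("arn", "unknown")
        if name == "ListBuckets":
            findings.append((who, "discovery: ListBuckets"))
        elif name == "PutBucketLifecycle":
            bucket = e.get("requestParameters", {}).get("bucketName", "?")
            findings.append((who, f"lifecycle change on {bucket}"))
        # assumption: CloudTrail marks SSE-C uploads with SSEApplied == "SSE_C"
        elif name == "PutObject" and \
                e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            times = ssec_times[who]
            times.append(_ts(e))
            while times[-1] - times[0] > WINDOW:   # drop uploads outside window
                times.pop(0)
            if len(times) == BULK_THRESHOLD:       # fire once at the threshold
                findings.append((who, f"bulk SSE-C encryption ({len(times)} objects)"))
    return findings

# Constructed sample events (not real log data); account id is a placeholder
def _ev(t, name, who, **extra):
    return {"eventTime": t, "eventName": name, "userIdentity": {"arn": who}, **extra}

ATTACKER = "arn:aws:iam::111122223333:user/leaked-key"
SAMPLE = [
    _ev("2025-01-10T09:00:00Z", "ListBuckets", ATTACKER),
    _ev("2025-01-10T09:01:00Z", "PutObject", "arn:aws:iam::111122223333:role/app",
        additionalEventData={"SSEApplied": "SSE_KMS"}),
] + [
    _ev(f"2025-01-10T09:0{i}:30Z", "PutObject", ATTACKER,
        additionalEventData={"SSEApplied": "SSE_C"}) for i in range(2, 5)
] + [
    _ev("2025-01-10T09:06:00Z", "PutBucketLifecycle", ATTACKER,
        requestParameters={"bucketName": "example-bucket"}),
]

if __name__ == "__main__":
    for who, what in detect(SAMPLE):
        print(who, "->", what)
```

The legitimate SSE-KMS upload by the application role produces no finding, while the leaked key's discovery call, burst of SSE-C uploads, and lifecycle change each do.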
Preventative controls are vital, but they cannot eliminate the risk of compromise. By pairing proactive prevention with robust detection and response capabilities, organizations can build a resilient cloud security program capable of mitigating advanced threats like Codefinger.
How the Vectra AI Platform Can Help
The Vectra AI Platform provides unparalleled visibility into what attackers do before and after sign-in, AI-driven prioritization, and comprehensive response capabilities to empower security teams in addressing sophisticated attacks used by threat actors like Codefinger:
Coverage to reduce exposure
The Vectra AI Platform provides visibility into cloud environments, identifying threats before they escalate. By monitoring AWS services for suspicious activity, the platform enables detection of unauthorized access, privilege escalation, and other ransomware-related behaviors, helping organizations reduce exposure and fortify defenses.
Clarity to remove latency in threat detection
The Vectra AI Platform not only detects threats but also prioritizes incidents based on risk. The platform uses AI to attribute suspicious behaviors to the original actors rather than to roles, and provides the necessary context for every stage of the attack. This enables security teams to see the complete picture and streamline investigations. By surfacing threats based on attacker behaviors rather than on what merely looks different, security teams can prioritize and address the most critical issues first.
Control to stop attacks
Vectra AI empowers security teams to maintain control and stop attacks with a combination of automation and expert support. Security analysts can leverage instant investigations for guided pathways to trace attack progression and advanced investigations for custom queries across network metadata, identity, and AWS logs. Cloud-native response workflows enable teams to isolate and lock down cloud principals across regions for rapid containment.
Vectra AI seamlessly integrates with leading EDR, SIEM, SOAR, and ITSM platforms, including AWS Security Hub, to automate and orchestrate incident response playbooks. For added support, Vectra MXDR lets security teams outsource threat detection, investigation, and response to hybrid attack experts.
By leveraging these capabilities, security teams can stop attackers with access to AWS keys before they escalate their operations.
Learn more about how Vectra AI can help by watching our self-guided tour, or schedule a security assessment today to identify your security gaps.