The newly emergent threat actor Codefinger has launched attacks against a pair of AWS native software developers, encrypting Amazon Web Services S3 bucket data through server-side encryption with customer-provided keys (SSE-C), reports The Record, a news site run by Recorded Future.
Halcyon researchers said that after obtaining AWS account credentials and their encryption keys, Codefinger removes targeted organizations' access to the accounts and seeks payment for the keys. The researchers also noted that the ransom payment is the only means of data recovery following the intrusion.
"By utilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without their cooperation," said the researchers. "While SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware operators."
AWS customers with exposed keys have been urged to examine reported key exposures and implement quarantine policies.