In January 2025, the ransomware group “Codefinger” has exploited Amazon Web Services (AWS) to launch a sophisticated campaign targeting Simple Storage Service (S3) buckets. Using compromised AWS credentials, the attackers leveraged AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt stored data. This innovative use of legitimate AWS features complicates detection and remediation, underscoring the importance of robust cloud security practices.
Attack Pathway
The Campaign
The “Codefinger” ransomware group initiated their campaign in late 2024, focusing on organizations heavily reliant on cloud-based storage solutions. By gaining unauthorized access to AWS accounts, they encrypted sensitive data stored in S3 buckets and demanded ransom payments in Bitcoin to provide the decryption keys. Victims faced an additional threat: the attackers used AWS Object Lifecycle Management policies to set a seven-day deletion deadline for encrypted data, heightening urgency for ransom payment.
How The Attack Happened?
Credential Compromise
Codefinger obtained AWS credentials with permissions to read and write S3 objects through methods such as:
- Phishing and Social Engineering – Tricking users into revealing login information.
- Credential Dump Exploitation – Leveraging leaked credentials from prior breaches.
- Misconfigured IAM Policies – Exploiting overly permissive access configurations.
SSE-C Encryption Abuse
AWS’s SSE-C enables customers to encrypt S3 data using their own encryption keys. Codefinger exploited this feature by:
- Generating unique AES-256 keys for encryption.
- Using compromised credentials to encrypt data via SSE-C.
- Ensuring AWS logged only a hash-based message authentication code (HMAC) of the encryption key, which attackers used to their advantage, knowing recovery would be impossible without their key.This approach rendered the data inaccessible without the attacker’s cooperation, as AWS itself does not store or manage customer-provided keys.
Ransom Note Placement
After encrypting the data, the attackers left ransom notes within affected directories. These notes included payment instructions and warnings about data deletion, with threats escalating after a seven-day period.
Lifecycle Policies Exploitation
The attackers employed AWS S3 Lifecycle Management to add a deletion rule for encrypted data. By doing this, they introduced a ticking clock for victims, amplifying psychological pressure to pay the ransom.
Possible Impact
The financial and operational consequences for affected organizations were severe:
- Data Unavailability – Critical files became inaccessible, disrupting operations.
- Financial Loss – Victims faced significant ransom demands.
- Reputational Damage – Trust eroded as customers and partners questioned the organization’s security measures.
Recommendations
To defend against such attacks, organizations should consider the following measures:
Restrict SSE-C Usage – Implement Identity and Access Management (IAM) policies to limit the use of SSE-C to authorized users and data.
Regular Credential Audits – Frequently review AWS key permissions, disable unused keys, and rotate active ones to minimize the risk of unauthorized access.
Monitoring and Logging
- Enable Detailed Logging – Use AWS CloudTrail to monitor S3 bucket activities.
- Event Notifications – Set up alerts for changes to lifecycle policies or bulk encryption operations.
Security Best Practices
- Use AWS GuardDuty and Amazon Macie for anomaly detection.
- Regularly audit S3 bucket configurations for misconfigurations and overly permissive access.
- Train employees to recognize phishing attempts.
Conclusion
Codefinger’s attack on AWS S3 buckets demonstrates the sophisticated threats facing cloud environments. Organizations must adopt a proactive approach, combining robust technical controls, vigilant monitoring, and user education, to mitigate the risks of such attacks.
By understanding the attack vectors and implementing layered defenses, businesses can protect their critical assets from similar threats in the future.
