Ransomware actors are increasingly targeting cloud control planes by using compromised AWS programmatic keys and tools like Pacu to enumerate, escalate, and exfiltrate data from cloud accounts. Rapid detection and response — including disabling keys, auditing activity, and monitoring cloud control plane telemetry — prevented greater impact in the investigated incident. #Pacu #Veeam
Key points
- Ransomware groups are shifting from only attacking on-premises or data-plane cloud resources to actively targeting the cloud control plane, increasing potential impact and response complexity.
- Programmatic AWS keys (Access Key ID + secret access key) can grant API-level access independent of user passwords and are valuable targets for attackers.
- Varonis detected an attempted use of the Pacu exploitation framework against a client’s AWS environment via control plane API calls.
- Pacu provides modules for exfiltration, exploitation, escalation, enumeration, persistence, evasion, and lateral movement within AWS, making it a powerful offensive tool if abused.
- Forensics linked compromised AWS keys and a malicious IP address to multiple AWS accounts and ultimately to a common on-premises Veeam Backup Server targeted by ransomware.
- Swift remediation (disabling keys and auditing activity) limited the attacker’s ability to leverage access, avoiding large-scale exfiltration or excessive cloud costs.
- Recommended defenses include enabling and monitoring cloud logging, avoiding programmatic keys when possible, enforcing MFA, restricting API access by source IP for privileged users, applying least privilege to keys, and using tools like Pacu defensively to assess risk.
MITRE Techniques
- [T1078] Valid Accounts – Attackers used compromised AWS programmatic keys (Access Key ID + secret access key) to interact with the control plane and perform API actions, allowing access without the user’s password. Quote: ‘…identified the specific programmatic keys used to make the API call that triggered it.’
- [T1529] System Owner/User Discovery – Enumeration capabilities in Pacu were used to list and explore services, buckets, snapshots, and other resources within the targeted AWS account. Quote: ‘…scan the AWS account for all S3 buckets the account has access to, and offers to download all the data.’
- [T1071] Application Layer Protocol – Use of AWS APIs (control plane) to create, describe, update, and delete resources demonstrates abuse of application layer protocols for malicious activity. Quote: ‘…programmatic key…allows interaction with AWS based on the attached user’s assigned permissions.’
- [T1005] Data from Local System (EBS snapshot download) – Pacu modules can download EBS snapshots to the attacker’s machine to explore sensitive data. Quote: ‘…Can download EBS snapshots to the user’s computer, which can then be mounted and explored for sensitive data.’
- [T1531] Account Discovery – Identifying additional AWS accounts and keys tied to the same malicious IP and expanding scope of compromise. Quote: ‘…quickly identified malicious actions in additional AWS accounts controlled by the customer, bringing them into the investigation scope.’
- [T1499] Endpoint Denial of Service (Cost Generation) – Attackers could generate large AWS costs by abusing account resources if their access is not revoked promptly. Quote: ‘…could have generated enormous AWS costs for the victim.’
- [T1078.002] Valid Accounts: Cloud Accounts – Use of programmatic keys specific to cloud accounts to gain persistent API access and perform cloud-specific actions. Quote: ‘An AWS key is a programmatic key that can be attached to a user and allows interaction with AWS…’
- [T1555] Credentials from Password Stores (backup server as credential source) – Compromise of a Veeam Backup Server was identified as the common location where keys were stored, enabling the attacker to pivot into AWS. Quote: ‘…identify a common location where both sets of keys were located, a Veeam Backup Server.’
- [T1098] Account Manipulation (backdoors via IAM/security groups/Lambda) – Pacu can establish persistence by abusing IAM, adding backdoor rules to EC2 security groups, and creating Lambda-based backdoors. Quote: ‘…establish multiple backdoors relating to the abuse of IAM… Adds backdoor rules to EC2 security groups… abusing the Lambda service.’
- [T1562] Impair Defenses (log deletion/disablement) – Pacu can download and offer options to disable or minimize CloudTrail and CloudWatch logging and add IPs to allow lists to evade detection. Quote: ‘…Can download CloudTrail and CloudWatch logs… present options for disabling or minimizing each source… Can add IP addresses to the GuardDuty allow list.’
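As an added example (not code from the Varonis report or from Pacu), the following Python detector runs over constructed CloudTrail-style records and flags the three behaviours the key points and the T1078/T1562 entries describe: a privileged key calling APIs from outside an approved source range, calls that disable or blind CloudTrail/CloudWatch/GuardDuty, and a burst of Describe*/List* enumeration calls from one key. The key ID, user name, IPs and CIDR are placeholders, and the list of log-tampering API names is an assumption based on the services named above.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail-style records for illustration (not from the incident); all values are placeholders.
def _ev(t, name, ip, key="AKIAPLACEHOLDER0001", user="backup-svc"):
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key, "userName": user}}

SAMPLE_EVENTS = [
    _ev("2024-01-10T10:00:01Z", "ListBuckets", "198.51.100.20"),        # routine use from the approved range
    _ev("2024-01-10T11:00:00Z", "ListBuckets", "203.0.113.7"),          # same key, unknown source IP
    _ev("2024-01-10T11:00:04Z", "DescribeSnapshots", "203.0.113.7"),    # EBS snapshot enumeration
    _ev("2024-01-10T11:00:09Z", "DescribeDBSnapshots", "203.0.113.7"),  # RDS snapshot enumeration
    _ev("2024-01-10T11:00:12Z", "ListUsers", "203.0.113.7"),            # IAM enumeration
    _ev("2024-01-10T11:00:15Z", "ListFunctions", "203.0.113.7"),        # Lambda enumeration
    _ev("2024-01-10T11:02:30Z", "StopLogging", "203.0.113.7"),          # attempt to blind CloudTrail
]

ALLOWED_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed office/VPN egress range
PRIVILEGED_USERS = {"backup-svc"}                            # identities restricted to ALLOWED_CIDRS
# Assumed set of API names that disable or blind CloudTrail, CloudWatch Logs and GuardDuty
LOG_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                    "DeleteLogGroup", "DeleteLogStream", "CreateIPSet", "UpdateIPSet"}

def analyze(events, burst_threshold=5, window_seconds=60):
    """Return a sorted list of (finding, accessKeyId, detail) tuples for the given records."""
    findings = set()
    read_calls = defaultdict(list)    # accessKeyId -> timestamps of Describe*/List*/Get* calls
    for ev in events:
        name, ident = ev["eventName"], ev["userIdentity"]
        key, user = ident.get("accessKeyId", "?"), ident.get("userName", "?")
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        # 1. privileged key used from outside the approved source range (the "restrict API access by IP" control)
        if user in PRIVILEGED_USERS and not any(ip in net for net in ALLOWED_CIDRS):
            findings.add(("key_outside_allowlist", key, str(ip)))
        # 2. attempts to impair logging or detection (T1562)
        if name in LOG_TAMPER_CALLS:
            findings.add(("log_tamper", key, name))
        # 3. collect read-only enumeration calls per key for burst analysis
        if name.startswith(("Describe", "List", "Get")):
            read_calls[key].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    # flag any key that issues burst_threshold enumeration calls inside window_seconds (recon-style activity)
    for key, times in read_calls.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                findings.add(("enum_burst", key, f"{burst_threshold} read calls within {window_seconds}s"))
                break
    return sorted(findings)
```

Feed real CloudTrail JSON `Records` into `analyze` after mapping the same four fields; the first sample record alone produces no finding, so the allowlist check only fires on the unknown source.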
Indicators of Compromise
- [AWS Access Keys] Compromised programmatic credentials used to make API calls – example Access Key ID format: AKIAIOSFODMM7EXAMPLE, and associated secret keys (redacted), tied to malicious activity across multiple AWS accounts.
- [IP Address] Malicious API caller IP – Varonis identified an IP address used to make the API calls that triggered the alert (example context: tied to keys and additional AWS accounts) — specific IP not published in article.
- [Tooling/Framework] Offensive framework observed – Pacu usage detected targeting the AWS environment (context: modules for enumeration, exfiltration, persistence).
- [Server Name] Backup server compromise – Veeam Backup Server identified as the common location for stored keys and a pivot point during the incident (context: on-premises ransomware targeted the server).
- [Cloud Resources] Targeted cloud artifacts – S3 buckets and EBS/RDS snapshots enumerated and potentially downloaded (example context: Pacu modules to scan buckets and download snapshots), and other activities across account resources.
Read more: https://www.varonis.com/blog/aws-keys