This article explores how threat actors abuse Amazon S3's Server-Side Encryption with Customer-Provided Keys (SSE-C) for ransom and extortion. It introduces S3 and SSE-C, walks through the attacker's tactics, techniques, and procedures, emulates the abuse in a controlled environment, and describes how to detect it, together with infrastructure setup and security best practices. The aim is to improve understanding of how S3's encryption options can be turned against their owner and to propose effective detection strategies.
Affected: AWS, S3 service, organizations utilizing SSE-C
Keypoints :
- Threat actors misuse SSE-C for ransom/extortion operations on Amazon S3.
- Insights provided into S3’s workflows, bucket configurations, and best practices for security.
- Research based on the first documented case of SSE-C abuse for ransomware.
- Emulation of the attack using Terraform and Python in a controlled environment.
- With SSE-C the caller supplies the encryption key and AWS stores only a salted HMAC of it to validate later requests, so an attacker with write access can re-encrypt objects under a key that only they hold; overly permissive bucket access controls and IAM policies are what make this possible.
- Importance of proper IAM configurations in preventing unauthorized access.
- Detailed workflow for detection and analysis of SSE-C abuse through AWS CloudTrail (S3 object-level data events must be enabled on the trail, since they are not logged by default).
- Creation of alerts on the first observed occurrence of SSE-C activity for a given user or bucket, since first-time use is the strongest signal in environments where SSE-C is uncommon.
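The detection workflow in the last two points, as an added example that is not part of the original article or of Elastic's own rule set: a Python script that runs first-seen logic over CloudTrail S3 data events, flagging the first SSE-C write by a (principal, bucket) pair not already in a baseline, and separately flagging a lifecycle rule that schedules deletion within a short window. The sample records and the baseline set are constructed for this example, and the assumption that the SSE-C request header (`x-amz-server-side-encryption-customer-algorithm`) and the lifecycle rule appear under `requestParameters` with these names is this example's own; check the field names against records from your own trail before deploying it.

```python
"""First-seen detection for S3 SSE-C abuse over CloudTrail S3 data events."""
import json
from collections import defaultdict

# Constructed sample CloudTrail records for this example (not real logs).
# The record shape follows CloudTrail's S3 data-event format; that the SSE-C
# request header and the lifecycle rule are recorded under requestParameters
# with these names is an assumption made here.
SAMPLE_CLOUDTRAIL = json.loads(r"""
{"Records": [
 {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
  "requestParameters": {"bucketName": "acme-prod-backups",
                        "key": "db/2025-01-10.sql.gz",
                        "x-amz-server-side-encryption": "AES256"}},
 {"eventTime": "2025-01-10T09:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "CopyObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters": {"bucketName": "acme-prod-backups",
                        "key": "db/2025-01-10.sql.gz",
                        "x-amz-copy-source": "acme-prod-backups/db/2025-01-10.sql.gz",
                        "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
 {"eventTime": "2025-01-10T09:05:02Z", "eventSource": "s3.amazonaws.com",
  "eventName": "CopyObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters": {"bucketName": "acme-prod-backups",
                        "key": "db/2025-01-09.sql.gz",
                        "x-amz-copy-source": "acme-prod-backups/db/2025-01-09.sql.gz",
                        "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
 {"eventTime": "2025-01-10T09:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketLifecycle",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters": {"bucketName": "acme-prod-backups",
                        "LifecycleConfiguration": {"Rule": {"ID": "cleanup",
                          "Status": "Enabled", "Filter": {"Prefix": ""},
                          "Expiration": {"Days": 7}}}}},
 {"eventTime": "2025-01-10T09:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-alice"},
  "requestParameters": {"bucketName": "acme-dev-scratch", "key": "scratch/a.bin",
                        "x-amz-server-side-encryption-customer-algorithm": "AES256"}}
]}
""")["Records"]

# Hypothetical baseline of (principal, bucket) pairs already known to use SSE-C,
# as would be built from the previous weeks of CloudTrail history.
BASELINE = {("arn:aws:iam::111122223333:user/ops-alice", "acme-dev-scratch")}

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def principal_and_bucket(rec):
    return rec["userIdentity"]["arn"], rec["requestParameters"].get("bucketName")


def is_ssec_write(rec):
    """S3 write whose request carried a customer-provided key (SSE-C)."""
    return (rec["eventSource"] == "s3.amazonaws.com"
            and rec["eventName"] in SSEC_WRITE_EVENTS
            and rec["requestParameters"].get(SSEC_HEADER) == "AES256")


def lifecycle_min_expiry_days(rec):
    """Shortest Expiration.Days set by a PutBucketLifecycle call, or None."""
    if rec["eventName"] != "PutBucketLifecycle":
        return None
    rules = rec["requestParameters"].get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule is logged as an object, not a list
        rules = [rules]
    days = [r["Expiration"]["Days"] for r in rules if "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def analyze(records, baseline, max_expiry_days=30):
    """Alert on the first SSE-C write per (principal, bucket) not in the baseline,
    and on lifecycle rules that expire objects within max_expiry_days.
    Returns (alerts, per-pair SSE-C write counts)."""
    seen = set(baseline)
    ssec_counts = defaultdict(int)
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        principal, bucket = principal_and_bucket(rec)
        if is_ssec_write(rec):
            ssec_counts[(principal, bucket)] += 1
            if (principal, bucket) not in seen:  # first-seen: alert once per pair
                seen.add((principal, bucket))
                alerts.append({"type": "ssec_first_seen", "time": rec["eventTime"],
                               "principal": principal, "bucket": bucket,
                               "event": rec["eventName"]})
        days = lifecycle_min_expiry_days(rec)
        if days is not None and days <= max_expiry_days:
            alerts.append({"type": "short_lifecycle_expiry", "time": rec["eventTime"],
                           "principal": principal, "bucket": bucket, "days": days})
    return alerts, dict(ssec_counts)


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_CLOUDTRAIL, BASELINE)
    for alert in found:
        print(alert)
    print("SSE-C writes per principal/bucket:", counts)
```

On the constructed input this raises one first-seen alert for contractor-temp on acme-prod-backups (the second CopyObject is counted but not re-alerted) and one lifecycle alert for the 7-day expiration; ops-alice's SSE-C write is suppressed by the baseline. The in-place CopyObject with the SSE-C header is the pattern to watch for, since it re-encrypts an existing object under the caller's key, and the short lifecycle expiration is the time-pressure half of the extortion. None of this fires unless S3 data events are enabled on the trail.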
MITRE Techniques :
- MITRE Technique: T1078.004 – Valid Accounts: Cloud Accounts
Procedure: Using compromised AWS credentials of an IAM user to manipulate S3 resources without authorization.
- MITRE Technique: T1486 – Data Encrypted for Impact
Procedure: Re-encrypting target objects in S3 with SSE-C under an attacker-supplied key that AWS does not retain, denying the victim access to their data.
- MITRE Technique: T1485 – Data Destruction
Procedure: Applying a bucket lifecycle policy that schedules automatic deletion of the encrypted objects, so the attacker keeps control of the data while adding time pressure to the ransom demand.
Indicator of Compromise :
- No IoCs Found
Full Story: https://www.elastic.co/security-labs/emulating-aws-s3-sse-c