Weaponizing cloud encryption and key management: Trend Micro has identified five S3 ransomware variants that increasingly exploit AWS’s built-in encryption paths. One abuses default AWS-managed KMS keys (SSE-KMS) by encrypting data with an attacker-created key and scheduling that key for deletion. Another uses customer-provided keys (SSE-C), where AWS has no copy, making recovery impossible. The third one exfiltrates S3 bucket data (with no versioning) and deletes the originals.

The final two variants go deeper into key management infrastructure. One relies on imported key material (BYOK), letting attackers encrypt data and then destroy or expire the imported keys. The other abuses AWS’s External Key Store (XKS), where key operations happen outside AWS, which means that if attackers control the external key source, neither the customer nor AWS can restore access. Together, the techniques reveal that attackers are using AWS itself as the encryption mechanism.

“I can’t recall having seen this done in the wild,” Ford added. “This specifically targets the use of external or customer-provided keys (SSE-C or XKS, respectively) to assert control over key management for the cryptography used in storage.”

Researchers urge customers to harden their S3 environments by enforcing least-privilege access, enabling protective controls like versioning and Object Lock, and closely regulating the use of customer-provided or external key sources that can undermine recovery. Isolating backups in separate accounts and continuously monitoring cloud audit logs for signs of suspicious key activity, mass encryption, or large-scale object deletions was also recommended.

“An ‘assume breach’ mindset is essential in the cloud: runtime environments should be immutable, identities must have tightly scoped permissions and short-lived credentials, networks need meaningful segmentation, and critical datasets must have backups,” Morin added.
“Modern operations depend on complex supply chains, and a ransomware affecting a key partner can disrupt your business just as completely as a direct compromise.”
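The audit-log monitoring recommended above can be expressed as a small triage rule set. The following is an added example, not code from the article or from Trend Micro: it runs over constructed CloudTrail-style events and flags the key-management and deletion patterns the five variants rely on (KMS key deletion or imported-material destruction, keys created with a non-AWS origin, SSE-C writes, and mass object deletion). The `SSEApplied` field, the `origin` request parameter and the deletion threshold are assumptions for this example.

```python
"""Triage constructed CloudTrail events for the S3 ransomware patterns."""
from collections import Counter

# KMS calls that remove the customer's ability to decrypt (SSE-KMS / BYOK variants).
KMS_KEY_DESTRUCTION = {"ScheduleKeyDeletion", "DeleteImportedKeyMaterial"}
# Key origins whose material lives outside AWS-generated KMS (BYOK / XKS variants).
NON_AWS_KEY_ORIGINS = {"EXTERNAL", "EXTERNAL_KEY_STORE"}
MASS_DELETE_THRESHOLD = 3  # assumption: tune per bucket activity baseline

def classify(event):
    """Return a finding label for a single event, or None if it looks benign."""
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    if src == "kms.amazonaws.com":
        if name in KMS_KEY_DESTRUCTION:
            return "kms-key-destruction"
        if name == "CreateKey" and params.get("origin") in NON_AWS_KEY_ORIGINS:
            return "non-aws-key-origin"
    if src == "s3.amazonaws.com" and name in ("PutObject", "CopyObject"):
        if extra.get("SSEApplied") == "SSE_C":  # assumed field: customer-provided key used
            return "sse-c-write"
    return None

def triage(events):
    """Collect per-event findings plus per-principal mass-delete findings."""
    findings, deletes = [], Counter()
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "?")
        label = classify(ev)
        if label:
            findings.append((label, arn, ev["eventName"]))
        if ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in ("DeleteObject", "DeleteObjects"):
            deletes[(arn, ev["requestParameters"].get("bucketName", "?"))] += 1
    for (arn, bucket), n in deletes.items():
        if n >= MASS_DELETE_THRESHOLD:
            findings.append(("mass-delete", arn, f"{n} deletes in {bucket}"))
    return findings

# Constructed sample events (not real log data).
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/session"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey", "userIdentity": {"arn": ROLE},
     "requestParameters": {"origin": "EXTERNAL_KEY_STORE"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": ROLE},
     "requestParameters": {"bucketName": "finance-data"}, "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "userIdentity": {"arn": ROLE},
     "requestParameters": {"pendingWindowInDays": 7}},
] + [{"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "userIdentity": {"arn": ROLE},
      "requestParameters": {"bucketName": "finance-data", "key": f"report-{i}.csv"}} for i in range(3)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```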
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4094475/ransomware-gangs-find-a-new-hostage-your-aws-s3-buckets.html