Excessive AWS S3 Object Encryption with SSE-C
Compromised AWS credentials can be used to encrypt a large number of S3 objects with SSE-C, rendering them unreadable without the attacker's keys, potentially leading to a ransomware-like extortion scenario.
This threat involves the malicious use of Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3. Attackers, typically leveraging compromised AWS credentials, encrypt numerous objects within an S3 bucket using their own encryption keys. This action renders the objects unreadable and unrecoverable without the attacker's private keys. The primary motive behind this attack is extortion, where the bucket owner is coerced into paying for the decryption keys, effectively mirroring a ransomware attack in a cloud environment. The behavior is detected by monitoring for a high volume of PutObject events with SSE-C encryption within a short time window.
Attack Chain
- Credential Compromise: The attacker gains unauthorized access to AWS credentials through methods like phishing, credential stuffing, or exploiting vulnerable applications.
- Privilege Escalation (Optional): If the compromised credentials have limited permissions, the attacker may attempt to escalate privileges to gain broader access within the AWS environment.
- Bucket Discovery: The attacker uses the compromised credentials to enumerate available S3 buckets within the AWS account.
- Target Selection: The attacker identifies a target S3 bucket containing sensitive or valuable data.
- SSE-C Encryption: The attacker initiates a high volume of PutObject operations, encrypting the existing objects using SSE-C with attacker-controlled keys. The
x-amz-server-side-encryption-customer-algorithmrequest parameter is set to "AES256". - Data Denial: The legitimate users are unable to access their data due to the encryption.
- Extortion: The attacker demands payment for the decryption keys, holding the encrypted data hostage.
Impact
A successful SSE-C encryption attack can lead to significant data loss and business disruption. The number of affected objects can range from hundreds to thousands, depending on the bucket size and attacker's dwell time. This can result in financial losses due to downtime, data recovery costs (if possible), and potential reputational damage. Industries heavily reliant on cloud storage, such as media, finance, and healthcare, are particularly vulnerable.
Recommendation
- Enable and monitor AWS CloudTrail logs, specifically for
PutObjectevents withx-amz-server-side-encryption-customer-algorithm: AES256, to detect suspicious SSE-C encryption activity (see references and log source in the rules below). - Implement the provided Sigma rule to detect excessive S3 object encryption with SSE-C and tune the threshold for your environment.
- Review and tighten IAM policies for roles and users accessing S3 buckets to enforce least privilege and prevent unauthorized encryption (see "setup" in source).
- Disable or rotate any compromised access keys identified in the investigation process as documented in the "note" section of the source material.
Detection coverage 2
Detect AWS S3 Object Encryption with SSE-C
mediumDetects AWS S3 PutObject events where Server-Side Encryption with Customer-Provided Keys (SSE-C) is used.
Detect High Volume of AWS S3 Object Encryption with SSE-C from Single IP
highDetects a high volume of S3 objects being encrypted with SSE-C from a single IP address within a short timeframe, potentially indicating malicious activity.
Detection queries are available on the platform. Get full rules →