{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sse-c/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon S3"],"_cs_severities":["high"],"_cs_tags":["aws","s3","sse-c","ransomware","impact"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat involves the malicious use of Server-Side Encryption with Customer-Provided Keys (SSE-C) in AWS S3. Attackers, typically leveraging compromised AWS credentials, encrypt numerous objects within an S3 bucket using their own encryption keys. This action renders the objects unreadable and unrecoverable without the attacker's private keys. The primary motive behind this attack is extortion, where the bucket owner is coerced into paying for the decryption keys, effectively mirroring a ransomware attack in a cloud environment. The behavior is detected by monitoring for a high volume of PutObject events with SSE-C encryption within a short time window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker gains unauthorized access to AWS credentials through methods like phishing, credential stuffing, or exploiting vulnerable applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the compromised credentials have limited permissions, the attacker may attempt to escalate privileges to gain broader access within the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBucket Discovery:\u003c/strong\u003e The attacker uses the compromised credentials to enumerate available S3 buckets within the AWS account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Selection:\u003c/strong\u003e The attacker identifies a target S3 bucket containing sensitive or valuable data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSE-C Encryption:\u003c/strong\u003e The attacker initiates a high volume of PutObject operations, encrypting the existing objects using SSE-C with attacker-controlled keys. The \u003ccode\u003ex-amz-server-side-encryption-customer-algorithm\u003c/code\u003e request parameter is set to \u0026quot;AES256\u0026quot;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Denial:\u003c/strong\u003e The legitimate users are unable to access their data due to the encryption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtortion:\u003c/strong\u003e The attacker demands payment for the decryption keys, holding the encrypted data hostage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful SSE-C encryption attack can lead to significant data loss and business disruption. The number of affected objects can range from hundreds to thousands, depending on the bucket size and attacker's dwell time. This can result in financial losses due to downtime, data recovery costs (if possible), and potential reputational damage. Industries heavily reliant on cloud storage, such as media, finance, and healthcare, are particularly vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor AWS CloudTrail logs, specifically for \u003ccode\u003ePutObject\u003c/code\u003e events with \u003ccode\u003ex-amz-server-side-encryption-customer-algorithm: AES256\u003c/code\u003e, to detect suspicious SSE-C encryption activity (see references and log source in the rules below).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect excessive S3 object encryption with SSE-C and tune the threshold for your environment.\u003c/li\u003e\n\u003cli\u003eReview and tighten IAM policies for roles and users accessing S3 buckets to enforce least privilege and prevent unauthorized encryption (see \u0026quot;setup\u0026quot; in source).\u003c/li\u003e\n\u003cli\u003eDisable or rotate any compromised access keys identified in the investigation process as documented in the \u0026quot;note\u0026quot; section of the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-s3-sse-c-encryption/","summary":"Compromised AWS credentials can be used to encrypt a large number of S3 objects with SSE-C, rendering them unreadable without the attacker's keys, potentially leading to a ransomware-like extortion scenario.","title":"Excessive AWS S3 Object Encryption with SSE-C","url":"https://feed.craftedsignal.io/briefs/2024-01-s3-sse-c-encryption/"}],"language":"en","title":"CraftedSignal Threat Feed - Sse-C","version":"https://jsonfeed.org/version/1.1"}